Privacy means the ability to protect your personal information and to control how it is used. Privacy matters to people's sense of security, and for this reason it is a right recognised by law in New Zealand. That law is the Privacy Act 1993, which sets out a number of information privacy principles that 'agencies' (i.e. businesses and organisations) in New Zealand must comply with. Failure to comply with privacy obligations can lead to censure by the Privacy Commissioner, as well as reputational damage and loss of customers.
The rapidly changing technology environment has changed the role of personal data in our lives, with a growing number of public and private organisations holding vast amounts of digital information. The chance of an organisation suffering a major security breach is increasing, and organisations cannot afford to ignore these risks. Some of the major security breaches reported publicly include:
- Target (Department Store): 70 million records compromised in 2013
- eBay: 145 million records compromised in 2014
- Ashley Madison: 37 million records compromised in 2015
If privacy breaches do occur the costs to an organisation in terms of loss of customers and reputation may be significant or even crippling. Businesses may also be exposed to regulatory action following a data security breach.
Security of personal information and Principle 5
There are twelve information privacy principles in the Privacy Act; the Privacy Commissioner's website has a thumbnail sketch of each. Principle 5 is a key privacy principle: it requires an agency that holds personal information to protect it by such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure, and other misuse. Agencies that collect information must ensure that, as the technology and threat environment changes, they continue to take reasonable steps to keep personal information secure.
What does “reasonable” mean?
In the context of Principle 5, "reasonable" means taking steps proportionate to the risk of harm to individuals: identifying the risks to their personal information and managing them. Different organisations therefore have different requirements, depending on the nature, sensitivity and volume of the information held and the kinds of harm that could follow from its misuse. Every organisation needs to assess these matters and then identify the reasonable steps that need to be taken to secure the information. It is prudent to record that assessment, because whether the steps taken were reasonable will be judged after a breach, not before.
Another aspect of this obligation is maintaining oversight of cyber risks. Directors and officers of organisations need to understand cyber risk and best practice in managing it. If security is weak it is almost impossible to maintain privacy, and breaches will occur. Breaches can take many forms: accidental release of information by staff, intentional leaks by employees, fraud, and a range of cyber-attacks such as unauthorised access, theft of information and malware. Identity theft is a common consequence for the individuals whose information is exposed. Denial-of-service (DoS) attacks are a further cyber risk that boards should understand, although they threaten the availability of systems rather than the confidentiality of the information they hold.
What about outsourcing of IT services to third parties?
It is common for organisations to use a third-party provider for storage and management of information. However, where an organisation uses a third party, the organisation remains legally responsible for compliance with its privacy obligations. Under Principle 5, where it is necessary for information to be given to a third party in connection with a service provided to the organisation, the organisation must do everything reasonably within its power to prevent unauthorised use or unauthorised disclosure of the information.
Once again, the organisation using the third-party provider needs to assess what steps are reasonable and proportionate in order to comply. To make this assessment the organisation will need to do its due diligence before signing up to the third party's service. This includes checking references, researching whether there are any known problems with the provider (for example a history of security breaches), and asking what security standards the provider follows and whether they are independently audited. Organisations will also need to ensure the third party will notify them if there is a security failure, and within what timeframe, since the organisation cannot manage a breach it does not know about. Where an organisation uses an offshore third party, the organisation will need to understand the laws that apply in the provider's own jurisdiction (including any powers of access by foreign authorities), checking that those laws do not undermine the organisation's compliance with its obligations in New Zealand. All third-party contracts will need to include robust terms about the protection of data, particularly data about your customers: typically the security measures the provider must maintain, where the data will be stored, breach notification, a right to verify the provider's compliance, and the return or deletion of the data when the contract ends.
Organisations cannot afford to leave personal information security solely in the hands of their IT departments; oversight needs to happen at the highest levels. Fortunately, there is a great deal of help available, which is easily accessible and user-friendly. To begin with, we recommend the Privacy Commissioner's website at privacy.org.nz for extensive information and guidance. The Institute of Directors has a Cyber-Risk Practice Guide, which is freely available on its website iod.org.nz.
We can also help you to understand your obligations in more detail, assist you to conduct a data protection health check, and ensure that you complete due diligence of potential third-party providers before you sign on the dotted line.
The information contained in this publication is of a general nature and is not intended as legal advice. It is important that you seek legal advice that is specific to your circumstances.
All rights reserved © Jackson Russell 2016