Monday, 27 August 2007 LAWFUEL – The Legal Newswire – New guidelines have been drawn up to help businesses and government organisations take the right steps after a privacy breach occurs, including notifying people if their personal information has been stolen, lost or mistakenly disclosed.
Privacy Commissioner Marie Shroff announced the voluntary draft guidelines today, and called for public submissions.
“Privacy breach guidelines will help businesses and government organisations manage a privacy breach or suspected breach, and take measures to prevent such breaches occurring in the first place,” Mrs Shroff said.
In the United States data leaks are reported to have cost businesses an average 8 percent drop in revenue, and more than 200 privacy breaches containing sensitive personal information are reported to have occurred so far this year. In New Zealand, incidents of privacy breaches are already occurring.
“The draft New Zealand guidelines promote the use of best practice consistent with international experience – before we are faced with big breaches of the US kind,” Mrs Shroff said.
“Research shows most New Zealanders consider that respect and protection of their personal information by business is important. For business, this means privacy breaches need to be well managed to protect reputation and consumer trust.”
New Zealand law does not require privacy breach notification, and the guidelines themselves will not be mandatory. However, principle 5 of the Privacy Act (governing the way personal information is stored) does require all organisations and individuals that hold personal information to take reasonable steps to protect it. This can include notifying people of significant breaches, where necessary.
Mrs Shroff said breach notification was mandatory in 30 US states and some Canadian provinces, and might be considered in New Zealand in future.
The draft guidelines announced today outline the key steps public and private organisations should consider if personal information becomes available to unauthorised individuals or organisations.
In cases where the breach raises a risk of harm, the steps include notifying people that their personal information has been compromised. This could apply, for instance, where there is a risk of identity theft or fraud after sensitive personal information has been lost or stolen.
“Notifying individuals that their sensitive personal information has been disclosed enables them to take steps to prevent misuse of their details,” Mrs Shroff said.
“We recognise that not all breaches of personal information warrant notification. For example, there would be little point in notifying each individual on an address database that was accidentally sent to a trusted mail house and then safely retrieved.
“The situation would obviously be quite different if the database included customer credit card numbers and it was stolen, or a disc of the list was lost.”
Public submissions on the draft guidelines close on 28 September. The guidelines are expected to be finalised before the end of the year.