The Privacy Commissioner has this week published some details of a compliance notice issued in relation to the Reserve Bank of New Zealand (Reserve Bank), which related to a well‑publicised cyber-attack on the Reserve Bank in December 2020.

This is the Privacy Commissioner’s first exercise of his new enforcement power under the Privacy Act 2020 (Privacy Act), and is a reminder to businesses of the potential scrutiny they will come under from the Privacy Commissioner on privacy compliance.

Key takeaways

The Privacy Commissioner’s decision to publish the fact that he had issued this compliance notice:

  • demonstrates that no matter how large or high profile the relevant agency, and regardless of the fact that it is a public sector agency, the Privacy Commissioner will not shy away from exercising his new powers under the Privacy Act and publishing some or all relevant details, if he considers it is in the public interest to do so;

  • shows the exercise of such powers isn’t just a “slap on the wrist”, and can lead to continued compliance obligations for a business, including improvements to privacy policies and procedures, and ongoing reporting to the Privacy Commissioner;

  • sends a message that although a compliance notice does not carry pecuniary penalties for a business (unless there is further non-compliance), a compliance notice is to be taken seriously, and any subsequent publication will likely lead to adverse publicity that should incentivise businesses to be proactive with their privacy compliance; and

  • assures the public that the Privacy Commissioner is providing oversight and is ensuring businesses comply with the Privacy Act, in order to deliver better privacy outcomes for all New Zealanders.

From the announcement made by the Privacy Commissioner, it appears the Reserve Bank did not meet its obligations under the Privacy Act to protect the personal information it holds by reasonable security safeguards.

The findings of the Privacy Commissioner’s office were that the breach caused by the attack raised the possibility of systemic weaknesses in the Reserve Bank’s systems and processes. This was accepted by the Reserve Bank.

The power to issue a compliance notice allows the Privacy Commissioner to require an agency to do something, or stop doing something, in order to remedy a breach under the Privacy Act. As with the notice issued to the Reserve Bank, a compliance notice can have conditions attached to it and identify particular steps that the Privacy Commissioner considers need to be taken by the agency to remedy the breach.

The issue and publication of this compliance notice is a timely reminder to all organisations subject to the Privacy Act to ensure that they are aware of, and comply with, their obligations under the Privacy Act. Proactive compliance can help to avoid time-consuming and potentially reputation-damaging enforcement action.

It will be interesting to see whether compliance notices will be issued by the Privacy Commissioner in relation to the recent well-publicised cyber-attacks suffered by multiple large organisations in New Zealand.

Special thanks to Po Tsai for assisting with this article.
