Sprawled across the media, apologising for any embarrassment caused, promising to review your internal procedures, wondering what it will take, and how long it will take, to undo the reputational damage – any way you look at it, the costs and distractions of being on the wrong side of a privacy breach are high.
And the trend internationally is that they will get higher as the public becomes increasingly sensitised to privacy issues and as the law-makers respond to the risks created by the sophisticated data collection, transfer and storage capabilities of the post-paper era.
The Australian Government is further down the track than we are, having last year passed wide-ranging legislation to beef up their privacy regime.
The Australian reforms:
- establish a unified set of Australian Privacy Principles, which will apply across both the public and private sectors (which is already the case in New Zealand)
- expand the obligations to inform individuals about how their information will be used and, if being stored overseas, in what countries
- place new limits on direct marketing, including requiring greater consent from consumers (through the inclusion of ‘opt-out’ mechanisms)
- strengthen the powers available to the Australian Privacy Commissioner, and
- provide for penalties of up to AUD$220,000 for an individual and AUD$1.1 million for a company.
In recognition of the adjustment burden this will create for Australian businesses, a 15-month transition period has been provided with the result that the new law will not come into effect until March 2014. Yet, despite the long lead time, almost a third of respondents to a poll by law firm Allens of its Australian client base identified privacy reform as the major issue facing their in-house legal teams this year.
And Australia has more to come. Changes signalled for Phase Two include mandatory data breach reporting, removal of the small business exemption and giving individuals the right to sue for serious invasions of privacy.
New Zealand’s personal data protection standards received an ‘adequacy’ rating from the EU at the end of last year. Despite the unassuming label, this is a big deal and will benefit New Zealand businesses in very real terms because it means that personal data can now flow freely from the EU to New Zealand. It also puts us into a fairly exclusive club as the rating has been awarded to only four countries outside of Europe (none of which is Australia).
But a series of high profile privacy breaches last year – Immigration New Zealand, Work and Income, ACC and Inland Revenue – has shaken public confidence and created a perception that reform is needed. So there is reason to expect that New Zealand may adopt some of the Australian reforms, or variants of them.
There is already some work underway as the regulators try to stay abreast of technological innovation. The Privacy (Information Sharing) Bill, reported back to the House last month and now split into three Bills, will make better provision for data sharing between public sector agencies and the Privacy Commission recently released “Cloud Computing Guidelines”.
But this is small beer. Much more substantial change is envisaged in the Law Commission’s four-part review of the Privacy Act 1993, completed in August 2011.
The Government has yet to respond to the bulk of the Commission’s more than 120 recommendations – including those recommending increased enforcement and investigative powers for the Privacy Commissioner, who currently has a facilitative role only and can act only on complaints received rather than initiating investigations on his/her own initiative.
Despite the comparative lack of government action, Chapman Tripp’s experience is that privacy concerns are now much higher on the New Zealand corporate agenda than they were a few years ago and that the compliance costs associated with privacy processes are significant and growing.
It’s time to plan ahead. Many organisations are starting to face the considerable compliance burden of Privacy Act requests when they are not resourced to deal with them. Having systems and procedures in place, and knowing what they are, will help.
It’s important an organisation:
- knows where personal information is stored
- knows how to access that information
- has a process for review and assessment of personal information
- has a procedure for sign-off of Privacy Act requests
- has a document retention and destruction policy
At a practical level, a difficult or extensive privacy request can consume as much time from busy management or in-house legal teams as discovery in a piece of litigation.
It pays to ensure privacy is a well-trodden path for your organisation so that the “system” responds constructively and efficiently. The cost and publicity of a breach mean that houses should be in order before our own regime ramps up.
Justin Graham is a senior associate at Chapman Tripp specialising in privacy issues and litigation.