Now that we are emerging from lockdown and heading to a new normal, it seems prudent to remind organisations that at some point the bill repealing and replacing the Privacy Act 1993 will progress to its Third Reading. This is one of the final stages and so organisations should have preparations underway.
To date, most interest has been around the implementation of mandatory breach reporting. However, organisations should also note that the Bill widens the scope of their obligations. For example, a crypto-locker attack may put you in breach of the Act, as an organisation that has lost access to its data may be unable to satisfy the principles around sharing personal information and being able to correct it.
Organisations holding Personally Identifiable Information (PII) should ensure they are prepared for the new requirements, as some will require changes to processes at the very least.
We recommend organisations:
Have their Privacy Officer review the Bill so the organisation understands what changes it may need to make. See http://www.legislation.govt.nz/bill/government/2018/0034/latest/LMS23223.html
Reduce holdings of PII as much as possible. Where information has to be retained, consider whether it can be held in a way that reduces its potential exposure.
Ensure sufficient controls are in place to prevent breaches, and that sufficient information is captured to support analysis should a breach occur.
Have incident response plans in place, and include communications as part of them.
Written by Jonathon Berry, Consulting Partner, InPhySec