Privately speaking is a quarterly publication tracking developments in privacy legislation, regulation and case law.
The risks for organisations from a privacy breach can be very high. This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of data integrity and confidentiality.
Our team of data protection lawyers can assist you with data security risk management, including reviewing contractual terms, privacy compliance training, responding to privacy requests and investigations, and litigation to contain data security breaches.
NEW ZEALAND
Privacy Commissioner’s annual report
The Privacy Commissioner received 121 data breach notifications in the 2014-2015 June year, which was marginally up on the previous year. But this may reflect increased awareness, as reporting is voluntary and there is no way of knowing how many incidents were not flagged.
Of the breaches, 71 were in the public sector and 50 in the private sector. The most common causes were:
- information inadvertently sent to the wrong recipient
- loss or theft of a file, and
- unauthorised “browsing” by employees.
Link: the report
Security risk analysis from the NZ Intelligence Community
The post-election briefing from New Zealand’s intelligence agencies to the Prime Minister and the Minister in charge of the SIS and responsible for the GCSB, Chris Finlayson, has been released under the OIA.
The paper, which is marked “top secret” and has been heavily redacted, identifies risks of relevance to business, including industrial espionage and cyber data and information loss which it says:
“is happening now, with significant compromises of major New Zealand companies and government departments. The capabilities are getting easier to acquire, and are easy to combine with insider threats. This is potentially a real drag on our economy, our reputation and the integrity of Government”.
Contents
New Zealand 1
Australia 3
North America 3
European Union 4
United Kingdom 4
Contacts 5
- | December 2015
The briefing also says the internet:
“doesn’t work like a telecommunications system, but more like an ocean of data with almost no respect for international borders…[I]t is already an area of conflict, as well as an ungoverned space in terms of the economic and social behaviour that it allows”.
NZ Business Number Bill reported back
The Bill which will allow eligible entities to obtain a New Zealand Business Number – a unique identifier to be used in all their interactions with the government – has been reported back from select committee.
It will create rules for collecting, accessing and sharing data to be held on the New Zealand Business Number (NZBN) register, including protections for personal and commercially confidential information.
The committee, after consultation by officials with the Privacy Commissioner and the Government Chief Privacy Officer, is “satisfied that the Bill’s privacy safeguards are adequate”. It notes, however, the efficacy of the Bill will depend on widespread adoption of the NZBN by government agencies and, if this does not eventuate, there is a risk that the Bill may increase business overheads rather than reducing them.
Link: the Bill
TPP agreement on electronic commerce
A summary of the TPP agreement released by the Ministry of Foreign Affairs and Trade confirms the 12 countries to the negotiations have agreed:
- to ensure the free flow of global information and data, subject to legitimate public policy objectives such as personal privacy
- to adopt and maintain consumer protection laws against fraud and deceptive conduct online and to put in place measures to stop unsolicited commercial electronic messages
- that TPP companies should not be required to build data storage centres as a condition for operating in a TPP market and that the source code of software does not have to be transferred or accessed, and
- that there be no customs duties or other discriminatory measures on electronic transmissions.
Link: TPP text
Supreme Court allows limited protection of “digital data”
The Supreme Court has found that digital data is property for the purposes of the Crimes Act. However, civil reliance on property rights will not suffice to protect electronic information – at least for now.
Link: Chapman Tripp commentary
Australian report gives NZ respectable “cyber maturity” rating
A study by the Australian Strategic Policy Institute on cyber maturity in the Asia-Pacific rates New Zealand sixth, just behind Australia. The ratings are based on performance across five areas – governance, cyber-crime, military, business and social. The US is highest of the 20 countries surveyed with a weighted score of 90.7 and North Korea is lowest on 16.4. Australia’s score is 79.9 and New Zealand’s 72.8.
Link: report
Search and Surveillance Act to be reviewed
The Law Commission and the Ministry of Justice will conduct a joint review of the Search and Surveillance Act 2012 next year. Among the issues the government wishes to explore are whether any changes are needed to respond to the impact of modern technology on the ability of the Police and other authorities to prevent and investigate crime.
Link: announcement
AUSTRALIA
OAIC Guide: Developing a Data Breach Response Plan
The Office of the Australian Information Commissioner has produced a guide to assist organisations in developing a data breach response plan. Recommended features include:
- a strategy for assessing and containing data breaches, including the actions the response team should take in the event of a breach or suspected breach
- a clear explanation of what constitutes a data breach, such that staff will be able to recognise when one has occurred
- the reporting line, including who needs to be informed immediately
- agreement about which external stakeholders should be contacted and by whom (for example, law enforcement agencies, regulators and the media)
- a procedure for recording data breaches, including those that are not referred to the response team, and
- a strategy to identify and address any weaknesses in data handling that contributed to the breach.
Link: Guide to Developing a Data Breach Response Plan
NORTH AMERICA
S&P rates cybersecurity as big risk for global banking
Credit ratings agency Standard and Poor’s puts cybersecurity “at or near the top of the list” of challenges faced by global banking. It says banks’ retail presence, the value of the data they hold and their function as a currency conduit make them an obvious target. However, it rates the credit risk of a cyberattack as “medium” rather than “high” because of the mitigation strategies the industry has put in place.
Link: S&P release
EUROPEAN UNION
EUCJ finds US/EU safe harbour agreement invalid
The European Court of Justice has overturned the European Commission’s “safe harbour” decision under which personal data on EU citizens could be transferred from Europe to the US. The ruling means that companies transferring such information may need to sign “model contract clauses” to maintain compliance.
Link: EUCJ decision
French regulator rejects Google’s “right to be forgotten” appeal
French privacy regulator CNIL has rejected Google’s informal appeal against its ruling that an individual’s right to have posts removed extends to all of Google’s websites worldwide, including Google.com (and not just Google’s European websites such as Google.de or Google.fr).
CNIL did not accept Google’s argument that this would not amount to applying French law extraterritorially. Instead it characterised the decision simply as “[requesting] full observance of European legislation by non-European players offering their services in Europe”.
Link: CNIL decision
UNITED KINGDOM
No disclosure of third party submissions on peership bid
Having twice unsuccessfully sought appointment as a non-party-political life peer, Dr. Ranger brought a claim under section 7 of the Data Protection Act (UK) 1998 for disclosure of two letters sent by third parties to the House of Lords Appointment Commission and for material produced by the Commission in considering his application.
The UK High Court dismissed the claim, saying it came within the exemption in s37 of the Act for personal data processed for the purposes of “the conferring by the Crown of any honour or dignity”.
The Court referred to the High Court decision in Durant v Financial Services Authority [2003] EWCA Civ 1746, holding that “mere mention of the data requester in a document held by the data controller does not necessarily amount to [personal data under section 7 of the Act]”.
It also rejected arguments that the exemption in s37 was disproportionate, saying there was a broad public interest in encouraging full and candid submissions to the House of Lords Appointment Commission.
Links: Ranger v House of Lords [2015] 1 WLR 4324, and Durant v Financial Services Authority [2003] EWCA Civ 1746
New Privacy Brief newsfeed
We have recently launched a new privacy law and data protection newsfeed (www.privacybrief.net), collating links and articles from around the world. Visit and subscribe (via Wordpress, email, RSS or Twitter) if you’d like to stay up-to-date in between our quarterly publications.
Our thanks to Steven Li for compiling this publication.
Contacts
PHEROZE JAGOSE – PARTNER
T: +64 4 498 4954
M: +64 27 241 2999
JUSTIN GRAHAM – PARTNER
T: +64 9 357 8997
M: +64 27 209 0807
KELLY MCFADZIEN – PARTNER
T: +64 9 357 9278
M: +64 27 473 2230
GEOFF CARTER – SPECIAL COUNSEL
T: +64 3 353 0394
M: +64 27 290 5057
If you would prefer to receive this newsletter by email, or if you would like to be removed from the mailing list, please send us an email at [email protected].
Every effort has been made to ensure accuracy in this newsletter. However, the items are necessarily generalised and readers are urged to seek specific advice on particular matters and not rely solely on this text.
© Chapman Tripp
TIM SHERMAN – SENIOR ASSOCIATE
T: +64 4 498 2400
M: +64 27 345 3250
SARAH QUILLIAM-MAYNE – SENIOR SOLICITOR
T: +64 4 498 6307
M: +64 22 136 2601