Privacy Commissioner issues first “Compliance Notice”

17 September 2021

The Office of the Privacy Commissioner (OPC) has used new powers under the Privacy Act 2020 to issue its first “Compliance Notice”.

The notice was issued to the Reserve Bank of New Zealand (RBNZ), in relation to the highly publicised cyber-attack in 2020 which exposed various weaknesses in the RBNZ's security measures.

Compliance Notices are one of a range of new enforcement powers introduced under the Privacy Act in December last year. The new powers reflect the OPC's broader focus on proactively managing compliance with the Privacy Act, rather than being focused predominantly on responding to complaints.

Background

RBNZ was the victim of a cyber-attack in December 2020 causing a significant breach to one of RBNZ's security systems. The breach raised the possibility of systemic weakness in RBNZ's systems and processes for protecting personal information. RBNZ notified the breach to the OPC and engaged KPMG to undertake an independent review of its systems and processes. The OPC and KPMG's investigations ultimately found multiple instances of non-compliance with Information Privacy Principle (IPP) 5. IPP 5 requires agencies to ensure the safe storage and security of personal information.

What is a “Compliance Notice”?

Under the new Privacy Act, the OPC now has the power to issue a Compliance Notice to any agency that is not meeting its obligations under the Act. A Compliance Notice may require an agency to do or stop doing something in order to comply with the Privacy Act. Failure to comply with a Compliance Notice carries a fine of up to $10,000 (enforceable by the Human Rights Review Tribunal) and may attract adverse publicity.

The Compliance Notice issued to the RBNZ sets out specific improvements required to its internal policies and procedures to safeguard personal information and satisfy IPP 5. These must be achieved within stipulated timeframes and will be monitored by the OPC. The OPC has highlighted the “positive” way the RBNZ dealt with the aftermath of the attack, reminding other agencies of the benefits of adopting a cooperative approach.

Implications

The Compliance Notice provides a timely reminder for all agencies to ensure that their privacy practices (including security policies and procedures) are up to date with the requirements of the new Privacy Act. For further information, including a summary of all changes, refer to our Guide to the Privacy Act 2020.

If you require assistance please get in touch with our privacy team or your usual Bell Gully advisor.

Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.