CyberCX has released its annual Digital Forensics and Incident Response Year in Review Report for 2023 

Privacy Week: Reflecting on New Zealand’s Shifting Privacy Landscape

Cyber Security Strategy

Published by Dan Richardson, Executive Director, Strategy & Risk, 13 May 2024

 

Privacy is now firmly top-of-mind for industry, government and the public.  

Management of privacy risks and obligations is increasingly recognised by leading businesses as a core component of building sustainable and trusted market offerings and being an employer of choice.  

Simply put, how you manage and protect the information and data customers entrust with you is increasingly linked to your reputation.

And it’s not hard to see why – last year the Privacy Commissioner reported a 41% increase in privacy breach notifications which meet the serious harm threshold. (Source: Notable increase in data breaches reported.)

In an age where the community is grappling with an ever-increasing number of data breaches and cyber incidents, the phrase ‘data is the new uranium’ has become an increasingly common refrain. 

Against this backdrop, Privacy Week, spearheaded by the Office of the Privacy Commissioner to promote privacy awareness, is a good time to reflect on how the privacy landscape is shifting in New Zealand and what that means for you. 

 

Privacy builds trust, and trust builds opportunities

At CyberCX we understand the role privacy plays in building a sustainable and socially responsible data-driven business.

Across New Zealand and Australia, we have experienced privacy practitioners who understand data, the opportunities it brings and the regulatory and social boundaries around its use.

As the landscape shifts, here are our thoughts on the key privacy areas to watch. 

 

Artificial Intelligence  

Whether it’s large language models (LLMs) like ChatGPT or self-driving cars, there’s a lot of excitement around the potential for Artificial Intelligence to transform how we do business. We’re increasingly seeing applications that fall under the wide umbrella of AI bring benefits to sectors like education and healthcare too. 

But we can’t lose sight of what this means for privacy, and the Privacy Commissioner is pushing hard for organisations to consider the privacy risks before jumping into AI applications. 

A recent survey by the Privacy Commissioner found that New Zealanders have privacy concerns about the use of AI, which the Commissioner says they see as unregulated and carrying potential risks of malicious use. 

Privacy Commissioner Michael Webster made clear in March that the Privacy Act applies to everyone using AI tools in New Zealand. If you are using AI in your business, it’s your responsibility to ensure this complies with the Privacy Act when it comes to the collection, use of sharing of personal information. 

Expect to see this debate intensify as AI applications become an ever more common part of how we do business and live our lives. 

 

Infringement penalties 

There is a widespread view throughout New Zealand that our penalties for privacy breaches are simply not up to scratch. 

Speaking at the National Cyber Security Summit earlier this year, the Privacy Commissioner said that the maximum fine he could issue an organisation for failing to adhere to a compliance order is $10,000. 

The Commissioner compared this to our neighbours across the Tasman, where the Office of the Australian Information Commissioner (OAIC) can issue maximum fines for serious infringements of up to $50 million. 

The Commissioner has made clear they would like to see a beefed-up civil penalty regime for non-compliance as part of the Privacy Act 2020.  

 

Biometric data 

Privacy concerns around biometric data, like face scans and voice recordings, are becoming more topical. Just last month, the Privacy Commissioner began an inquiry into Foodstuffs North Island’s trial of facial recognition technology in 25 supermarkets

While there may be legitimate intentions behind retailers rolling out these types of technologies, such as preventing theft and anti-social behaviour, there are also obvious questions to be asked. These include: 

  • How is this data stored and how long for? 
  • Are customers adequately informed that their facial recognition data will be captured when they enter a store?  
  • Can customers opt out if they don’t want this data captured? 
  • Are staff sufficiently trained to use the technology? 
  • Does it actually work? 

While biometrics would technically be captured under the Privacy Act 2020, the Privacy Commissioner wants special protections for biometrics and is currently considering rules on the use of biometric technologies. Consultation on the draft ended last week – now we wait for the Commissioner’s decision on what a new Biometrics Code of Practice will look like. 

 

Changing policy landscape 

Just as the privacy landscape in New Zealand is continuing to evolve, so too is the response from government and policymakers.  

Just last week, the Justice Committee began calling for submissions on the Privacy Amendment Bill. The Bill will effectively create a new obligation for third parties to notify you when you they collect your data from an organisation you have provided your information to.  

This may be an important step for New Zealand maintaining its General Data Protection Regulation (GDPR) adequacy status, which allows New Zealand businesses and agencies to receive personal information from the European Union in compliance with the GDPR, which governs privacy across Europe. 

The Bill should also help increase transparency for individuals around who actually has access to their data, an important measure against a backdrop of rising third-party data breaches. 

 

It’s important to use Privacy Week to reflect on how privacy in New Zealand is evolving and what it means for you – whether you run a business or whether you hand over your data to organisations as part of everyday life. 

The Privacy Commissioner runs a full suite of free and education events for Privacy Week– you can access the programme here

For more information on CyberCX’s approach to privacy and how we can help your organisation, please visit our Privacy Advisory page here

Ready to get started?

Find out how CyberCX can help your organisation manage risk, respond to incidents and build cyber resilience.