Before the updated Privacy Bill of 2018, the last time New Zealand updated its Privacy Act was in 1993. Over the last 26 years we have seen rapid growth and changes in both technology and cyber-crime.
The updated Privacy Bill, set to be introduced by July 2019, is New Zealand catching up with the unintended and potentially harmful consequences of technology. As technology (devices, printers, hardware and software) becomes more sophisticated and more common, so too does cyber-crime. New Zealand companies are exposed to more risk than ever before, from both intentional harm (such as being hacked) and accidental harm (such as unauthorised people seeing information they shouldn’t, or personal data being shared incorrectly).
The new Privacy Bill will also bring New Zealand more in line with what’s happening around the world, including the European General Data Protection Regulation (GDPR).
The Privacy Bill 2019
Here are some of the key things you need to know:
· If someone’s privacy has been breached, you must notify the NZ Privacy Commissioner and the individual(s) affected as soon as possible after becoming aware of the breach.
· A privacy breach is any unauthorised or accidental access to, or disclosure, change, loss or destruction of, personal information; or an action that stops the agency from accessing the information, either temporarily or permanently.
· A privacy breach may not have a malicious intent behind it – it also extends to your staff accidentally seeing information that they shouldn’t have.
· What amounts to a privacy breach is set at a low threshold: while many incidents may not actually result in harm to individuals, the bar is set at “if there is a risk of” causing harm.
· What constitutes harm to the individual is broad and includes financial damage, emotional harm and injury to their rights, dignity or feelings.
· The Bill also sets out what is required when notifying individuals and the commissioner of a breach, as well as the steps the affected individual(s) may take. If it is not practical to give notice directly to individuals, businesses can issue a public notice.
· Consequences – if you fail to comply, you may be fined up to $10,000.
What does this mean?
So, what should you do? What changes can you adopt to make sure that you are secure, compliant, and doing the right thing by your employees, company and your clients?
Here are my top ten tips:
1) Identify – Ensure you’re up to date on how to identify, reduce and prevent data breaches.
2) Train – Educate your staff on best practice for sharing, storing, identifying and dealing with data breaches.
3) Evaluate – Check whether your technology can quickly identify and deal with data breaches. Check that your whole network is watertight and up to date, including your software, hardware, printers and security systems.
4) Monitor – Make sure your IT, printer software and security are monitored 24/7.
5) Decrease – You reduce your exposure to both attacks and mistakes by decreasing the amount of personal data your company stores: data you don’t hold can’t be breached.
6) Encrypt – Wherever possible, encrypt or anonymise personal data.
7) Manage risk and oversight – Depending on your resources and the size of your business, appoint a data protection officer or delegate the role to a capable team member, so that one named person is responsible for oversight, managing risks, dealing with privacy breaches if they come up, and notifying the affected individual(s) and the Privacy Commissioner.
8) Record and report – Keep records of where personal data is stored, who can access it, and how and when it is shared.
9) Insurance – Depending on your circumstances, you may choose to talk to an adviser about cover that protects you against cyber-security risks.
And most importantly,
10) Policies – Put in place strong internal and external policies that all your staff are aware of, and that clearly lay out the above nine points.
Be ready for the change
The IT Psychiatrist can design and develop best practice policies, processes and strategies, so that you feel confident that your business is protected, compliant and ready for the new privacy rules.
You may also need some more support and resources to get ready for the changes. We can be your dedicated part-time IT manager for as long as you need.
If you want industry-leading, best-practice IT policies, processes and strategies, or a part-time IT manager to help you get ready for the privacy changes, please give us a call.