Privacy Commissioner Issues First Compliance Notice

The Privacy Act 2020 (the Act) has been in force since 1 December 2020. The Act provided a number of new enforcement powers to the Office of the Privacy Commissioner (OPC), including the power to issue Compliance Notices to agencies that are not meeting their obligations under the Act. Now, the Privacy Commissioner has issued his first ever compliance notice, the recipient being the Reserve Bank of New Zealand (RBNZ).

RBNZ was the victim of a cyber-attack in December 2020 which resulted in a significant breach to one of their security systems. The breach raised the possibility of systemic weaknesses in RBNZ’s systems and processes for protecting personal information. RBNZ notified the OPC of the breach in line with the new mandatory reporting obligations imposed by the Privacy Act. The OPC investigated and found multiple instances of non-compliance with Information Privacy Principle 5, which requires agencies to protect the personal information it holds by reasonable safeguards. The OPC subsequently issued a Compliance Notice to RBNZ.

Through a Compliance Notice the Privacy Commissioner can require an agency to do something, or to stop doing something, in order to remedy a breach under the Privacy Act. A Compliance Notice can have certain conditions attached to it and identify particular steps that the Privacy Commissioner considers are required to be taken to remedy the breach. The Compliance Notice issued to RBNZ directed the agency to make specific improvements to its internal policies and procedures for protecting personal information in order to fulfil its obligations under Information Privacy Principle 5. These must be achieved within specified timeframes and will be monitored by the OPC.

Compliance Notices do not in themselves carry pecuniary penalties. However, failure to comply with a Compliance Notice can attract a fine of up to $10,000. Further, there may be significant reputational damage and adverse publicity following a determination that an agency has failed to comply with a Compliance Notice. In RBNZ’s case, the OPC has commended RBNZ on the “positive” way it has dealt with the breach, thereby defusing some of the adverse publicity resulting from the breach itself.

The issuing of the first Compliance Notice demonstrates that the OPC will take a proactive approach to privacy protection, and will not hesitate to call out agencies which breach their obligations under the Act, no matter how big and important they are. It provides a timely reminder to all agencies to ensure their privacy practices are up to date with the new requirements of the Act.

If you would like more specific advice on how to ensure your privacy policies are up to scratch, please get in touch.