A public concern for privacy
Newly-appointed privacy commissioner John Edwards says making it mandatory for organisations to report data breaches would bring New Zealand into line with other countries.
But he said it would be possible to set up a regime with too many compliance costs that would be prohibitively expensive.
Edwards acknowledged his appointment, made on the recommendation of Justice Minister Judith Collins, might be viewed as a case of poacher-turned-gamekeeper. "There is that potential perception," he said. However, he did not believe that would be fair.
During his 21 years as a lawyer before taking up the role on Monday, Edwards specialised in privacy and freedom of information issues, usually representing agencies. For example, he represented a hospital which accidentally sent details of a woman's abortions and sexually transmitted diseases to her mother.
But he said that case demonstrated the importance of privacy to him and much of the work he had performed for government agencies was to advise them on best practice, rather than defending their indiscretions.
"What we have seen in the last three years are really strong calls from consumers and citizens about their expectations in this space, particularly with the 'Snowden stuff' and the relationship between government surveillance and the services we have become used to using every day such as Google and Facebook.
"Privacy has never had such a high profile so it is a fabulous time for me to come into this office."
In a valedictory speech, predecessor Marie Shroff discussed at length the limitations on the independence of Independent Crown Entities (ICEs), such as her office, saying appointment processes, funding decisions and law reform could all impinge. The three issues "raise an interesting question as to whether ICEs should have more safeguards for their independence", she said, calling for "a new way".
But Edwards said he thought the ICE model provided a good measure of independence.
Collins said the Government expected to introduce a Bill updating the Privacy Act later this year. Shroff had noted in her valedictory that the need for one had first been discussed "10 long years" ago.
The Law Commission has recommended the update include a mandatory data breach notification regime, which could compel businesses and government agencies to disclose if public information had been lost or fallen into the wrong hands.
The circumstances in which such a requirement would kick in "should not be too prescriptive" and should take into account the seriousness of the breach, Edwards said. Another consideration might be whether disclosure would help potential victims.
There was also a risk mandatory public disclosure could tip off criminals about what public information they might be able to get hold of, he said.
The trend in recent times when personal information was accidentally disclosed had been for people to "get on to their newspaper", he said. "I'd like people to be thinking about data they come across accidentally in the same way they might treat a wallet they find in the street. You . . . take steps to ensure it gets back to the rightful owner."
Collins would not reveal whether Shroff had reapplied for the role of privacy commissioner, saying that to do so would breach her privacy.