Data breach rules years away
The Dominion Post
Privacy Commissioner Marie Shroff says she is likely to allow 18 months to two years for voluntary guidelines to take effect before deciding whether mandatory rules are required. The guidelines set out the way in which organisations should respond to the theft or accidental disclosure of customers' personal information.
Ms Shroff says that in the next two or three weeks she is likely to finalise the draft guidelines that were put out for public consultation in August.
The British Defence Ministry admitted earlier this month that a laptop containing personal information on 600,000 new and potential recruits to the armed forces had been stolen from a car of a junior officer in Birmingham - the latest in a string of British data breaches.
The draft guidelines issued by Ms Shroff say that organisations should weigh up how sensitive the information that has been lost or stolen may be, whose hands it may fall into and the uses to which it may be put, before deciding whether to notify those affected.
They should notify the Privacy Commissioner of "material breaches".
She says the response to the advice has been "largely positive and supportive".
Much of the feedback from public consultation centres on whether a mandatory regime governing the disclosure of data breaches is required, she says.
"That will depend to a large extent on how businesses and government agencies abide by the guidelines, so to some extent it is in their hands."
Ms Shroff says few countries have rules forcing disclosure, and New Zealand has an opportunity to learn from their experiences over the next two years.
"Our research has definitely shown there are downsides to mandatory guidelines as well as to voluntary guidelines," she says.
"Mandatory guidelines always become somewhat rigid. It is starting to emerge that you sometimes get 'notification fatigue' or you may run the risk of making the breach worse by notifying people of what information may have been lost, or you may alarm people unnecessarily."
Ms Shroff says some businesses argued the guidelines should be mandatory so there was a level playing field for responsible businesses.
"If you want to encourage a culture of respect for privacy, it may well be better to go down the route of having people have good practices, good attitudes and good training than having to feel there is some punitive regime in place."
The Privacy Commissioner has been notified of one data breach since the draft guidelines were published. The Social Development Ministry advised it that it had printed the wrong people's names on the reverse of some Gold Cards issued to senior citizens.