Description

Adopted Privacy Bill including cybersecurity regulation (Bill No.34-3)

On 23 June 2020, the Privacy Bill (No.34-3), which includes provisions for cybersecurity regulation, was adopted by parliament. The Bill mandates that agencies covered by the Bill must report data breaches. Specifically, the cybersecurity regulations, which are outlined in Part 6 of the Privacy Bill, delineate the procedures for handling notifiable privacy breaches and compliance notices. A notifiable privacy breach is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or is likely to do so. In assessing serious harm, agencies must consider actions taken to mitigate the risk, the sensitivity of the personal information involved (e.g., health records), the potential harm to individuals, the identity of the party obtaining the information (if known), whether security measures protect the information, and any other relevant factors. Upon discovering a breach, agencies are required to promptly inform the Privacy Commissioner and affected individuals, with provisions for public notice if individual notifications are impractical. Barring extenuating circumstances, agencies should notify the Privacy Commissioner within 72 hours of becoming aware of a breach. The Bill outlines exceptions and delays for situations involving national security concerns or personal safety risks. Failure to notify the Commissioner of a notifiable privacy breach constitutes an offence punishable by a fine of up to NZD 10'000. The Privacy Act applies to any entity defined as an "agency" under the Act. This includes individuals and groups, such as government departments, companies, small businesses, social clubs, and other organizations, regardless of whether they operate in the public or private sector.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: legislature
Government Body: parliament

Complete timeline of this policy change

2018-03-19
under deliberation

On 19 March 2018, the Privacy Bill (No.34-3), which includes provisions for cybersecurity regulatio…

2020-06-23
adopted

On 23 June 2020, the Privacy Bill (No.34-3), which includes provisions for cybersecurity regulation…

2020-12-01
in force

On 1 December 2020, the Privacy Act (2020 No. 31) entered into force. The Act includes provisions f…