Privacy Commissioner labels 2012 the year of the data breach

A clutch of serious events, particularly to do with unintentional release of government-held information, have led privacy commissioner Marie Shroff to label 2012 “the year of the data breach”, in her annual report released yesterday.

The report singles out the ACC’s unintentional release of data on more than 6500 clients in March and the more recent leakage in the Ministry of Social Development’s kiosks.

In private industry, the customer can always react to a provider’s inadequate privacy practices by moving their business to a competitor, but with government this is not possible, the commissioner points out. This has led to calls for formal powers and sanctions against such breaches.

“It is clear that people believe regulators should have — and use — the ability to call agencies to heel,” Shroff says. “For instance in our public opinion survey earlier this year, 97 percent of respondents said that the privacy commissioner should have the power to order an agency to comply with the law, and 88 percent said they wanted businesses punished if they misuse people’s personal information.”

Personal information is increasingly recognised as an “asset class” in a business, says Shroff in the annual report, and its proper handling is of importance to the economy, particularly where cross-border movement of data is concerned.

“For instance, the World Economic Forum refers to the evidence of an emerging asset class of personal data, but also goes on to note the lack of rules, norms and frameworks that, by contrast, exist for other types of assets,” Shroff says.

“We may have the valued goods in the form of personal data — and the means of distribution through online networks — but we have sometimes lacked cross-border enforcement mechanisms and regulatory solutions for when things go wrong.”

Amendments to the Privacy Act to offer better cross-border protection were put in place in 2010, and the commissioner records that European Union authorities are as a result in the final stages of declaring New Zealand privacy legislation “adequate” for participation in trade with Europe. The adequacy finding is expected before the end of the year.

Privacy risk management should be recognised as a responsibility for the whole of the company, Shroff says.

The report flags cloud computing as an area of progress and the commissioner favourably mentions the Cloud Computing Code of Practice developed under the guidance of the Institute of IT Professionals.

The commissioner’s office has been working on a guide for cloud computing targeted at SMEs and expect to be able to make this freely available online shortly.