Government caution over legislation to protect privacy leaves NZ playing catch-up while our data is shared.

Privacy Commissioner Marie Shroff says New Zealand is lagging behind other countries when it comes to regulatory safeguards to protect people's data in the midst of a technology revolution, and she wants greater powers to help get the "Wild West" under control.

"What we have is a technology that's advanced at lightning speed and the safeguards need to catch up with that and the people who are using all that information they're taking from us and using," she told the Herald.

"We need to know that they are safeguarding it and if they don't, it will be made known to us and potentially that they will be punished."

She pointed to some "catastrophes" in the government sector.


She has looked enviously at Australia this week where its Government introduced an amendment to privacy laws requiring companies or government departments to notify clients if private data are leaked or compromised, to allow people to cancel credit cards or reset passwords or take other measures.

Australia, like New Zealand, has experienced major data breaches through hacking attacks, poor security systems or carelessness.

Marie Shroff laments the amount of time it is taking the Government to make decisions on a Law Commission report, published in 2011 after a five-year review of New Zealand's privacy laws.

The commission recommended more teeth for the Privacy Commissioner, including the power to undertake data audits of companies and government departments, to issue compliance notices and undertake systemic inquiries.

"In the meantime, the technological revolution is tearing along and we're waiting," she said. "The Government responded to that in early 2012, as they are bound to do, but their response was absolutely minimal. It was very light. They just said 'we've got a lot of recommendations and we're going to have a look at them'."

The strongest enforcement regime was in the European Union which allows its privacy regulator to fine companies 2 per cent of annual turnover for serious data breaches.

Marie Shroff said it would be good practice to watch what was happening in the EU "then to react quickly if it turns out to be an effective way to get this Wild West under control".

The only remedy victims of breaches had at the moment was to take an individual complaint, but that could take years to get through the system with some form of redress through the Human Rights Review Tribunal.

She said New Zealand officials were still "in 20th century government mode".

"We need to get into 21st century government mode. They need to join the modern world and stop being so cautious about getting the right regulatory framework in place to deal with it."

Without proper regulation the public would not have the confidence to take part in the digital economy.

"Our polling shows that people fear the internet. They love it but they also fear it. People's concerns about the safety of their information on the internet runs about 80 to 90 per cent."

A regulator who was well equipped to set safeguards and deal with redress if something went wrong would give people the confidence to take part in the e-economy.

She also pointed out that two of the Government's goals under the aegis of Better Public Services involved more effective e-government.

The Government quite reasonably wanted to make use of big data, to analyse, and to provide better service to its citizens.

"It wants to do a lot of good things off the back of this wonderful new technology but at the same time you have to have the regulatory regime to keep pace with that and if you don't, you can see that catastrophes can happen.

"We've now got to the point where, in the data protection field in New Zealand, some of those catastrophes have started to happen - Telecom-Yahoo, ACC, EQC, MSD kiosks.

"We've got an exploding field of government and business activity. Regulator activity and regulator capacity needs to keep pace with that."

Justice Minister Judith Collins said last year she planned to repeal and re-enact the Privacy Act 1993.

Last week she said she was expecting an official report in the next few weeks and would take a paper to the Cabinet later in the year.

The Law Commission's recommendations focused on clarifying and strengthening the existing law, and addressing gaps that have been uncovered over the past 20 years. Some of its recommendations were already in the process of being implemented, and 17 further recommendations would be considered in the course of other law reviews.

"The remaining recommendations, including enhanced powers for the Privacy Commissioner, are currently under consideration," the minister said. "Recent events highlight the importance of the Government developing and leading a culture that respects privacy.

"Ministers are absolutely clear on this point. An example is ACC's focus on improving privacy systems, process and leading organisation-wide culture change around handling personal information."

Danger zones
Potential data breaches where harm may occur

Credit cards: Hackers get hold of credit card details.

Health records: ACC sensitive case records sent to wrong person.

Protections orders: A careless bank clerk or government employee could let slip an address of a person covered by a protection order.

Political donations: Sloppy security allows tech-savvy members of the public to see who has donated to a party.

Email addresses: Hackers get massive database of client details from email provider.