All companies will have to report harmful privacy breaches to the Privacy Commissioner, regardless of whether it was due to negligence or a cyberattack, under a new Government bill to protect people's private data.
But the Privacy Bill leaves the commissioner with no power to penalise companies that do report such breaches, omitting Commissioner John Edwards' request last year for the ability to fine individuals up to $100,000, and companies up to $1 million.
"Rogue agencies will continue to thumb their nose at the regulation, meaning responsible organisations will disproportionately bear the cost of compliance, while cowboys will ignore their obligations," Edwards said.
The bill, introduced to Parliament this week, aims to modernise privacy legislation and give the commissioner some teeth.
The commissioner currently helps parties to settle disputes, but has no power to issue fines for breaches. Nor is there any requirement on companies to notify breaches.
The bill would create new offences and make it mandatory for companies to report harmful privacy breaches. Failure to do so would face a fine up to $10,000.
Justice Minister Andrew Little said it was a significant step forwards in protecting people's privacy.
"If an organisation has a breach of privacy and doesn't report to the Privacy Commissioner and it later becomes apparent, then they are going to be in big trouble."
Little said the bill, which he expected to be improved at select committee, meant that a $10,000 fine for failure to report harmful breaches could hypothetically add up to $1 million, if a company's privacy breach affected 100 people.
"Even accidental privacy breaches in this day and age usually entail a whole lot of people at the same time. Each one of those constitutes a privacy breach. Arguably, you could level a penalty on each one of them."
But Edwards said that would only apply if the company in question failed to report the breaches. If it did, then Edwards would have no power to penalise the company, except to issue a compliance order - with a maximum fine of $10,000 - to fix the problem.
"There is no consequence if a company loses 1000 records of 1000 individuals and 500 of those suffer harm, as long as they tell me ... They stuffed it up, somebody was harmed, but there is no consequence."
He said he would lobby Parliament for the bill to include the ability to fine individuals up to $100,000 and organisations up to $1 million, which would align New Zealand with privacy regimes in Australia, America, and one about to come into force in Europe.
Other new offences in the bill include pretending to be an individual to access that person's information, and destroying any document containing personal information where that person has sought access to it.
The bill would also require New Zealand agencies to ensure personal information disclosed overseas would be subject to acceptable privacy standards.
Edwards would also be empowered to issue a compliance order in the event of a breach, or an access order if a person has been wrongfully denied access to their personal information.
Little said the Government was open to suggested improvements at the select committee stage.
"We got the bill to a point where we met the recommendations of the Law Commission. We could've spent longer getting it absolutely perfect but that would have delayed its introduction by a few months."
The bill is expected to pass by the end of the year.