Cyber, Tech and Data Risk Report – Issue 8, June 2024

We are delighted to share Issue 8 of our Cyber, Tech and Data Risk Report – our wrap-up of relevant news for the last quarter of FY24 for insurers, brokers and their customers doing business in Australia and New Zealand in the cyber, tech and data fields.

There’s a lot to unpack in our June issue. We cover regulatory updates in Australia, developments in the courts and litigation, and new initiatives introduced by the Office of the Privacy Commissioner in New Zealand.

If you would like to discuss anything covered in these articles, please reach out to a member of the team.

Australia

Cyber and Data Privacy – Regulatory Updates

Last month, the ASX’s updated Guidance Note 8 took effect, which provides much needed guidance for companies in relation to disclosure following a cyber-attack. Recognising the difficulty facing companies where the extent of an attack is unknown, the updated guidance provides a worked example with commentary about what disclosure, if any, is required at each stage of the process. The guidance also indicates the expectations of the ASX, including in relation to the forensic work undertaken by the company and recommendations to have a draft announcement ready for release should it become necessary.

The guidance highlights scenarios in which the exceptions to Listing Rule 3.1 would apply, which in most cases is because the information in relation to an attack is not sufficiently definite to warrant disclosure (one of the five situations listed in Rule 3.1A) and because the fact of the breach is confidential. Those situations include:

  • immediately after a breach has been identified where the company has incomplete information as to the extent of the breach
  • once a ransom request is received. Although not specified in the guidance, it seems clear that if there was proof provided with the ransom request that personal data had been accessed and could be used, then that could change the position in relation to materiality and may trigger the disclosure requirement
  • confidential disclosure of the breach to a regulator, which the company considers is necessary in light of the potentially sensitive data involved. The guidance makes it clear that disclosure to a regulator will not result in confidentiality being lost, and
  • where further information about the breach has been identified by forensic experts, and it is clear that some personal data has been exfiltrated, but the extent of the breach remains uncertain.

Where information is known, including the fact that personal data has been accessed, it is likely that disclosure will soon be required. The guidance notes that disclosure will be required as soon as the company commences notifying individuals, because the breach will cease to be confidential, and the company can no longer rely on the exception. Confidentiality will also likely be lost if a journalist approaches the company for comment on a suspected breach.

While the guidance is useful in giving comfort to companies that seek to rely on the disclosure exception, it also makes it clear that the ASX expects companies to be diligent in these situations, including undertaking urgent forensic work to determine the extent of the breach and form a view about whether it is materially price sensitive. As part of the commentary on the example, the ASX notes that the Listing Rules require disclosure when information ought reasonably to have been known to an officer of the company in the course of the performance of their duties – a reminder that a company cannot rely on a delay in performing work to avail itself of the exception to disclosure. It is also recommended that companies prepare a draft announcement to be released as soon as the company forms the view that the breach is material. The content of the announcement will depend on what is known, but it should at least include:

  • a description of what has occurred
  • material facts known (e.g. the nature of the data accessed and number of individuals impacted)
  • any impact on operations or the financial position of the company
  • action that is being taken in relation to the breach, and
  • when the company expects to be able to next update the market

In addition to guidance on when reliance can be placed on the exceptions, the note also provides guidance on when a company should provide updates to the market and on any request for a trading halt. For example, the ASX expects that an update would be provided after the release of information by the threat actor, if the company has previously said no information has been released. It would not, however, expect an update to be provided in relation to the company’s determination to not pay a ransom.

Overall, the guidance is a useful disclosure framework, which will assist companies to comply with their continuous disclosure obligations. It is also a reminder that the mere fact of a company suffering a cyber-attack is not necessarily price sensitive, and that a company can rely on the disclosure exceptions in the early stages following an incident to assist it in balancing the competing demands it faces at a difficult time, including regulatory compliance and the need to comply with market obligations.

In May 2024, the Australian Competition and Consumer Commission (ACCC) released the eighth interim report (Interim Report) for the Digital Platform Services Inquiry. It sets out findings that support the strengthening of privacy laws and highlight unfair trading practices. The inquiry focuses on digital platform services including search engines, social media, private messaging, and online shopping.

Privacy policies and data collection are a key focus, with the ACCC reporting that:

  • consumers usually have no choice but to accept a privacy policy if they wish to access a product or service, despite not appreciating the breadth and depth of data they are agreeing to share
  • if Australian consumers were to read all privacy policies they encounter in full, it would take nearly 46 hours every month. With an average of 6,876 words in a typical privacy policy, it would take an average of 29 minutes to read each policy¹
  • it is difficult for consumers to understand or control what happens to their data once it has been collected, raising the question of whether consent goes far enough at the point of collection, and
  • 74% of consumers were uncomfortable with their location data being shared with third parties for purposes other than delivering a product or service.

The Interim Report comes amidst a number of recommendations from the ACCC on legal reforms for digital platforms, including changes to competition and consumer laws to address harms caused by the platforms,² changes to privacy laws to address consumer choice in the collection of personal information, and obligations on digital platforms to manage scams and misinformation.

The Australian Government is expected to announce changes to privacy laws in August 2024. It is unclear whether changes to competition and consumer laws will be announced this year. The ACCC’s final report on the Digital Platform Services Inquiry is due to be released in March 2025.


¹ ACCC March 2024 Interim Report dated 21 May 2024 – this case study provided by Salinger Privacy demonstrates how consumers may find it challenging to identify who holds data on them, as they often do not have a direct relationship with the third party firms which may have received their data from other sources.

² The ACCC has proposed new mandatory obligations on all digital platforms to address scams, harmful apps and fake reviews, including notice and action requirements and stronger verification of business users and reviews, https://www.accc.gov.au/media-release/consumers-lack-visibility-and-choice-over-data-collection-practices

The Office of the Australian Information Commissioner (OAIC) has recently closed its preliminary inquiries into TikTok’s use of surveillance tools, including ‘pixels’ that track user activity across the internet and social media.

Privacy Commissioner Carly Kind said, in the OAIC announcement closing the inquiries:

Many of these tracking tools are harmful, invasive and corrosive of online privacy. But Australia’s privacy laws do not currently outlaw such online tracking.

… Reforms to the Privacy Act will better address the nature of harm in the online environment and, importantly, empower the OAIC to do something about it.

The comments come as the Federal Government prepares to announce reform to the Privacy Act 1988 (Cth) in August. We cover the reforms in our previous bulletin here.

The Australian Prudential Regulation Authority (APRA) has reiterated its expectation that all APRA-regulated entities ensure cyber resilience through secure and sufficient data backups. These requirements are set out in Prudential Standard CPS 234 Information Security (CPS 234).

In a letter issued to APRA-regulated entities in June 2024, APRA states that it has observed the following common weaknesses in entities’ backup practices:

  • insufficient segregation between production and backup environments
  • insufficient control testing coverage and rigour to ensure backups are protected from compromise, and
  • insufficient testing of capability to recover systems and data within tolerance levels from backups.

APRA has stated that where an entity identifies these weaknesses in its own environment, it considers them material security control weaknesses that are notifiable under paragraph 36 of CPS 234.

APRA has further provided the following mitigation strategies:

  • sufficient isolation of backups from production through access and permission controls
  • a testing program that validates backups are protected from unauthorised access and modification, and
  • a testing program that validates backups can be used to recover critical business operations within the entity’s tolerance levels.

Entities are encouraged to review their compliance with CPS 234 and make any changes necessary to meet APRA’s expectations of a cyber-resilient entity.
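The three mitigations above can be exercised with a scripted restore drill. The following is an added example written for this issue, not APRA’s code and not anything CPS 234 prescribes: it takes a backup with a keyed integrity manifest, flags backup files writable by other users (a crude stand-in for the access and permission controls that isolate backups from production), restores the backup, verifies every restored file against the manifest, and checks the elapsed restore time against a recovery tolerance. The manifest key, the 60-second tolerance, the file names and their contents are assumptions; in practice the key would be held outside the backup environment so that an attacker who can write to the backup store cannot also re-sign the manifest.

```python
"""Backup restore drill with a keyed integrity manifest and an RTO check.
Added example using constructed sample data in temporary directories; not
from APRA or CPS 234. MANIFEST_KEY, the tolerance and the files are assumed."""
import hashlib
import hmac
import shutil
import tempfile
import time
from pathlib import Path

# Assumption: in a real deployment this key lives outside the backup
# environment (for example in a vault); it is a constant only so the
# example runs offline.
MANIFEST_KEY = b"example-key-held-outside-backup-environment"


def _sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(src, backup_root):
    """Copy src into backup_root/data and write an HMAC-tagged manifest of file hashes."""
    data_dir = backup_root / "data"
    shutil.copytree(src, data_dir)
    lines = [f"{_sha256(p)}  {p.relative_to(data_dir).as_posix()}"
             for p in sorted(data_dir.rglob("*")) if p.is_file()]
    body = "\n".join(lines).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    (backup_root / "MANIFEST").write_bytes(body + b"\n" + tag.encode() + b"\n")


def check_isolation(backup_root):
    """Return findings for backup files writable by group or other users."""
    findings = []
    for p in backup_root.rglob("*"):
        if p.stat().st_mode & 0o022:
            findings.append(f"{p.relative_to(backup_root).as_posix()} is group/other writable")
    return findings


def restore_drill(backup_root, restore_root, rto_seconds):
    """Restore the backup, verify each file against the manifest, and time it."""
    start = time.monotonic()
    raw = (backup_root / "MANIFEST").read_bytes().rstrip(b"\n")
    body, _, tag = raw.rpartition(b"\n")
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    result = {"manifest_ok": hmac.compare_digest(expected, tag.decode()), "corrupt": []}
    shutil.copytree(backup_root / "data", restore_root)  # the actual "restore"
    for line in body.decode().splitlines():
        digest, _, rel = line.partition("  ")
        target = restore_root / rel
        if not target.is_file() or _sha256(target) != digest:
            result["corrupt"].append(rel)
    result["elapsed_seconds"] = time.monotonic() - start
    result["within_rto"] = result["elapsed_seconds"] <= rto_seconds
    result["recoverable"] = result["manifest_ok"] and not result["corrupt"] and result["within_rto"]
    return result


def run_demo():
    """Constructed scenario: a clean drill, then a drill after the backup was tampered with."""
    root = Path(tempfile.mkdtemp())
    try:
        src = root / "prod"
        (src / "records").mkdir(parents=True)
        (src / "records" / "claims.csv").write_text("id,member,amount\n1,A,100\n")  # constructed
        (src / "config.json").write_text('{"env": "prod"}\n')  # constructed
        backup = root / "backup"
        take_backup(src, backup)
        (backup / "data" / "config.json").chmod(0o666)  # deliberately weak, to trip the isolation check
        findings = check_isolation(backup)
        clean = restore_drill(backup, root / "restore1", rto_seconds=60)
        with (backup / "data" / "records" / "claims.csv").open("ab") as f:
            f.write(b"\n99,Z,tampered")  # simulate an attacker modifying the backup copy
        tampered = restore_drill(backup, root / "restore2", rto_seconds=60)
        return findings, clean, tampered
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The tampered drill still reports `manifest_ok` because the attacker changed only the data, not the manifest; the file-level check is what catches it. If the attacker could also rewrite the manifest, only the key held outside the backup environment prevents the forged tag from verifying, which is why the isolation and the integrity test belong together.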

The 2024-2025 Australian Federal Budget³ will affect data protection and cyber security in Australia. In particular:

  • the Federal Government announced a budget of $288.1 million is being committed to support the further delivery and expansion of Australia’s Digital ID System so more Australians can realise the economic, security and privacy benefits of Digital ID⁴
  • the Government is providing $5.6 million in new funding to the OAIC, while approximately $11 million of previously allocated funding is terminating. On 15 May 2024, the OAIC issued a statement saying:⁵

    These funds were allocated to the OAIC to allow it to undertake privacy regulatory functions which will continue, including in relation to social media and online platforms, and to investigate major data breaches such as the Optus data breach.

    Going forward, the OAIC will work to inform and implement the Government’s stated commitment to Australia’s Privacy Act reform. Taking into account the support that this initiative will require, the OAIC will be working with the Government to ensure stable and sustainable funding to achieve our purpose of promoting and upholding privacy and information access rights.

  • the Federal Government announced funding of $67.5 million (and $8.6 million per year ongoing) to combat scams through a Scams Code Framework and associated mandatory industry codes (led by ACCC, ASIC and ACMA), initially targeting telecommunications, banks and digital platform services⁶
  • $78.7 million was allocated to the ATO for upgrades to information and communications technologies to enable the ATO to identify and block suspicious activity in real time, and
  • $206.4 million will be allocated over four years to improve the data capability and cyber security of the APRA and ASIC (the cost of this measure will be partially met from cost recovery through ASIC and APRA industry levies).

The Federal Budget demonstrates that the Government is prioritising existing digital systems and strengthening privacy protections for Australians, with significant investment being provided to key regulators and government departments, to support Australia’s cyber security capabilities.


³ 2024-2025 Federal Budget, https://budget.gov.au/content/overview/download/budget-overview-final.pdf

⁴ Digital Service Providers Australia and New Zealand, https://www.dspanz.org/connect/news/2024-25-aus-federal-budget-impacts-dsps/

⁵ OAIC statement on the Federal Budget 2024-25, https://www.oaic.gov.au/newsroom/statement-on-the-federal-budget-2024-25

⁶ Treasury ministerial media release, https://ministers.treasury.gov.au/ministers/stephen-jones-2022/media-releases/albanese-government-continues-crackdown-scammers

Western Australia has introduced new legislation to protect personal information and enhance safe sharing of information held by government.

The Privacy and Responsible Information Sharing Bill 2024 (PRIS Bill) will both modernise and strengthen privacy protections for Western Australians, as well as introduce a new information sharing framework to allow Western Australians greater control over their personal information. It will be the first of its kind to combine privacy and information sharing legislation together.

The PRIS Bill will include:

  • new privacy principles to guide Western Australian public sector agencies on approved systems and processes to handle personal information
  • a mandatory data breach reporting scheme for “notifiable information breaches”
  • a framework for WA public sector entities to share information across public sector agencies, and with trusted external entities (such as health researchers), and
  • a requirement for Aboriginal people and communities to be consulted when sharing government information that primarily affects Aboriginal people.

Additional legislation will be introduced to establish an Information Commissioner’s office to consider and resolve privacy complaints. A Chief Data Officer will also be established to lead and develop public sector capabilities for responsible information sharing.

Western Australia will join Queensland in the introduction of a data breach reporting scheme (yet to commence). Currently, only New South Wales and the Commonwealth have mandatory data breach reporting laws, while Victoria has an optional regime.

Litigation and Courts

The Australian Information Commissioner has filed civil penalty proceedings against Medibank in relation to the 2022 cyber-attack that resulted in millions of Australians’ sensitive personal information being published on the dark web.

The OAIC’s argument appears to centre on the fact that Medibank ought to have considered the reasonableness of the measures it had in place against ‘various’ information security standards and frameworks in place at the time of the breach, and therefore failed to comply with APP 11 (with examples listed including the ACSC ‘Essential 8’, APRA Prudential Standard CPS 234, and ISO 27000).

While there is no direct definition in the Act of what constitutes ‘reasonable steps’ to comply with APP 11.1, the submissions provide insight into the expectations of the OAIC in determining compliance. This serves as an important reminder to APP entities to ensure sufficient security measures are in place and tested to meet contemporary security standards.

If the OAIC is successful in its allegations, the Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G (as per the penalty rate applicable from March 2021 to October 2022). The OAIC has requested that the Court consider a separate penalty for each of the 9.7 million Medibank customers affected by the incident, as an alternative to one penalty for all individuals impacted. Seeking a penalty per act or contravention is a trend we have seen with ASIC in the financial services space. However, whether separate penalties can be applied per individual in the context of a security breach to a system rather than multiple acts against individuals, let alone whether a penalty order is made at all, remains to be seen. Of course, it is ultimately a matter for the Court to decide.


At a glance

  • The Concise Statement filed by the OAIC (Statement) sets out the alleged incident details and the events which led to the publication of exfiltrated sensitive health data of 9.7 million current and former Medibank customers.
  • On or around 7 August 2022, the Medibank credentials of an employee of a Medibank contractor were stolen from the employee’s personal computer by a threat actor, using a variant of malware. The threat actor logged onto Medibank’s Global Protect VPN and subsequently accessed a range of Medibank’s IT systems. The threat actor then exfiltrated approximately 520 GB of data from Medibank’s systems. Between 9 November 2022 and 1 December 2022, the threat actor published data exfiltrated on the dark web.
  • The OAIC alleges that from 12 March 2021 to 13 October 2022 (Relevant Period), Medibank seriously and repeatedly interfered with the privacy of individuals whose personal information it held, in contravention of section 13G of the Privacy Act 1988 (Cth) (Act). The OAIC argues the contravention arises from Medibank failing to comply with Australian Privacy Principle (APP) 11.1 of the Act, which requires entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
  • The OAIC submits Medibank failed to:
    • have adequate information security measures in place commensurate to an organisation of Medibank’s size, resources, and volume of personal and sensitive information held, and
    • act on the recommendations of independent consultants engaged in the Relevant Period to advise on such measures – including several instances where deficiencies were raised.


Security controls OAIC allege Medibank should have had

The OAIC alleges that, considering Medibank’s size, resources, and the nature and volume of personal information it held and the associated risks, it was reasonable under APP 11.1 for Medibank to implement all or some of the following steps:

  • multi-factor authentication (MFA) for access to its Global Protect VPN and other sensitive information assets inside its network
  • proper change management controls regarding information security
  • appropriate privileged access management controls by restricting access according to role and regularly reviewing the number and necessity of privileged accounts
  • appropriate monitoring for privileged accounts, including setting up alerts for unusual account activities
  • appropriate password complexity and monitoring to ensure passwords used were encrypted
  • appropriate security monitoring procedures to detect and respond to information security incidents in a timely manner, including by undertaking and regularly reviewing first-level review and triage of all security alerts generated by Medibank’s Endpoint Detection Response Software, having clearly documented guidance for escalating security alerts, and configuring volumetric alerts to be generated for the exfiltration of abnormal volumes of data from sensitive asset servers
  • appropriate security assurance testing for sensitive information assets and security controls, including by annual penetration testing and internal audits of the Global Protect VPN and MFA configuration, and testing after changes to configuration
  • appropriate application controls for critical servers, and
  • effective contractor assurance, including by conducting regular audits to ensure compliance of third party contractors with Medibank’s security policies and ensuring terms of agreement with security service providers clearly identify roles and responsibilities.
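Several of the controls listed above are detection logic rather than policy: volumetric alerts for abnormal outbound volumes from sensitive asset servers, monitoring of privileged accounts for unusual activity, and documented escalation when the two coincide. The following is an added example written for this issue, not code from the OAIC statement or from any Medibank system. It runs those three checks over constructed flow and VPN login records; the host names, account names, the 1 GB per hour threshold, the 08:00–18:59 business-hours window and the 24-hour correlation lookback are all assumptions.

```python
"""Volumetric exfiltration alerts, privileged-account anomaly alerts and a
correlation rule for escalation, over constructed log records. Added
example; hosts, accounts, thresholds and hours are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
BUSINESS_HOURS = range(8, 19)              # assumed: 08:00-18:59 local time
BYTES_PER_WINDOW_THRESHOLD = 1_000_000_000  # assumed: 1 GB per window per sensitive host

# Constructed sample data (not real logs).
SENSITIVE_ASSETS = {"db-claims-01"}
PRIVILEGED_ACCOUNTS = {"svc-contractor-it"}
FLOWS = [
    # (timestamp, source host, destination IP, bytes sent) outbound flow records
    ("2022-08-10T09:00:00", "db-claims-01", "10.0.5.20", 2_000_000),
    ("2022-08-10T09:20:00", "db-claims-01", "10.0.5.20", 1_500_000),
    ("2022-08-10T22:05:00", "db-claims-01", "203.0.113.7", 4_000_000_000),
    ("2022-08-10T22:15:00", "db-claims-01", "203.0.113.7", 6_000_000_000),
    ("2022-08-10T22:20:00", "ws-0123", "198.51.100.9", 50_000_000),
]
AUTH_EVENTS = [
    # (timestamp, account, source IP, outcome) VPN login records
    ("2022-08-09T08:30:00", "svc-contractor-it", "192.0.2.10", "success"),
    ("2022-08-09T17:45:00", "svc-contractor-it", "192.0.2.10", "success"),
    ("2022-08-10T21:58:00", "svc-contractor-it", "198.51.100.77", "success"),
    ("2022-08-10T09:05:00", "jsmith", "192.0.2.33", "success"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def volumetric_alerts(flows, sensitive_assets, window=timedelta(hours=1),
                      threshold=BYTES_PER_WINDOW_THRESHOLD):
    """Sum outbound bytes per sensitive host per fixed window; alert above threshold."""
    secs = int(window.total_seconds())
    totals = defaultdict(int)
    dests = defaultdict(set)
    for ts, host, dst, nbytes in flows:
        if host not in sensitive_assets:
            continue
        bucket = int((_ts(ts) - EPOCH).total_seconds()) // secs
        totals[(host, bucket)] += nbytes
        dests[(host, bucket)].add(dst)
    return [
        {"host": host, "window_start": EPOCH + timedelta(seconds=bucket * secs),
         "bytes": total, "destinations": sorted(dests[(host, bucket)])}
        for (host, bucket), total in sorted(totals.items()) if total > threshold
    ]


def privileged_account_alerts(events, privileged_accounts):
    """Alert on a privileged login from a never-before-seen source IP or outside hours."""
    known_ips = defaultdict(set)
    alerts = []
    for ts, account, src_ip, outcome in sorted(events):  # ISO timestamps sort chronologically
        if account not in privileged_accounts or outcome != "success":
            continue
        t = _ts(ts)
        reasons = []
        if known_ips[account] and src_ip not in known_ips[account]:
            reasons.append("new_source_ip")
        if t.hour not in BUSINESS_HOURS:
            reasons.append("outside_business_hours")
        known_ips[account].add(src_ip)
        if reasons:
            alerts.append({"account": account, "time": t, "src_ip": src_ip, "reasons": reasons})
    return alerts


def escalations(vol_alerts, auth_alerts, lookback=timedelta(hours=24), window=timedelta(hours=1)):
    """Escalate when a privileged-account anomaly precedes a volumetric alert within lookback."""
    out = []
    for v in vol_alerts:
        for a in auth_alerts:
            if v["window_start"] - lookback <= a["time"] <= v["window_start"] + window:
                out.append({"host": v["host"], "account": a["account"], "bytes": v["bytes"]})
    return out


if __name__ == "__main__":
    vol = volumetric_alerts(FLOWS, SENSITIVE_ASSETS)
    auth = privileged_account_alerts(AUTH_EVENTS, PRIVILEGED_ACCOUNTS)
    for item in vol + auth + escalations(vol, auth):
        print(item)
```

On the constructed records the two daytime flows from the sensitive host total a few megabytes and stay silent, the 22:00 window totals 10 GB to a single external address and fires, the contractor account’s after-hours login from a new source IP fires, and the correlation rule ties the two together for escalation. In a real estate the per-host threshold would be derived from a baseline rather than a constant, and the workstation flow is deliberately ignored because it is not a sensitive asset server.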

The OAIC also alleges that, prior to the incident, a number of tests and audit reports indicated Medibank’s awareness of the deficiencies in its cyber security and information security framework.

Implications

The security measures set out in the Statement provide an important indication of the security controls the OAIC expects to be in place, particularly for organisations of a similar size. It is important to note, however, that this is the first proceeding of this type we have seen in the context of large-scale cyber incidents and data breaches. Accordingly, it will be interesting to see Medibank’s response and, ultimately, how the court deals with these issues.

The Australian Communications and Media Authority (ACMA) has filed proceedings in the Federal Court against Optus following its September 2022 cyber incident.

ACMA alleges that Optus failed to protect the confidentiality of its customers’ personal information from unauthorised interference or unauthorised access, as required under s 187BA of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). The TIA Act provides a legal framework to prohibit the interception of telecommunications, except where authorised in special circumstances, such as the investigation of serious crime.

Optus is separately facing a class action from over 100,000 registered participants in response to the incident. The OAIC is separately investigating Optus’ information handling practices, as well as a ‘representative complaint’ which could allow the OAIC to determine compensation payable to class members.

It has been a case of déjà vu in the data breach class actions space recently, with Medibank claiming privilege over a Deloitte report and Optus appealing the judgment from last year that ruled its Deloitte report was not privileged.

Medibank

There was a two-day hearing in the Medibank proceeding last month, during which Medibank put forward its case for maintaining privilege over a number of documents, including:

  • three reports produced by Deloitte in relation to the incident – a post-incident report, a root cause analysis and a compliance report
  • reports prepared by their external legal advisors, and
  • sample email communications between Medibank and third parties, including Cyber CX (engaged by Medibank to assist with public relations).

The hearing included cross-examination of Medibank’s CEO and Chair in relation to their evidence about the purpose of the materials the subject of the claim. Medibank’s position is that the material was obtained for the purpose of obtaining legal advice in relation to the cyber-attack and potential legal exposure arising from it.

Counsel for the class raised similar objections to those that were raised in the Optus hearing last year, namely, that it was inconsistent for Medibank to maintain privilege in reports when it used the fact of the reports to reassure the public about the matter. It was also said that the legal purpose was not clear at the time the report was commissioned, but became clearer over time. In response to those submissions, Medibank said that the reference to the report in media releases was an “add on” benefit and did not change the fact that the report was commissioned for the purpose of obtaining legal advice.

Both parties referenced the provision of the report to APRA by Medibank. The class relied upon the recent decision in ASIC v Noumi where Shariff J found that privilege had been waived in a third party report when it was voluntarily provided to ASIC, notwithstanding that it had been provided on a limited waiver basis. In response to the submission that provision to APRA resulted in a similar waiver, Medibank relied upon the fact that it was provided on the basis that Medibank could maintain privilege. It will be interesting to see how Rolfe J reconciles that submission with the Noumi decision, noting that both ASIC and Noumi have appealed.

Optus

It wasn’t just Medibank in the news last month; on 27 May, the Full Court denied Optus’ request for leave to appeal Beach J’s decision regarding the privilege status of the Deloitte report. The Court found that there was insufficient doubt in the decision to warrant leave being granted.

In forming that view, one of the factors the Court noted was the reliance that Beach J placed on the fact that the CEO and Board members gave no evidence about the purpose of the report – an important reminder for organisations to put in place the necessary parameters for reports like this, including at Board level, to support claims for privilege. It is notable, and no doubt a direct response to Beach J’s decision, that Medibank’s CEO and Chair gave evidence about the purpose of the report.

The Full Court also reiterated that while the time for assessing the dominant purpose will depend on the circumstances of the case, where a report has been commissioned from a third party, the relevant time for that assessment will usually be the time the report is commissioned. The Court went on to say that evidence as to later events may still be relevant and the Court may take into account events across the continuum of time leading up to the creation of a report like this.

Where to from here?

The decision in Medibank is pending, but reference was made to the Full Court decision in Optus in closing submissions. It will be interesting to see whether the differing approach taken by Medibank results in a different outcome and how the various issues under consideration are treated by Rolfe J.

The Optus proceeding is listed for a case management hearing on 14 June.

Both cases serve as crucial reminders about the importance of taking steps early to maintain privilege in third party reports. While the management of a cyber incident moves rapidly, organisations should be careful to ensure:

  • the purpose of any report is clearly documented at all times, including if appropriate, at Board level
  • if privilege is to be claimed, then the report needs to be commissioned for the dominant purpose of obtaining legal advice. Caution should be exercised in using the report for other purposes
  • appropriate protocols are put in place to maintain the confidentiality in the report
  • caution is used when considering whether to provide reports to regulators until the position in Noumi is resolved, and
  • where appropriate, external statements are reviewed by lawyers to guard against any inadvertent waiver of privilege.

The Supreme Courts of Victoria and Queensland have recently issued guidance documents for the use of artificial intelligence (AI) in court or tribunal proceedings.

The Queensland guidance is designed to assist non-lawyers (including self-represented litigants, McKenzie friends and lay advocates), after courts and tribunals reported an increase in the use of generative AI to help prepare court documents. The guidance emphasises why chatbots cannot substitute for legal advice, as “currently available Generative AI chatbots have been known to provide inaccurate information on Australian law”.

The Victorian guidance goes further, requiring parties (including lawyers) to disclose any use of AI in litigation to the courts and other parties “where appropriate (for example, where it is necessary to enable a proper understanding of the provenance of a document or the weight that can be placed upon its contents)”.

Both guidance documents emphasise the need to consider the privacy and confidentiality of information inputted into an AI tool, as well as accuracy concerns when relying on the output of AI programs.

Technology

At a glance

In Canview Pty Ltd & anor v Gilmore [2024] FCA 551 (22 May 2024), the Federal Court of Australia (FCA) granted interlocutory relief to a medicinal cannabis company by restricting its software provider’s access to certain documents and information which are the subject of a claim for copyright infringement, breach of confidence and conversion.

This case shows that disputes can often arise between technology professionals and their clients while contractual arrangements remain on foot, often involving issues around intellectual property and termination rights. That can in turn lead to coverage issues such as whether a “claim” has been made within the meaning of the technology provider’s professional indemnity policy and, if not, whether there is utility to insurers providing limited mitigation cover in the interests of avoiding a larger and more costly dispute.


Background

Canview Pty Ltd and its holding company Vitura Health (Canview) carry on a business distributing medical cannabis products.

Mr Gilmore is the director of Code4 Cannabis Pty Ltd (C4C), which provides software to Canview for the sale and distribution of cannabis products by facilitating transactions between doctors, pharmacies and patients (Canview software).

Canview alleged that Gilmore acquired confidential information about its business and infringed copyright through two incidents between mid-November 2023 and 13 May 2024, described as the “Hacking Incident” and the “Unauthorised Access and Download Incident”.⁷

On 15 April 2024, C4C issued a notice seeking to terminate the “Services Agreement” based on alleged breaches by Canview of clause 5.2, which provided that they would not ‘decompile, disassemble, reverse engineer or otherwise attempt to derive the source code of the Software’. C4C say that Canview breached the Services Agreement and that Canview’s employees accessed developer tools to access the source code of the web applications.

In response, Canview filed proceedings in the Supreme Court of Queensland seeking a declaration that this termination notice was invalid (Supreme Court proceedings). C4C filed a defence and counter claim in those proceedings, alleging that:

  • documents published on Canview’s SharePoint platform evidence fundamental breaches of the Services Agreement, and
  • from 4 December 2023 to 29 March 2024, employees of Canview accessed the developer tools (which are used to access the source code of web applications).

Issues

On 7 May 2024, Canview filed proceedings against C4C in the FCA:

  • alleging that Mr Gilmore, as C4C’s director, accessed and downloaded documents without Canview’s knowledge or consent, in breach of the Services Agreement, and
  • seeking urgent injunctive relief restraining Mr Gilmore and C4C from using, disseminating and copying confidential information allegedly obtained (Fed Ct proceedings).

Key issues in the Fed Ct proceedings included whether Mr Gilmore:

  • should be permitted to access servers, devices, stored data and stored information without first seeking Canview’s express consent, and/or
  • should be permitted to access, use or disclose any documents already obtained from Canview’s systems for the purposes of the Supreme Court proceedings and to carry out the services under the Services Agreement.

The decision

On 22 May 2024, Meagher J granted Canview’s application barring Mr Gilmore from accessing Canview’s systems or stored information, except as necessary to carry out the services under the Services Agreement.

However, Meagher J allowed C4C to use the documents already accessed to obtain legal advice in relation to the Fed Ct proceedings and Supreme Court proceedings, stating that to rule otherwise would be “antithetical to the interests of justice”.

C4C has already indicated an intention to seek leave to appeal two of the orders made.

Implications

The judgment reinforces the availability of injunctive relief as a useful tool in navigating and mitigating cyber incidents. Where third parties are engaged to provide services on specific conditions, there may be enforceable ramifications for any overstep.

Coverage issues can also arise for technology liability insurers in circumstances where preliminary proceedings for injunctive relief may not always satisfy the policy’s definition of claim. However, there may be an argument for insurers to invoke mitigation cover at an early stage in the dispute to avoid a larger claim later.

Canview Pty Ltd v Gilmore [2024] FCA 551, Meagher J

New Zealand

In April 2024, the Office of the Privacy Commissioner (OPC) released a draft Biometric Processing Code for public consultation.

The Privacy Act 2020 gives the OPC the power to issue codes of practice (such as the Health Information Privacy Code and the Credit Reporting Privacy Code), which modify, clarify, or extend the operation of the Act in particular areas.

The proposed Biometrics Code creates rules applicable to agencies using biometric technologies, such as facial recognition or fingerprint scanning. Key features of the draft Code include:

  • a broad definition of “biometric information” encompassing physiological biometrics (something you are – your face, fingerprint, or eye colour) and behavioural biometrics (the way you do something – your voice or gait)
  • additional requirements for collection of biometric information, including specific requirements to implement privacy safeguards and ensure that the processing is not disproportionate (including consideration of whether the benefit to society at large or the individual in question outweighs the privacy risk posed by the processing)
  • increased notification requirements where biometric processing is in use, and
  • an express ban on “web scraping” of biometric data, and on using biometric processing to collect health information (other than by a health agency), information about individuals’ “inner state” or “physical state”, restricted biometric category data, and age.

The consultation period has now closed and the OPC is in the process of analysing submissions. We can expect an updated draft Biometrics Code in due course. In the interim, regulatory oversight over biometric processing technologies is already in full swing. In April 2024, the OPC opened an investigation into Foodstuffs’ facial recognition technology trial. To date, the trial has received media coverage indicating that the technology has misidentified individuals as being banned from some supermarkets, raising questions around bias and profiling – key issues sought to be addressed through the Biometrics Code.

The Biometrics Code comes at an opportune time. Agencies using biometric processing technologies would be well advised to keep a close eye on the development of the Biometrics Code, as well as on the OPC’s treatment of Foodstuffs’ facial recognition trial.

New Zealand’s Privacy Week 2024 (which began on Monday, 13 May 2024) ran under the theme “busting privacy myths”. Alongside a suite of webinars, the OPC used Privacy Week to issue clarification around breach notification and its expectations.

The OPC has previously stated that it expects to be notified within 72 hours of an organisation becoming aware of a “notifiable privacy breach”. The OPC’s latest update reiterates the importance of the 72-hour timeframe but provides further insight as to when the OPC considers an agency has “become aware” of a breach.

“Becoming aware” of a notifiable breach requires “some degree of knowledge or an assessment about the risk of harm from the privacy breach.” While straightforward in some cases, others may be more complex. The OPC notes that an organisation may not discover a breach immediately, or may need to undertake enquiries to determine whether a breach has occurred or is sufficiently serious to warrant notification.

The OPC emphasises that the critical point is that notification is prompt once the threshold is met:

The key thing is once your initial assessment indicates that harm is likely based on what you know at that time … you should be thinking about prompt notification, even if there are still some unknowns…

Organisations should have processes in place to ensure breaches are identified and investigated promptly and consider incremental notification where appropriate.

In the round, the guidance reaffirms the approach many are already taking – it is important that organisations act on potential privacy incidents, investigate, assess the potential harm, and then notify as appropriate. While organisations do not need to rush to notification at the first sign of a potential breach, prompt investigation and notification (where appropriate) are critical to staying on the right side of the regulator.

The Customer and Product Data Bill (CPD Bill) has been introduced to Parliament. We last wrote about the CPD Bill in our 2022 NZ Insurance Market Trends Update following a consultation on initial draft legislation.

The Bill introduces a “consumer data right”. The framework, which is based on a similar regime adopted in Australia, facilitates the exchange of customer data between organisations in specified industries, and between organisations and accredited data requestors. By giving customers control of certain data, the CPD Bill seeks to encourage individuals to compare services and move between providers, promoting innovation and competition.

The CPD Bill would only apply to certain designated sectors (notably banking and financial services in the first instance, but intended to expand to other sectors such as insurance in the future). As with the Australian regime, much of the operational detail of any consumer data right (for example, agreed data formats to allow the exchange of data) would need to be brought to life through additional regulations and standards.

The Bill introduced to Parliament contains a range of differences from the consultation draft published by MBIE in 2022. As well as limiting the scope of the data to which any consumer data right may apply, the Bill also contains a civil liability regime. This empowers the High Court to impose pecuniary penalties of up to NZ$2.5 million in the most egregious cases.

We await further consultation and development of the CPD Bill as it makes its way through Parliament. If you would like to discuss the implications of the Bill further, please reach out to a member of our Cyber + Technology team.

In May 2024, the OPC announced a consultation period for its new, comprehensive privacy management framework – Poupou Matatapu (the ‘pillars of privacy’).

The OPC identified that many organisations have been struggling “…with the principle-based approach of the Privacy Act and how to comply…”. The proposed Poupou provides guidance on how agencies can implement a robust and effective privacy management system and encourages a culture of privacy. The Poupou Matatapu covers nine topics:

  • Governance
  • Know your data
  • Security and internal access controls
  • Transparency
  • Building capability and awareness
  • Breach management
  • Assessing risk
  • Measure and monitor
  • Privacy management plan

The Poupou Matatapu appears to provide a helpful resource for agencies in implementing a privacy management programme and ensuring they conduct themselves in a manner consistent with the Privacy Act 2020 principles. On the other hand, the Poupou also provides a yardstick by which compliance with the Act can be judged. We anticipate that, once the Poupou Matatapu is finalised, the OPC will be less understanding of organisations that are unaware of their obligations under the Privacy Act 2020 or have failed to take steps to implement good privacy practices.

We will be writing further articles on Poupou Matatapu as we learn more about the new framework and the OPC’s intentions going forward. If you would like to discuss how this may impact your organisation directly, please reach out to a member of our Cyber + Technology team.