Sunday, August 26, 2007

NZ commissioner to release breach guidelines

New Zealand's privacy commissioner, Marie Shroff, is going to introduce voluntary privacy breach guidelines today. I understand they are modeled on those recenly produced by the Canadian Privacy Commissioner. I'll post a link when they are released.

Computerworld > Privacy Commissioner boosts breach disclosure drive with guidelines

Privacy Commissioner Marie Shroff will today announce a draft guide for the management of data breaches in business and government, in what could be the first step towards introducing data breach disclosure laws to New Zealand.

The guidelines are not mandatory, however. Shroff says she may consider whether breach notification should be a mandatory part of New Zealand law, as is the case in parts of North America and has been recommended in Canada.

The guidelines say data breaches should be managed in four stages: containing and assessing the breach; evaluating the risks; considering or undertaking notification; and putting in place future prevention measures.

“Be sure to take each situation seriously and move immediately to investigate the potential breach,” the guidelines say. “Steps 1, 2 and 3 should be undertaken either simultaneously or in quick succession. Step 4 provides recommendations for longer-term solutions and prevention strategies. The decision on how to respond should be made on a case-by-case basis.”

UPDATE: Here are the materials posted on the NZ Commissioner's website:

Key steps for agencies responding to privacy breaches and privacy breach guidelines. The Commissioner welcomes feedback on the draft documents. Comments due by 28 September 2007.

Download the documents

No comments: