2012: Year of the data breach

Several major public sector data breaches have led to the Privacy Commissioner labelling 2012 "the year of the data breach".

Among the biggest breaches noted in commissioner Marie Shroff's annual report, released today, were the ACC spreadsheet breach in March and MSD kiosk breach in October, contributing to a loss of public trust.

The incidents highlighted the "urgent need for far better security and respect by government agencies for New Zealanders' personal information", said Ms Shroff.

"The public sector can't afford to be complacent. It's quite clear that agencies holding large amounts of personal information need to place greater value on that information asset."

Agencies needed to develop strong leadership and a culture of respect for privacy, as well as practices to protect personal information: "There has been far too little focus on the fact that there are real people behind the masses of information that government agencies hold", she said.

And Kiwis agree.

Privacy complaints have soared as the public loses trust in agencies.

A recent TV One Colmar Brunton poll showed 60 per cent of New Zealanders don't trust government departments to protect their personal details.

In a commission survey this year, general concern about privacy was found to have "risen sharply" in the last decade, up to 67 per cent from 47 per cent in 2001.

Of the respondents, 88 per cent said they wanted businesses punished if they misused personal information.

Last year, ACC mistakenly emailed a spreadsheet containing details of about 6748 clients to former National Party insider Bronwyn Pullar.

The breach sparked a flood of 173 further complaints about the Government department this year.

Notification of data breaches is not required by law, but the Law Commission recently recommended it should be made compulsory where breaches put people at risk.

"That would bring New Zealand law into line with practice overseas," said Ms Shroff.

The commissioner supported a Privacy Act update that would require compulsory reporting of data breaches.

She also pointed to an amendment of the Credit Reporting Code that came into effect in April, allowing more comprehensive credit reporting.

Under the new system, lenders will upload information monthly, showing whether or not individuals have met their monthly credit repayments.

As a result, much larger collections of detailed and sensitive financial information on New Zealanders will be collected, so additional measures have been introduced to ensure protection to individuals.