New Zealand’s Privacy Commissioner is right to argue that the law should be changed to allow agencies to be fined when they fail to protect people’s sensitive personal information.
In an increasingly digital society, we’re being encouraged to trust organisations with highly confidential data, including medical records, financial details, and personal identification information. With that trust must come accountability.
The recent cyberattack involving Manage My Health highlights why stronger enforcement powers are necessary. The platform stores sensitive health information for hundreds of thousands of New Zealanders and is widely used by patients and healthcare providers. When a system like this is compromised, the consequences can be severe, including identity theft, privacy violations, and loss of confidence in digital healthcare services.
While an investigation followed the breach, many New Zealanders were left wondering whether anyone would face meaningful consequences. Too often, organisations can have a data breach without being held directly accountable for inadequate security practices.
These concerns become increasingly significant as New Zealand moves towards digital driver licences and other forms of digital identity. While digital licences offer convenience and efficiency and are the way of the future, they also create a centralised repository of highly valuable personal information.
If we’re expected to carry our identity in digital form, we need to be confident the systems protecting our information meet the highest security standards.
Where negligence or failure to meet these standards contributes to a breach, substantial financial penalties should be an available option. Privacy Commissioner Michael Webster says that when it comes to accountability for failing to protect an individual’s privacy, New Zealand's laws are "somewhat out of step" with those overseas.
The possibility of significant fines would create a strong incentive for organisations to invest in prevention rather than simply managing the fallout after a breach.
It would send a clear message that protecting personal data is a fundamental responsibility.
If organisations and government agencies expect the public’s trust, they must also accept meaningful consequences when that trust is broken.