Category Archives: New Zealand

Law Commission begins joint review of the Search & Surveillance Act 2012

The Minister of Justice has asked the Law Commission and Ministry of Justice to review the operation of the Search and Surveillance Act 2012.  The Act controls how police and certain other government agencies search people or property, as well as the use of surveillance devices for the purpose of investigating crime.

The Law Commission and Ministry of Justice will be calling for public submissions later this year and will report to the Minister by the end of June 2017.

Link: Law Commission media release

Privacy scrutiny for Oculus Rift

Concerns have emerged this week over the privacy policy wording of Facebook’s virtual reality company (and Facebook subsidiary) Oculus Rift.

First to press was ZDNet, highlighting wording that purports to disclaim responsibility for data breaches.  This was followed by a letter (PDF) to the company from Senator Al Franken, demanding more detailed disclosures on what information Oculus collects from users and what it does with that data.

All in all, this is a timely reminder of the PR implications of privacy policies, especially for high profile businesses.  In jurisdictions like New Zealand, it is also an open question as to whether disclaimers of the kind highlighted above might attract attention from regulators under  unfair contract terms legislation.

Link: ZDNet  |  TechCrunch
Hat-tip: IAPP

New scrutiny for Privacy Act exceptions for SIS and GCSB

Radio NZ has coverage on the results of the recent review of New Zealand’s Security Intelligence Service (SIS) and Government Communications Security Bureau (GCSB).

Of particular interest to the media is the exemption in s57 of the Privacy Act, which provides that certain aspects of the Act do not apply to information collected, obtained, held, used, or disclosed by, or disclosed to,  the SIS and GCSB.

This means the Privacy Act does not prohibit private entities such as banks and telcos from disclosing customers’ personal information to the SIS or GCSB, though of course other restrictions such as customer confidentiality may still be relevant in the absence of a warrant that compels disclosure.

The Radio NZ report notes that the Privacy Commissioner is calling for a tightening of the rules on collection of personal information by the SIS and GCSB.

Link: Radio NZ Report

Can you sell your customer database?

After failing to sell Dick Smith as a going concern, receivers Ferrier Hodgson are now trying to sell the company’s New Zealand and Australian assets, including customer databases.  But does the Privacy Act 1993 allow it?

Link: Chapman Tripp Brief Counsel

Norton Cyber-security Insight Report (New Zealand)

Norton recently released its annual Cyber-security Insight Report for New Zealand.   The report found that:

  • the amount consumers lost to cyber-crime in the past year was NZD$256.8 million,
  • 83% of the respondents are worried that they will become a victim of cyber-crime,
  • only 45% of consumers “always” use a secure password,
  • only 15% of consumers feel completely in control over their online security, and
  • only 38% of the respondents are confident they know what to do if they become a victim of cyber-crime.

Link (Norton): Norton Cyber-security Insight Report (New Zealand)

PwC State of Information Security Survey in New Zealand

PwC has released its annual Global State of Information Security Survey.

Key findings for New Zealand include:

  • New Zealand organisations are much less confident this year that their information security activities are effective.  In 2014, 83.3% of New Zealand organisations were confident or somewhat confident, compared to just 64.7% this year.
  • Many organisations are emphasising the people side of the information security equation.  However, the survey data suggests that New Zealand is slightly behind the curve at board level.  Globally, 34.8% of organisations say their board receives information security risk updates at least four times a year.  In New Zealand, only 20.6% receive regular updates.
  • New Zealand is falling behind global trends in information security spending.
  • 43.3% of organisations have indicated that they have a security strategy in place for the cloud, 40% have mobile malware detection and 50.5% use common identity protection.  But more than 40% do not currently have an overall strategy that takes into account the holistic needs of the organisation.
  • 28% of organisations with a security incident in the past year suffered a loss or damage to internal records; 25.6% saw their brand or reputation compromised; and 18.3% suffered financial loss.

New Zealand respondents ‘ top information security priorities for the coming year are:

  • identifying sensitive assets;
  • security strategy for mobile devices;
  • classifying the business value of data; and
  • establishing security and baseline standards for third-party vendors, suppliers, and external partners.

Link (PwC): State of Information Security Survey in New Zealand

New Zealand Supreme Court allows limited protection of ‘digital data’ as ‘property’

The New Zealand Supreme Court has this week made a small dent in the proposition, upheld by the Courts of Appeal in New Zealand and England last year, that digital data is not property for the purposes of the law.

The Supreme Court held digital data is property for the purposes of the criminal law.  But civil reliance on property rights will not suffice to protect electronic information – at least for now.

You can find the background and more detailed commentary in our Chapman Tripp Brief Counsel.