The number of data breach notifications in New Zealand more than doubled in the year ended 30 June 2013 to 107, with three quarters of the breaches notified coming from the public sector.
23 out of the 107 breaches reported were from the private sector, but even that was nearly double the 12 breaches reported in 2012, according to the Privacy Commissioner's annual report (PDF).
While the most common type of breach remains the sending of physical information to the wrong person, with 23 breaches notified, electronic data breaches of various kinds are now much more common overall than physical breaches.
Sending electronic information to the wrong person was the second highest breach category (17 notifications) followed by website problems (12 notifications). Four instances of hacking were also notified.
The Privacy Commissioner has been tracking notifications since 2007 but is now formalising its breach tracking programme as “a matter of external interest and importance”.
“We are still developing our reporting system, including considering the most accurate and useful way of reporting types of breaches and outcomes,” the Commissioner’s annual report says.
“Data breaches are being reported to us more frequently, and we have noticed a growing responsiveness by business and government to the reputational benefits of notifying clients when things go wrong.”
A number of high profile public sector data breaches occurred during the year revealing weaknesses within many agency systems and processes, Privacy Commissioner Marie Shroff said.
These included the exposure of security vulnerabilities in Ministry of Social Development self-service kiosks and the inadvertent release of a document containing information about many tens of thousands of Christchurch earthquake damage claimants by EQC.
“We are receiving notifications from a greater variety of sectors, indicating that awareness of breach notification best practice is becoming more widespread,” Shroff said.
Data breach notification is voluntary in New Zealand, so the number of breaches is probably much higher. The Law Commission has recommended (PDF) breach notification become compulsory "in a clearly defined set of situations".
The Privacy Commissioner also submitted of the Government’s Bill to reform the Government Communications and Security Bureau (GCSB) during the year.
“Our submission on the Bill said that because of the complex and dynamic environment, we believe surveillance, and in particular oversight of that activity, needed to be considered further,” Shroff said.
The Privacy Commissioner also participated in the Global Privacy Enforcement Network (GPEN) Internet Sweep, an internationally coordinated effort to scan websites to assess the adequacy of their privacy notices and policies.
The office also received long awaited notification from the European Commission that New Zealand law was considered adequate for the purpose of European Union law.
Coming into effect in April 2013, this decision provides New Zealand businesses with a “comparative advantage” in cross-border data processing, the report says.