By Tom Maasland & Richard Wells*
Data protection is a hot topic, both nationally and around the world. It is timely to consider the implications for the banking sector as one industry that needs to respond to regulatory change – as the change is arriving soon.
As banks review their systems, processes and contracting terms in light of the refreshed Reserve Bank Outsourcing Policy (BS11), it may be convenient to consider how these systems, processes and contracting terms need to be updated to reflect changing requirements in the data protection space – as well as considering any future-proofing highlighted in the New Zealand Privacy Bill (yet to be finalised) and other legal and regulatory requirements.
What is happening in New Zealand right now?
The Government introduced the Privacy Bill (the Bill) on 20 March this year which will repeal and replace the Privacy Act 1993 (as recommended in the Law Commission’s 2011 review of the Privacy Act). The Bill is now with the Select Committee with a report due on 11 October this year. Three of the key proposed changes under the Bill and how banks will need to start thinking about their implications are:
1. Mandatory reporting of privacy breaches
Systems and processes
Agencies will be required to notify the Privacy Commissioner and the affected individuals in the event of a notifiable privacy breach. This will up the stakes on all aspects of statutory compliance, including cyber-security. As well as ensuring that data collection and use practices are up to date and that storage systems are sufficiently secure and well managed (to further reduce the risk of a breach occurring), organisations should consider creating a specific channel for breach reporting and ensure staff are trained on processes.
For banks, who have so many touchpoints with their customers’ (and employees’) personal data, this may be a significant exercise. In addition, the practicalities of tracking breaches and breach notifications could require some kind of technology solution. Banks may want to start considering options in the market or enhancements to in-house solutions.
Contracts with third parties
In entering into relationships with third parties (such as data processors), agencies should ensure that those third parties are clear on their privacy obligations, including mandatory breach notification. This will be even more important when dealing with overseas suppliers who are not governed by and who are not familiar with New Zealand privacy laws. We recommend compliance requirements, and an appropriate liability regime, is drafted into contracts with these third parties.
Although the exact nature of the changes to privacy law (and when they will come into force) remains uncertain it is prudent (and best practice) when entering into contracts with third parties to ensure that they must take the actions necessary to comply with privacy law as it is updated from time to time, including providing notification of certain breaches and complying with any direction from the Privacy Commissioner.
Because banks will want to understand the nature of any security issues affecting it or its customers, the requirements should be drafted so that breach notification requirements apply even before any legal revisions come into effect.
Consequences and unfair contract terms
While it is proposed that organisations could be exposed to a fine not exceeding $10,000 for failing to report a notifiable privacy breach, the more important aspect of a mandatory breach reporting regime will be reputational. It is proposed under the Bill that the Privacy Commissioner will be able to publish the identity of the agency that has made the notification if it is in the public interest to do so.
The individuals affected will also be made aware of the breach and so may pursue the agency for damages. Privacy policies have been under scrutiny by the Commerce Commission as part of its unfair contract terms reviews and enforcement activity.
The new unfair contract terms regime was introduced in New Zealand in 2015 and applies to terms in a standard form consumer contract. The Commerce Commission has indicated that privacy policies and other documents incorporated by reference must also comply with the unfair contract terms regime (see its gym contracts review of August 2017). Limitation of liability causes that cut across a consumer’s remedies for breaches of privacy law should be carefully considered.
2. Compliance notice
The Bill will enable the Privacy Commissioner to issue compliance notices requiring an agency to either do something or stop doing something to comply with privacy laws, and may provide a timeframe for compliance. The agency would have the opportunity to comment on the notice before it is issued. This is an interesting power as it implies that prompt and meaningful engagement with the Privacy Commissioner will be required to ensure that the actions that the agency is required to take are necessary, realistic and affordable.
As banks’ systems, processes and touch points with personal data can be complex, it is prudent to establish a standing cross functional committee or team to interact with the Privacy Commissioner. Ultimately, it is proposed that a failure to comply with an order of the Human Rights Review Tribunal enforcing the order attracts a fine of up to $10,000, and again (though the fine is relatively low) reputational harm is likely to accompany any failure to comply with an order.
3. Strengthening cross-border data flow protections
Under the Bill, New Zealand agencies must take reasonable steps to ensure personal information that is disclosed to an overseas person is subject to acceptable privacy standards. The Bill proposes disclosure of personal information to an overseas person will only be permissible if the individual consents, if the overseas person has comparable privacy laws to New Zealand, or the agency believes the overseas person is required to protect the individual’s information in a way that is comparable to New Zealand’s privacy laws.
To the extent that New Zealand personal information is transferred overseas, and for the four large Australian-owned banks this is likely to be highly relevant (even despite the countervailing pressure exerted under BS11), then banks will need to undertake an analysis of whether the destination regimes are comparable and/or establish a requirement to comply with New Zealand’s privacy laws.
We consider that establishing in any relevant contracts a requirement to comply with New Zealand’s privacy laws would be preferable to do in any case, since it allows the contractual requirement to flex with any changes in the law.
*Tom Maasland and Richard Wells are corporate and commercial partners at law firm MinterEllisonRuddWatts.