15 Jan 2026

Cyber-security expert launches petition to Parliament calling for harsher penalties for privacy breaches

7:57 am on 15 January 2026

A cyber-security consultant has launched a petition to Parliament urging harsher penalties in the wake of the major Manage My Health data breach.

Katja Feldtmann, of Whanganui, said the penalties available now were not enough.

"Because $10,000 for one organisation, if you make millions, the fact that it's up to $10,000 and not proportionate, on annual turnover or things like that, it really just is not adequate," she said.

That is the amount the Office of the Privacy Commissioner is able to fine for select offences.

"Privacy Commissioners have tried to get higher penalties and stricter regulation and have failed, so I thought maybe if we can get enough people to sign a petition, then it comes from the people of New Zealand which our government should serve," she said.

"Maybe that makes a difference."

Feldtmann, like the Deputy Privacy Commissioner, pointed to penalties in Australia which were significantly increased in late 2022.

For a serious breach, and for each contravention, a court can impose a maximum of A$50 million, or three times the benefit derived from what happened, or 30 percent of a business' annual turnover.

In New Zealand, there is no express penalty for a privacy breach.

The $10,000 fines can be issued for:

  • A business or organisation that fails to change its behaviour after being issued with a compliance notice;
  • Misleading a business or organisation to access someone else's personal information;
  • A business or organisation destroying personal information after it has been requested, to avoid handing it over;
  • Failing to notify the Privacy Commissioner of a breach.

"They're just not enough," Feldtmann said.

"I think they're just too low to be encouraging people to do better, they are hindering organisations from doing better because the penalty is cheaper than actually implementing some better security and privacy measures," she said.

"I always look at it and then I look at what the rest of the world is doing, the European Union is the gold standard.

"We're in the Five Eyes and you look at what the others do and then you look at what we have and it's almost like we don't really deserve to be in the Five Eyes, at least in that cyber security space and privacy space," she said.

The petition is on Parliament's website.
