Office of the Privacy Commissioner | Compliance Notice issued to Reserve Bank of New Zealand following cyber attack
The Office of the Privacy Commissioner has issued a compliance notice to the Reserve Bank of New Zealand. This compliance notice relates to a weakness in one of the Reserve Bank’s third-party systems, and in some of the Reserve Bank’s processes, identified as a result of a notifiable privacy breach reported to the Office on 9 January 2021.
This compliance notice requires the Reserve Bank to take specified steps by certain dates in order to comply with information privacy principle 5 (storage and security of personal information).
Background to the compliance notice
In December 2020 the Reserve Bank of New Zealand was the victim of a cyber-attack, which raised the possibility of systemic weaknesses in the RBNZ systems and processes for protecting personal information. As a result, RBNZ instigated an internal and external review to identify any shortcomings in their operations.
Following its review of the privacy breach, the Privacy Commissioner determined that, despite the security safeguards it had in place, the Reserve Bank failed to adequately protect a subset of the personal information it held.
The Reserve Bank has now instigated a programme of work to improve policies and processes for protecting personal information.
This compliance notice has been issued to require the Reserve Bank to improve its policies and procedures and to make its systems for handling personal information more secure. The compliance notice sets out specific steps to be taken within identified timeframes, and progress against these steps will be monitored by the Office of the Privacy Commissioner.
The Reserve Bank has been co-operative with the Privacy Commissioner’s investigation and findings. The Reserve Bank was provided with a draft compliance notice and the opportunity to comment.
Under the Privacy Act 2020, the Commissioner may issue compliance notices to agencies that are not meeting their obligations under the Act. A compliance notice will require an agency to do something, or stop doing something, in order to comply with the Privacy Act.
More information about compliance notices is available here.