Office of the Privacy Commissioner | First Privacy Act compliance notice successfully closed
The Privacy Commissioner has today announced the closure of its first compliance notice, issued to the Reserve Bank of New Zealand – Te Pūtea Matua in September 2021.
This followed the Reserve Bank’s response to the December 2020 cyber-attack and independent review of the incident by KPMG.
“When an agency has had a significant privacy breach, compliance notices are one of our core tools for providing them with a clear roadmap to improving their privacy practices,” says Privacy Commissioner Michael Webster.
“In this case, our compliance notice outlined improvements the Reserve Bank needed to make to ensure the safety and security of the personal information in its care, building on the KPMG report. The RBNZ has made every change recommended and more, and we are closing this compliance notice confident that all identified areas of concern have been addressed.”
The Privacy Commissioner can issue compliance notices to organisations or businesses that are not meeting their obligations under the Privacy Act. A compliance notice details the changes the agency needs to make to its activities in order to comply with the Privacy Act. Refusing to comply with a compliance notice is an offence under the Privacy Act.
Reserve Bank Governor Adrian Orr says, “This is an important milestone and a credit to all the RBNZ staff and stakeholders who’ve worked together to deliver our business services improvement programme which we started shortly after the data breach incident.
“At Te Pūtea Matua we remain committed to our ongoing programme of education and training while continuing to improve our systems and processes supporting the protection and storage of information.
“I would like to again thank the OPC for its support throughout this incident and the collaborative approach they have taken to their investigation and our remedial actions.”
“The Reserve Bank did everything right in responding to this breach,” says Mr Webster. “They notified us immediately, they worked with us throughout the process, and they have taken on board the improvements we advised through our compliance notice. We’re heartened by their willingness to learn from this situation and the safeguards and continuous improvement processes they have put in place.”
More information
- A compliance notice is a written notice from the Privacy Commissioner to a public or private sector agency that the agency is in breach of its statutory obligations under the Privacy Act.
- The Privacy Act’s Principle 5 says agencies that hold personal information have to have reasonable security safeguards in place to protect personal privacy.
- Media release – Privacy Commissioner issues first compliance notice to Reserve Bank of New Zealand