Tim Murphy reports:
MPs have revised privacy legislation to avoid a risk of ‘notification fatigue’ in which holders of data would be forced to advise the public of even minor data breaches.
Parliament’s justice select committee has raised the threshold in the Privacy Bill for when mandatory notifications to the Privacy Commissioner and affected individuals would be required from a breach causing “harm” to one of “serious harm”.
[…]
Now, the judgment of “serious harm” from a breach would be determined by a range of factors set out in the revised bill including: the actions a holder of data has taken to reduce the harm; the sensitivity of the information; the nature of the harm; those to whom the information might be disclosed; and whether the information is protected by security measures.
Read more on Newsroom. I wish they had linked to the actual language of the legislation. I’ll go look for it.
Update: Thanks to the Office of the Privacy Commissioner for the link to the actual text:
https://www.parliament.nz/en/pb/bills-and-laws/bills-proposed-laws/document/BILL_77618/privacy-bill