Notes from the Asia-Pacific region: Breach could spark shift in New Zealand privacy law

https://iapp.org/news/a/notes-from-the-asia-pacific-region-breach-could-spark-shift-in-new-zealand-privacy-law

Publish Date: 2026-06-25 11:40:00

Source Domain: iapp.org

The Office of the Privacy Commissioner of New Zealand’s Phase 1 inquiry into the Manage My Health data breach may ultimately have long-lasting significance.

Among the recommendations in the May report is a proposal to amend the Privacy Act 2020 to make third-party service providers directly liable for failing to implement reasonable security safeguards. If adopted, the change would represent a notable shift in New Zealand’s privacy framework.

The Privacy Act does not currently impose direct security obligations on processors equivalent to those found in some overseas jurisdictions. The Manage My Health inquiry exposed the limitations of that approach. The OPC found that both Manage My Health and Health New Zealand breached Rule 5 of the Health Information Privacy Code by failing to maintain reasonable security safeguards. The inquiry also identified shortcomings in governance, assurance and oversight arrangements.

Yet, New Zealand’s existing legislative framework provides no direct accountability for service providers whose systems and controls contribute to such failures.

The recommendation is consistent with international regulatory approaches. Under the EU General Data Protection Regulation, for example, processors are subject to direct obligations to implement appropriate technical and organizational security measures. European regulators can investigate processors directly and impose significant penalties where those obligations are breached.

The rationale is straightforward. Modern organizations increasingly rely on cloud platforms, software-as-a-service providers and outsourced technology partners. In many cases, the processor controls key aspects of the security environment, including system architecture, vulnerability management, access controls and monitoring. Where processors exercise that level of operational control, it is difficult to argue that accountability should rest exclusively with the customer organization.

Importantly, direct processor…
