Privacy Law and higher education
In December 2020 new privacy legislation came into force. Answer our five key questions to gain confidence that your tertiary institution is effectively managing its data privacy risks
In December 2020, the revised New Zealand Privacy Act came into force. Some of the changes included in the Act are stronger controls over the transfer of personal data overseas, fines for non-compliance with privacy directives, and, most notably, mandatory reporting of data breaches to the victims and the Office of the Privacy Commissioner (OPC).
The new legislation is particularly relevant to New Zealand Tertiary Education Institutes (TEIs) – organisations that collect and process vast amounts of Personally Identifiable Information (PII) about students, alumni, staff and contractors, some of whom are based overseas. It is of utmost importance that TEIs ensure their privacy practices are not only compliant with the law but also manage their privacy risk.
Impact of Privacy Breaches on TEIs
Privacy breaches can have a major impact on organisations that are not sufficiently protected from or prepared for them. The cost of investigating and remediating the breach can in some cases be compounded by regulator fines and media coverage, ultimately causing a negative impact on a TEI’s reputation. Please see the June 2020 Tertiary Talk article on privacy for some examples of the costs incurred by overseas TEIs as a result of privacy breaches.
An emerging trend is the challenge of managing privacy risks involving outsourced partners. We continue to see an increase across the sector in the number of institutions that have experienced a privacy breach. We have seen recent examples where having a robust and tested emergency response plan has enabled organisations to react promptly when situations arise by:
- Notifying the OPC of the breach and the TEI’s response,
- Notifying all affected parties of the breach and the TEI’s response, and
- Publishing a public notice of the breach on the TEI’s website.
These trends highlight the need for TEIs to strengthen their privacy management programmes for third party vendors and service providers.
Managing Your Risk
Data breaches and all types of cyberattacks are considered by the privacy and security community to be ‘when, not if’ events for most organisations. It is important therefore that all institutions, including TEIs, have seriously considered and routinely tested their breach management plans so that they can be quickly activated. Of course, a comprehensive privacy strategy and ongoing programme is required to reduce the risk of a breach in the first place. Part of this programme must have an assurance component which involves cyclical validation that your TEI has adequate and effective privacy protection procedures and controls.
In the wake of the new Privacy Act, here are five key questions that should be asked of TEI leaders and privacy officers to gain confidence that institutions are effectively managing data privacy obligations:
- Do we understand the size and severity of risks associated with the PII that we are carrying? For example, how have we measured and addressed privacy risks attached to this information?
- How do we know that our privacy processes are fit for purpose and well communicated? For example, what monitoring and reporting procedures have we implemented?
- Is the responsibility for privacy related matters clearly defined and communicated to all stakeholders, including our vendors and partners who have access to this data?
- What programme do we have in place to ensure our staff and partners are keeping up to date and upholding the obligations imposed by privacy laws relevant to our data subjects? For example, how are we embedding privacy thinking in the changes we make to our business?
- Do we have an incident management plan and is this tested regularly?
If you would like to discuss managing your TEI’s privacy data obligations, please get in touch.