Data protection – systems and process issues for the banking sector

This is article 1 in a three-part series on data protection and the implications for open banking:

Introduction and key takeaways

Data protection is a hot topic, both nationally and around the world.  It is timely to consider the implications for the banking sector as one industry that needs to respond to regulatory change – as the change is arriving soon.

As banks review their systems, processes and contracting terms in light of the refreshed Reserve Bank’s Outsourcing Policy (BS11), it may be convenient to consider how these systems, processes and contracting terms need to be updated to reflect changing requirements in the data protection space – as well as considering any future-proofing highlighted in the New Zealand Privacy Bill (yet to be finalised) and other legal and regulatory requirements.

What is happening in New Zealand right now?

The Government introduced the Privacy Bill (the Bill) on 20 March this year which will repeal and replace the Privacy Act 1993 (as recommended in the Law Commission’s 2011 review of the Privacy Act).  The Bill is now with the Select Committee with a report due on 11 October this year.

Three of the key proposed changes under the Bill and how banks will need to start thinking about their implications are:

  1. Mandatory reporting of privacy breaches

Systems and processes

Agencies will be required to notify the Privacy Commissioner and the affected individuals in the event of a notifiable privacy breach.  This will up the stakes on all aspects of statutory compliance, including cyber-security.

As well as ensuring that data collection and use practices are up to date and that storage systems are sufficiently secure and well managed (to further reduce the risk of a breach occurring), organisations should consider creating a specific channel for breach reporting and ensure staff are trained on processes.

For banks, who have so many touchpoints with their customers’ (and employees’) personal data, this may be a significant exercise.

In addition, the practicalities of tracking breaches and breach notifications could require some kind of technology solution.  Banks may want to start considering options in the market or enhancements to in-house solutions.

Contracts with third parties

In entering into relationships with third parties (such as data processors), agencies should ensure that those third parties are clear on their privacy obligations, including mandatory breach notification.  This will be even more important when dealing with overseas suppliers who are not governed by and who are not familiar with New Zealand privacy laws.  We recommend compliance requirements, and an appropriate liability regime, is drafted into contracts with these third parties.

Although the exact nature of the changes to privacy law (and when they will come into force) remains uncertain it is prudent (and best practice) when entering into contracts with third parties to ensure that they must take the actions necessary to comply with privacy law as it is updated from time to time, including providing notification of certain breaches and complying with any direction from the Privacy Commissioner.

Because banks will want to understand the nature of any security issues affecting it or its customers, the requirements should be drafted so that breach notification requirements apply even before any legal revisions come into effect.

Consequences and unfair contract terms

While it is proposed that organisations could be exposed to a fine not exceeding $10,000 for failing to report a notifiable privacy breach, the more important aspect of a mandatory breach reporting regime will be reputational.  It is proposed under the Bill that the Privacy Commissioner will be able to publish the identity of the agency that has made the notification if it is in the public interest to do so.  The individuals affected will also be made aware of the breach and so may pursue the agency for damages.

Privacy policies have been under scrutiny by the Commerce Commission as part of its unfair contract terms reviews and enforcement activity.  The new unfair contract terms regime was introduced in New Zealand in 2015 and applies to terms in a standard form consumer contract.  The Commerce Commission has indicated that privacy policies and other documents incorporated by reference must also comply with the unfair contract terms regime (see its gym contracts review of August 2017).

Limitation of liability causes that cut across a consumer’s remedies for breaches of privacy law should be carefully considered.

2. Compliance notice

The Bill will enable the Privacy Commissioner to issue compliance notices requiring an agency to either do something or stop doing something to comply with privacy laws, and may provide a timeframe for compliance. The agency would have the opportunity to comment on the notice before it is issued.

This is an interesting power as it implies that prompt and meaningful engagement with the Privacy Commissioner will be required to ensure that the actions that the agency is required to take are necessary, realistic and affordable.  As banks’ systems, processes and touch points with personal data can be complex, it is prudent to establish a standing cross functional committee or team to interact with the Privacy Commissioner.

Ultimately, it is proposed that a failure to comply with an order of the Human Rights Review Tribunal enforcing the order attracts a fine of up to $10,000, and again (though the fine is relatively low) reputational harm is likely to accompany any failure to comply with an order.

3. Strengthening cross-border data flow protections

Under the Bill, New Zealand agencies must take reasonable steps to ensure personal information that is disclosed to an overseas person is subject to acceptable privacy standards.  The Bill proposes disclosure of personal information to an overseas person will only be permissible if the individual consents, if the overseas person has comparable privacy laws to New Zealand, or the agency believes the overseas person is required to protect the individual’s information in a way that is comparable to New Zealand’s privacy laws.

To the extent that New Zealand personal information is transferred overseas, and for the four large Australian-owned banks this is likely to be highly relevant (even despite the countervailing pressure exerted under BS11), then banks will need to undertake an analysis of whether the destination regimes are comparable and/or establish a requirement to comply with New Zealand’s privacy laws.

We consider that establishing in any relevant contracts a requirement to comply with New Zealand’s privacy laws would be preferable to do in any case, since it allows the contractual requirement to flex with any changes in the law.

Like this article?

This is article 1 in a three-part series on data protection and the implications for open banking:

Who can help

Richard Wells

Partner - Corporate and Commercial

Richard is a commercial lawyer with particular expertise in technology, media and telecommunications law, intellectual property, commercial contracting and sport.

He advises clients on issues arising at all stages in the product lifecycle and is an expert legal draftsperson and troubleshooter.  Richard is sought after to help establish new ventures and to commercialise new technology both in New Zealand and overseas.

As well as his technology practice, with a background in commercial and IP law, Richard is recognised as a leading Sports and Events lawyer ranked as Band 1 by international research directory Chambers Asia Pacific. He has broad experience working with event hosts, sponsors and stakeholders to deal with issues arising in relation to major events in New Zealand.

Richard Wells


Corporate and Commercial

P: +64 9 353 9908
M: +64 21 244 0238

Tom Maasland

Partner - Corporate and Commercial

Tom is a Partner in our Technology, Media and Telecommunications (TMT) practice – a practice which has been recognised by international legal directory, Asia Pacific Legal500, as Tier 1 for TMT in New Zealand.

Tom advises on the full gambit of technology law issues – from advising clients on major technology transformation programs and large scale technology procurement, through outsourcing and managed services and “as a service” arrangements, to the more run of the mill software licensing and support agreements. Tom also advises on emerging technology areas such as cyber security, artificial intelligence, blockchain and smart contract related advice.

To compliment his “black-letter” law expertise developed in private practice in NZ and the UK, Tom is able to draw on deep commercial acumen following significant in-house experience at Spark NZ (where he was Assistant General Counsel) and at Telefonica O2 in the UK and Ireland.

Tom has been ranked by Chambers & Partners as a leading TMT lawyer since 2013 where sources say “He is a very good communicator, able to articulate what can be a complex concept in a way that is easily understood by various parties.”  The Asia Pacific Legal 500 ranks him a leading individual in TMT, where sources describe Tom as “very client-focused, passionate and proactive.”

Tom Maasland


Corporate and Commercial

P: +64 9 353 9875
M: +64 27 453 6511

Jeremy Muir

Partner - Financial Services

Jeremy is a specialist financial services and investment lawyer. He works with retail and wholesale fund managers (including KiwiSaver and superannuation), trustee companies, derivatives issuers, FinTech (including crowdfunding and peer-to-peer lending platforms), insurers and start-ups.  He is also one of New Zealand’s leading lawyers advising on cryptocurrencies, initial coin offerings (ICOs) and digital tokens – working closely with the Financial Markets Authority and other regulators in relation to the treatment of coins, tokens, schemes and exchanges under New Zealand law.

Jeremy advises on all aspects of the Financial Markets Conduct Act 2013 (FMCA), in particular managed investment schemes and all required licences. He also advises on all other financial services legislation (including financial service provider registration, non-bank deposit takers (NBDTs), insurance prudential supervision, financial advice and broking).

Jeremy enjoys working with alternative assets and structures across private equity, venture capital, hedge funds, property investment vehicles, marinas and innovative platforms and products. He is a limited partnerships expert, having established numerous private equity and venture capital funds, including negotiating with significant cornerstone investors such as the New Zealand Venture Investment Fund (NZVIF), New Zealand Super Fund, ACC and Maori investors.

Jeremy also spent several years working in offshore funds for a major offshore law firm, and is admitted to the bar in both Guernsey and the Cayman Islands.

Jeremy Muir


Financial Services

P: +64 9 353 9819
M: +64 21 625 319

Jennifer Hambleton

Senior Associate - Dispute Resolution and Litigation

Jennifer is a member of our Dispute Resolution team with strong experience on contentious and non-contentious competition and consumer law matters and general commercial litigation.

Her expertise includes competition and consumer law, contract, franchising and corporations law disputes.

Jennifer has extensive experience as a commercial litigator. She has represented commercial and government clients on a number of large complex disputes in the Federal and Supreme Courts in Australia, the Australian Competition Tribunal and the High Court and Court of Appeal in New Zealand. Jennifer has particular expertise acting on competition enforcement actions, consumer law actions, actions for breaches of directors duties, contractual disputes and negligence actions.

Jennifer has advised clients in the technology and telecommunications, insurance, gambling, airline, accommodation, FMCG, grocery, pharmaceuticals and energy industries on a range of commercial issues. This includes advising clients on the implications of commercial terms such as warranties and indemnities, termination rights, restraints of trade and confidentiality, compliance with the Commerce Act, Fair Trading Act and Companies Act and product liability issues.

Jennifer Hambleton

Senior Associate

Dispute Resolution and Litigation

P: +64 9 353 9794
M: +64 27 541 0994

June Hardacre

Senior Associate - Employment

June has broad experience in all aspects of both New Zealand and English employment law. June regularly advises on senior executive appointments and terminations; restraints of trade and protection of confidential information; performance and disciplinary processes; restructuring, redundancy and outsourcing programmes; industrial relations and collective bargaining matters; whistleblowing and protected disclosures; and employee data privacy issues. June has been involved in litigation at all levels of the New Zealand court system, both in relation to substantive disputes and urgent interlocutory matters. June has significant experience in acting for both private and listed companies in the financial services, pharmaceutical and healthcare, and food and beverage sectors.

June recently returned to New Zealand, having practiced at a magic circle firm in London for several years, and at another top tier New Zealand law firm prior to that. During her time in London, June regularly advised leading private equity houses and FTSE100 companies on employment law and regulatory issues.

June Hardacre

Senior Associate


P: +64 9 353 9723
M: +64 21 105 9616

Related Articles