Reserve Bank's First Privacy Act compliance notice successfully closed

RBNZ "did everything right in responding" to the 2020 cyber attack, privacy commissioner says

The Reserve Bank’s first compliance notice, issued in September 2021, has been successfully closed, following the central bank’s response to the December 2020 cyber attack and KPMG’s review of the incident.

“When an agency has had a significant privacy breach, compliance notices are one of our core tools for providing them with a clear roadmap to improving their privacy practices,” Privacy Commissioner Michael Webster said. “In this case, our compliance notice outlined improvements the Reserve Bank needed to make to ensure the safety and security of the personal information in its care, building on the KPMG report. The RBNZ has made every change recommended and more, and we are closing this compliance notice confident that all identified areas of concern have been addressed.”

A compliance notice is issued by the privacy commissioner to organisations or businesses that are in breach of their statutory obligations under the Privacy Act. Refusing to comply with the changes detailed in the notice is an offence under the act.

“This is an important milestone and a credit to all the RBNZ staff and stakeholders who’ve worked together to deliver our business services improvement programme which we started shortly after the data breach incident,” Reserve Bank Governor Adrian Orr said. “At Te Pūtea Matua, we remain committed to our ongoing programme of education and training while continuing to improve our systems and processes supporting the protection and storage of information.”

“The Reserve Bank did everything right in responding to this breach,” Webster said. “They notified us immediately, they worked with us throughout the process, and they have taken on board the improvements we advised through our compliance notice. We’re heartened by their willingness to learn from this situation and the safeguards and continuous improvement processes they have put in place.”