Privacy Commissioner wants more power to fine agencies that don't protect people's data
Thursday, 4 June 2026
The Privacy Commissioner says the law needs to change to make it possible to fine agencies for failing to protect people's sensitive data.
A report by the commissioner, published last week, found Health NZ and patient portal Manage My Health (MMH) 'failed in their responsibilities' to have adequate security controls when hundreds of thousands of medical files were stolen in a cyber attack.
Michael Webster said New Zealand's privacy laws were 'somewhat out of step' with those overseas.
He told RNZ he would like to see changes to the Privacy Act, which would be done through the Ministry of Justice and the Justice Minister, to better hold agencies accountable.
Processes to change laws 'always take time', he said. 'But we are certainly constantly encouraging and advocating for … change.'
A spokesperson for Justice Minister Paul Goldsmith told RNZ the minister had received the commissioner's report and would be taking it into consideration.
Who is liable for the Manage My Health hack?
Webster explained that, under current law, third-party providers (such as MMH) were not held liable or fined if data was lost or stolen.
Instead, the responsibility fell on whoever had commissioned their services - in this case, Health NZ.
'What did [they] do to ensure that [their] third party provider had good systems in place? Did [they] do any due diligence? Did [they] check the quality of their systems? Did [they] enter into contractual arrangements that forced [the third party] to take steps to ensure the information was held securely?'
In this case, general practitioners, who also loaded patient information into Manage My Health, were not found liable - and the commissioner noted that small providers had limited capability to vet systems like this.
Webster said his strongest tool under current law was to issue compliance notices to the companies involved - effectively legal directions forcing an agency to comply with the law.
He said his office was still drafting those compliance notices in this case.
If a company ignored a compliance notice, the commissioner could take it to the Human Rights Review Tribunal to have the notice enforced, and if that did not work, fines could then be handed out.
In this case, the fine would be for non-compliance with an order - not, as is possible in many places overseas, for the original failure to protect the data.
'In a lot of other countries,' Webster said, 'there is the ability to seek financial penalties for those agencies that have, through their actions, led to significant breaches of individuals' privacy or have been particularly lax or deliberately not investing, for example, in hardening and strengthening their systems.
'So this would be in line with law overseas. In fact, we're somewhat out of step.'
How will the privacy commissioner make sure those responsible are making changes?
Webster explained he could monitor the progress of Manage My Health and Health NZ in a couple of ways - first, by asking for regular updates, and through documents and reports.
He said Manage My Health had already addressed a number of issues. 'But I need to be able to assure New Zealanders that actually, that's not just being said, that things have actually changed.'
Manage My Health has already acknowledged the seriousness of the incident, and apologised for causing distress and concern.
In a statement responding to the commissioner's report, the company said it had made a number of security and operational improvements since the hack, including introducing mandatory multi-factor authentication, improving real-time monitoring and alerting capabilities, and doing more independent security testing across the platform.
'We are continuing to work constructively with regulators and sector partners to demonstrate that our controls are in place and operating effectively,' it said.
Ongoing dark web monitoring was also in place, it said, supported by High Court injunctions to restrict further distribution of the stolen data.