Friday, January 09, 2026



Under-protecting privacy

If you've been following the news, you will have seen the enormous Manage My Health shitshow, which has seen the medical records of 127,000 New Zealanders offered up for ransom (with the alternative of sale on the dark web). The information was obtained due to an absurdly basic security failure by the company, suggesting a complete failure of any duty of care for people's sensitive health information. It also seems to be an open-and-shut violation of Information Privacy Principle 5 and/or rule 5 of the Health Information Privacy Code, both of which require information to be protected by "such security safeguards as are reasonable in the circumstances" - but there are no fines for breaching this, and the penalty even for violating a formal compliance notice is a derisory $10,000. The entire regime expects each affected individual to complain to the Privacy Commissioner, who can escalate complaints to the (over-worked and under-resourced) Human Rights Review Tribunal, which can issue damages. In, oh, six or seven years.

And it's not like the Privacy Commissioner can help - they can't do own-motion investigations, and the regime has cut their budget. It's almost like they want our privacy to be violated and our information to be sold.

This isn't good enough. The Privacy Commissioner should be actually able to protect our privacy, rather than merely being an overworked mediator when someone has violated it. And where there has been an egregious failure to follow basic privacy practice like this, then there needs to be a criminal offence, and fines large enough to actually incentivise companies to obey the law, with personal liability for directors. Manage My Health didn't give a shit about the people whose information it was "safeguarding", because a $10,000 fine for not caring was just a cost of business. And the Facebooks and X's of this world won't give a shit either. If we start having fines in the millions, or charged as a percentage of global revenue (European-style), then maybe they will start obeying.