The document discusses New Zealand's privacy laws and an accounting firm's responsibilities around protecting client data. It summarizes that the Privacy Act of 1993 governs how agencies collect, use, store and access personal information. As accountants deal with client financial and payroll data, they are responsible under the Act for protecting this personal information. The document outlines 12 information privacy principles around areas like collection, storage, use and disclosure of personal data. It emphasizes that accounting firms must have security measures like encrypted files, backups, secure passwords and staff training to comply with these privacy laws and ensure client data is properly protected. Non-compliance could result in legal claims or reputational damage to professional practices.

1. 30 JULY 2013
BUSINESS
I
n August 2011 the Law Commission
completed its review of privacy
law and made a number of
recommendations.
Recent high profile cases of data
protection breaches highlight the
importance of the government overhauling
the 20-year-old privacy laws. Without new
modern regulation the public are less likely
to have the confidence to take part in the
digital economy.
In March 2012, the government agreed to
many of the Commission’s proposals, but
indicated that further work by the Ministry
of Justice was required on others.
Contrary to popular belief, the Privacy
Act 1993 (the Act) governs data protection
rather than facilitating the right to individual
privacy. The aim of the Act is to promote
and protect individual privacy in accordance
with the data protection guidelines of the
Organisation for Economic Cooperation
and Development, of which New Zealand
is a member.
The Act controls how “agencies” collect,
use, disclose, store and give access to
personally identifiable information (PII). PII
is information that can be used to uniquely
identify, contact, or locate a single person or
can be used with other sources to uniquely
identify a single living individual. By way of
example; a person’s name, Inland Revenue
number and bank account number, to name
a few, clearly classify as PII.
Section two of the Act defines an agency
as any person or body of persons whether
Is your
clients’ data
protected?
A refresher on how you can
uphold your professional
obligations in regards to
privacy.
by Zowie Murray CA
An
accounting
firm is
responsible
for the
personal
information
it holds,
including
information
that has been
transferred
to a third
party for
storage,
custody or
processing
corporate or not and whether in the public
sector or private sector. Therefore, NZICA
members working as accountants who hold
and use their clients’ personal information
unequivocally fall under this definition
and must demonstrate a good working
knowledge of the Act.
The privacy principles
At the heart of the Act are 12 information
privacy principles (IPPs). These
principles reflect internationally accepted
standards for good personal information
handling. The privacy principles
cover the attributes seen in table 1.
Protecting yourself protects clients
It is widely recognised that as an accountant
or auditor, your client holds you in a position
of trust. Not only do you have access to a
whole host of confidential information
regarding their business finances and
business performance, but if you have access
to payroll data too, you will have in-depth
knowledge of their employees’ personal
information.
An accounting firm is responsible for the
personal information it holds, including
information that has been transferred
to a third party for storage, custody or
processing. Therefore accounting firms must
incorporate special provisions into their
IT security strategies in order to provide
effective protection of their client data. The
following questions are to facilitate your
assessment around whether your practice
has the most basic of principles in place to
begin protecting your clients’ data.
1. Are your client files encrypted? Only the
employees handling that particular client
should be granted access to the data.
Other employees should not be able to
access that client file.
2. Do you have a rotational server backup
system in place? There is, of course,
always the possibility that a hard drive
may be defective or that an employee will
accidentally delete data. Taking regular
backups means that any lost data can
always be restored.
3. Do all data storage devices have secure
passwords? A password should be at least
eight characters in length and contain
upper-case and lower-case letters, as

2. 31JULY 2013
well as numbers and special characters.
Storage devices include smart phones,
tablet computers and memory sticks etc.
4. Do you provide regular staff training?
All staff that deal with information, from
databases to personnel records, need to
be aware of the legislation surrounding
data protection.
The education for employees may begin
with seemingly trivial aspects of security
such as: not leaving data storage devices
unattended; always locking your computer
when not at your desk; using a laptop lock
at all times; not leaving your laptop in your
car overnight or taking it into public places
with you; and so on.
Ensure that employees are aware that
they could be liable if they knowingly or
recklessly disclose personal information in
breach of the policy and, as a minimum,
that serious breaches of the policy will be a
disciplinary matter, even if the breach was
accidental.
Employers should consider incorporating
such information in the general induction
process for new employees and regularly
reminding employees of their obligations.
Compliance – the only option
Personal information is private and should
not be divulged unnecessarily. However,
with greater expectations surrounding the
speed of access to information, along with
new social media, people are more likely to
share what used to be considered private
information.
It is vital to the success of your own
business that you assure your clients that
their data is fully protected. You have a
duty of care to your client to maintain high
levels of confidentiality and security, and
the consequences of non-compliance are
significant not only in terms of possible
damages claims but also the harm done to
your professional reputation.
Data protection compliance is not simply
about consent wording in engagement
letters or placing a few policies on your
intranet. Complying with these laws
requires awareness of the data protection
rules amongst your staff and a culture that
encourages secure data handling practices.
Many breaches continue to occur simply
Collection
of personal
information (IPPs
1-4)
An agency can only collect personal
information directly related to its activities
and only by fair means. The collection of this
information should not unreasonably intrude
upon the privacy of the individual concerned.
In most cases, when collecting personal
information an agency must advise an
individual why the information is being
collected; and to whom the information is
normally disclosed.
Reasonable steps are to be taken by an
agency to ensure that personal information
collected is relevant, up-to-date and complete.
The collection of information must not
unreasonably intrude upon the individual’s
personal affairs.
Storage and
security
(IPP 5)
Agencies in possession of personal information
are to ensure that there are reasonable
safeguards to prevent unauthorised access, use,
modification, or disclosure of the information.
Access and
alteration (IPPs
6-7)
Individuals are entitled to access records
containing their personal information and to
request the record keeper to alter those records
if they are inaccurate.
Accuracy (IPP 8)
Reasonable steps are to be taken by agencies to
ensure that any personal information proposed
to be used is accurate, up-to-date and complete.
Retention (IPP 9)
An agency that holds personal information
shall not keep that information for longer than
is required for the purposes for which the
information may lawfully be used.
Use and disclosure
(IPPs 10-11)
In general, an agency must use personal
information only for the purpose for which
it was collected and disclose personal
information only if the individual concerned
has consented to that disclosure.
However, an agency may use or disclose
personal information if it is authorised by law
or if it is necessary for certain types of law
enforcement.
Unique identifiers
(IPP 12)
Unique identifiers must not be assigned
to individuals unless this is necessary for
the organisation concerned to carry out its
functions efficiently.
Table 1
through ignorance. Firms need to be very careful about who they
trust with their clients’ information – getting it wrong could have
significant consequences.
There is still no sign of the government’s new privacy Bill, but
recently, MP Sue Moroney’s private member’s bill (the Privacy
(Giving Privacy Commissioner Necessary Tools) Amendment Bill)
was introduced to the House. Also Justice Minister Judith Collins
said she was expecting an official report and would take a paper
to Cabinet later in the year. So there may be some action by the
government sooner, rather than later, in this area.
Zowie Murray CA is a Technical Advisor in NZICA’s Technical
Services Team.

3. Copyright of Chartered Accountants Journal is the property of Institute of Chartered
Accountants of New Zealand and its content may not be copied or emailed to multiple sites or
posted to a listserv without the copyright holder's express written permission. However, users
may print, download, or email articles for individual use.