New Zealand’s financial services sector is deficient in protecting customers from internal breaches of personal information, according to New Zealand Privacy Commissioner John Edwards.

Addressing the Insurance Council of New Zealand Conference in Auckland, he warned insurers they face tougher scrutiny when the New Zealand Privacy Act is introduced late next year.

Noting that New Zealand is falling behind other countries in the ways its laws protect private information, he said protecting customers’ privacy “is essential in maintaining their trust – it’s simple but seemingly difficult to do for some”.

“[Insurers] have liability and obligations to customers, shareholders and employees to ensure privacy is protected, but have not been, in particular, good in protecting privacy internally.”

Mr Edwards says there is one simple way for companies to improve their privacy security internally – audit regularly “and ask why”.

Another issue has been over-collection of information, with financial services organisations gathering data they don’t necessarily need.

He says some insurers see a customer’s consent to respond to questions as a right to use the information for any purpose they want. Insurers should “use some common sense” and not see such consent as a “privacy waiver”.

Half of the complaints the Privacy Commission receives are from customers seeking to access information their insurers have gathered about them.

Mr Edwards outlined to the conference key changes the new Act will bring, including stronger mandatory data breach notifications, new offences and increased compliance notices.

“That will give me more power,” he smiled at the delegates, who knew he wasn’t joking.