Privacy Commissioner's Advice: Strengthening Cybersecurity with Two-Factor Authentication

11 June, 2023

Privacy Commissioner's Advice: Strengthening Cybersecurity with Two-Factor Authentication

What you need to know

New Zealand's Deputy Privacy Commissioner urges organisations to implement two-factor authentication (2FA) as a basic cybersecurity measure, warning that not doing so may result in breaches of the Privacy Act.

In the modern landscape where digital technologies have permeated into almost every aspect of our daily lives, including education, safeguarding sensitive data is of utmost importance. Recently, a strong directive regarding cybersecurity has come from New Zealand's Deputy Privacy Commissioner, Liz MacPherson. She underscores the necessity of a safety measure known as 'two-factor authentication' (2FA) in maintaining the security of digital systems.

Two-Factor Authentication in MacPherson's Words

Two-factor authentication is a security procedure that asks users for two different identifying elements when logging in to a digital system. This could be a password or PIN, followed by a unique code sent to a mobile device or email. It's a significant step up in security as it adds a second layer of defense against unauthorized access.

Highlighting the importance of this protocol, Deputy Privacy Commissioner Liz MacPherson explicitly states:

“Two-factor authentication is a bare minimum we would expect for small businesses or organisations that hold or share personal information digitally. If you are a small business that has a cyber-related privacy breach and don’t have at least two-factor authentication in place, expect to be found in breach of the Privacy Act.”

What This Means for Schools

MacPherson's emphasis on 2FA as a "bare minimum" standard of data security highlights the significance of this measure in today's increasingly digitized world. Her statement underlines that schools, similar to small businesses, are expected to protect sensitive data in their digital systems by using 2FA at the very least.

The message here is clear: failure to take this essential precaution could result in a breach of the Privacy Act, especially in the event of a cyber-related privacy breach. By using 2FA, schools can significantly mitigate the risk of a security breach and demonstrate that they are taking "reasonable" measures to protect sensitive data.


Schools hold a great deal of sensitive data, making them potential targets for cyber threats. Adhering to the Deputy Privacy Commissioner's advice and implementing two-factor authentication is a practical step to enhance cybersecurity. It is a clear demonstration of a school's commitment to protecting its community's personal information. The advice from the Office of the Privacy Commissioner sends a strong message: taking appropriate security measures is not just about compliance, it's about maintaining the trust of students, parents, and staff.