Recent privacy breaches, such as those concerning ACC, Work and Income and now IRD, had been cited as human error and typically involved information being sent to the wrong people by email.
It was hoped that staff working in any organisation that dealt with personal information would have an appreciation of the importance of keeping that information safe, she said.
"Therefore, changing the law on its own will never be sufficient to prevent breaches of privacy caused by human error.
"Surely, this is as much an issue of how the information is managed, which goes beyond technological aspects and to the heart of any business."
Institutions, both public and private, needed to establish management priorities for information as a business issue and ensure that both their technological and staff processes were such that breaches were kept to an absolute minimum, Ms Peart, a partner with Marks and Worth, said.
One of the main issues must be those organisations' reliance on email and the ability to inadvertently include information, through attachments and forwarded emails, that was never intended to be included.
The way in which information was retained needed to be reviewed so that it was depersonalised as much as possible in the form in which it was recorded. That would help remove the ability of third parties to identify the person to whom the information related, she said.
"Management can also extend to security around information so that unauthorised access is easily detected and formal processes are in place to ensure that clear guidelines are maintained and are complied with."
The extent to which that was a people issue should not be underestimated.
Organisations should ensure staff were appropriately trained to understand the importance of privacy and be able to manage privacy, Ms Peart said.
"It is important that people handling that information are accountable for maintaining privacy as are those ultimately having responsibility for the organisation."
Ms Peart said there had been much public discussion recently about requirements to notify breaches of privacy.
She believed it was an important measure for maintaining accountability - particularly in the public sector where there might be political ramifications from breaches.
However, there needed to be some qualitative assessment of the nature of the breach to ensure the requirement was not unduly onerous, Ms Peart said.