When the new Privacy Act came into force on 1 December 2020, it became mandatory for “notifiable” privacy breaches to be reported to the Privacy Commissioner by the business or organisation involved (defined as an “agency” in the new Act).  Under the previous privacy legislation, reporting of privacy breaches was encouraged but not compulsory.

What is a privacy breach?

In relation to personal information, a privacy breach is:

  1. the unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
  2. an action that prevents the agency from accessing the information on either a temporary or permanent basis.

The first meaning above is what is commonly understood to be a privacy breach. This includes incidents such as unauthorised access to a computer system, losing devices such as laptops or USBs that contain personal information, or accidentally disclosing personal information to the wrong person.

The second meaning encompasses incidents such as ransomware attacks. This form of cyberattack has become increasingly common in recent years. 

In a ransomware attack, an outside party (a hacker) gains access to systems or databases, and either locks the users out or encrypts their files. Often the hacker will subsequently demand a financial payment in return for restoring access or providing a key to decrypt files.

There have been several incidents where businesses have refused to make payment of the ransom, and then sensitive information has been deleted or released to the public.

When is a breach notifiable?

A privacy breach is notifiable when it is reasonable to believe the breach has caused, or is likely to cause, serious harm to the affected individual(s).

The Act provides several factors that an agency must consider when deciding if a breach is notifiable:

  • any action taken by the agency to reduce the risk of harm following the breach;
  • whether the personal information is sensitive in nature;
  • the nature of the harm that may be caused to affected individuals;
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known);
  • whether the personal information is protected by a security measure; and
  • any other relevant matters.

A privacy breach is notifiable when it is reasonable to believe the breach has, or is likely to cause, serious harm. If or when the belief is “reasonable” is a matter for the business or organisation involved to determine.

Businesses and organisations dealing with personal information need to understand that a failure to notify the Privacy Commissioner of a notifiable breach, where there was a reasonable belief that it had or was likely to cause serious harm, is an offence punishable with a fine of up to $10,000.  It can also have further consequences in terms of action taken by the affected individual, investigation in the Human Rights Review Tribunal, and potentially major reputational damage.

Who must a notifiable privacy breach be reported to?

If a privacy breach is notifiable, it must be reported to the Privacy Commissioner and the affected individual must be informed. The agency must notify the affected individual as soon as reasonably practicable after becoming aware that a notifiable breach has occurred (unless an exception applies, for example to avoid prejudicing the security and defence of New Zealand or so as not to endanger any person).

The Act provides a detailed list of requirements that must be included in a notification to the Commissioner or affected individual. 

Notifying the Privacy Commissioner

A notification to the Privacy Commissioner from an agency must—

a)    describe the privacy breach, including—

                      i.        the number of affected individuals (if known); and

                     ii.        the identity of any person or body that the organisation suspects may be in possession of personal information as a result of the privacy breach (if known);

b)    explain the steps that the agency has taken or intends to take in response to the privacy breach, including whether any affected individual has been or will be contacted;

c)    if the agency is intending to give public notice of the breach, set out the reasons justifying that action (this can only be done in special circumstances set out in the Act);

d)    if the agency is relying on an exception, or is delaying notifying an affected individual or giving public notice, state the exception relied on and set out the reasons for relying on it, or state the reasons why a delay is needed and the expected period of delay;

e)    state the names, or give a general description, of any other agencies that the organisation has contacted about the privacy breach and the reasons for having done so; and

f)     give details of a contact person within the organisation for inquiries.

Notifying the affected individual/s

A notification to an affected individual or a representative must—

a)    describe the notifiable privacy breach and state whether the organisation has or has not identified any person or body that the agency suspects may be in possession of the affected individual’s personal information (but, must not include any particulars that could identify that person or body, unless certain exceptions apply);

b)    explain the steps taken or intended to be taken by the organisation in response to the privacy breach;

c)    where practicable, set out the steps the affected individual may wish to take to mitigate or avoid potential loss or harm (if any);

d)    confirm that the Privacy Commissioner has been notified;

e)    state that the individual has the right to make a complaint to the Privacy Commissioner; and

f)     give details of a contact person within the organisation for inquiries.

A notification to an affected individual may identify a person or body that has obtained or may obtain that affected individual’s personal information (where the identity is known) if the organisation believes on reasonable grounds that identification is necessary to prevent or lessen a serious threat to the life or health of the affected individual or another individual.

A notification to an affected individual must not include any particulars about any other affected individuals.

Notification must be made as soon as practicable, but may be provided incrementally, provided it is done as soon as practicable.

Mandatory breach reporting is a new process for many businesses and organisations. It is important that all businesses and organisations understand, and have a plan in place for, how to respond to potential privacy breaches, otherwise they could face expensive fines and serious reputational consequences. 

It is timely for businesses and organisations to review their internal policies for ensuring privacy compliance, and make sure staff are trained on how to identify and respond to a potential privacy breach.  Legal advisors with expertise in this area will be able to provide tailored advice to suit your business or organisation’s circumstances.

Leading law firms committed to helping clients cost-effectively will have a range of fixed-price Initial Consultations to suit most people’s needs in quickly learning what their options are.  At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.