The Office of the Privacy Commissioner (OPC) has recently been warning individual organisations about specific privacy breaches that have been raised with the OPC.

Mandatory reporting of notifiable privacy breaches

The Privacy Act 2020 took effect on 1 December 2020 and the law has changed. It is now mandatory to report a “notifiable” privacy breach to the OPC as soon as practicable. A notifiable breach is any breach with a likelihood of serious harm.

Guidance from the OPC indicates that reporting should take place within 72 hours of the breach occurring, unless there is a good excuse for delay. 

The OPC has also indicated that organisations notifying them should do so as information comes to light, even if that means reporting piece by piece, rather than delaying until more information is available or until the matter is resolved. Notification delays can increase the serious consequences of privacy breaches, resulting in even more harm to the affected individual or individuals.

Consequences

The Privacy Commissioner has the power to fine up to $10,000 for failing to notify the OPC of a privacy breach. There are also other fine and enforcement powers available to the Commissioner.

Privacy breaches can have other significant consequences, including reputational damage (as a breach can seriously damage an organisation’s “brand”) and financial costs in addition to fines, such as loss of revenue.

Recent examples

The OPC has provided three specific examples where organisations were warned for taking too long to report privacy breaches.

  • A former employee of “Organisation A” had been using personal information obtained during their employment to tell customers about their new business. The organisation had a legal responsibility to notify the OPC as this was a serious privacy breach.
  • “Organisation B” sent letters containing sensitive information to some of its clients and discovered that many of the letters had been sent to outdated addresses. During the organisation’s investigation of the situation, it notified the OPC but this was not until three months after the breach had occurred.
  • “Organisation C” did not notify the OPC of a serious privacy breach until two months after it had been identified, despite its internal policies requiring that the OPC be notified as soon as possible. The OPC advised that the breach should have been reported as soon as it was identified, and that waiting until it was resolved was unnecessary.

In all three cases, the OPC did not prosecute, but made recommendations and advised the organisations that further action, including prosecution, might be taken if similar complaints were received in the future. It is likely that the OPC will take an increasingly strong approach to failures to notify privacy breaches, now that organisations have had time to get to grips with the new legislation.

If you think your organisation has experienced, or is experiencing, a privacy breach, you should seek urgent advice from a privacy professional. 

If you are unsure of your business or organisation’s obligations under the new Privacy Act 2020, an experienced privacy professional will be able to provide you with tailored advice to ensure that your policies and processes are robust, to best avoid privacy breaches.