In an increasingly online world we are sharing and disclosing more and more online and that information is being held digitally. There are frequent examples in the news of leaks and data breaches. This article looks at this issue in detail and examines what the legal requirements are in this area. Understanding what to do when there are data breaches is vital in these times when it is an increasingly common event.
So you’ve had a Data Breach. What are you legally required to do?
On 1 December 2020, the new Privacy Act came into force. One of the significant changes is the requirement to report serious breaches to the Privacy Commissioner and the affected individuals.
What is a privacy breach?
A privacy breach is defined as:
- unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, the personal information; or
- an action that prevents the agency from accessing the information on either a temporary or permanent basis.
When do I have to report a privacy breach?
A privacy breach becomes notifiable when it is reasonable to believe that the breach has caused serious harm to those affected, or is likely to do so.
How do I assess whether a privacy breach will cause serious harm?
When assessing the seriousness of a privacy breach, you will need to consider the following:
- any action you have taken to reduce the risk of harm following the breach;
• whether the personal information is sensitive in nature (e.g. financial/health information);
• the nature of the harm that may be caused to affected individuals;
• who obtained or may obtain personal information as a result of the breach (if known);
• whether the personal information is protected by a security measure (e.g. was the information encrypted?); and
• any other relevant matters.
How do I report the privacy breach?
As soon as practicable after becoming aware of the privacy breach, you must notify the Privacy Commissioner. You can do so at the Privacy Commissioner’s ‘NotifyUs’ page here.
You must also notify the affected individuals as soon as practicable after becoming aware, unless an exception applies.
What are the Exceptions?
You do not need to disclose the breach if disclosure would prejudice the security or defence of New Zealand, prejudice maintenance of the law, endanger the safety of a person or reveal a trade secret.
You may delay notification if you believe disclosure would risk the security of the personal information and those risks outweigh the benefits of informing the affected individuals. As soon as the grounds for delay no longer pose a risk, you must inform the affected individuals of the breach.
Even if you rely on an exception, you must always notify the Privacy Commissioners of the breach as soon as practicable.
What happens if I don’t comply?
Failure to notify the Privacy Commissioner of a notifiable privacy breach may result in a fine of up to $10,000 or the issue of a public compliance notice.
How can I prepare?
You should use this opportunity to make sure your privacy policy will comply with the Act. You should also consider the following:
- Make sure you have internal procedures in place to deal with how you become aware of a privacy breach;
- Assess the personal information you hold, the reason you collect it, where it is stored and who has access to it;
- Make sure your staff are aware of the new requirements.
This article is not a substitute for legal advice and you should contact your lawyer about your specific situation. If you think your privacy policy is insufficient (or non-existent!), we would strongly encourage you to get in touch with us. Contact Steven Moe at stevenMoe@parryfield.com
