Legislation leads to greater transparency

Reports of privacy breaches have doubled following the introduction of the Privacy Act 2020.

Part 6 of the Privacy Act 2020 introduced a mandatory obligation to report privacy breaches to the Privacy Commissioner and the affected individual(s) where the breach is likely to cause serious harm. Failing to report these breaches is a criminal offence, with potential liability up to $10,000 (NZD) for offending. As a result of this obligation, reports of serious privacy breaches have doubled since the Privacy Act came into effect on 1 December 2020.

Only those breaches that are likely to cause serious harm must be reported. The Privacy Act outlines that in considering serious harm you should look at;

• action taken by the agency to reduce the harm;
• whether the personal information is sensitive;
• the nature of the harm that may be caused to the affected individual;
• whether an organisation or person has obtained personal information from the breach;
• whether the personal information is protected by security measures;
• and any other factors that your organisation thinks may mitigate or aggravate the risk of harm.

More than half of the breaches reported to the Office of the Privacy Commission (OPC) involved emotional harm and approximately one third involved the risk of identity theft or emotional harm. The OPC has outlined that organisations are being proactive in reporting serious breaches with over 50% being reported within 5 days of the breach, and 65% of organisations notifying individuals of the breach at the same time as notifying the Privacy Office.

At the In-house Lawyers Association of New Zealand (ILANZ) conference last week, the Privacy Commissioner, John Edwards, highlighted that the penalties associated with failing to notify the Privacy commissioner of a breach seems to have motivated people to over-report breaches, including some that may not have been necessary. Mr Edwards, suggested agencies should consider whether in some cases informing individuals of a potential privacy breach may distress those individuals, causing them more harm than good, if there is no real risk of onward transmission or misuse of their personal information.

What does this mean?

Mandatory requirements within the Privacy Act have had a direct impact on these statistics. Training and education during the past 6 months by the Privacy Commission to raise awareness has also contributed to the increase.

Whilst the number of significant breaches may be skewed by over-reporting, increased reporting illustrates that more New Zealand organisations are taking privacy matters and their obligations seriously. Increased media attention (such as the prevalence of articles related to the security of personal information in the COVID-tracing app) also means businesses can’t pretend they’re unaware of their legal obligations or afford not to respond to customer queries or concerns. Like their European counterparts under GDPR, New Zealand consumers are becoming increasingly curious and cautious about how their personal information is treated.

Taking these elements together, the drastic increase in privacy breach reporting in the past six months shouldn’t come as a surprise, but that doesn’t make it less nerve-wracking if you are facing an incident.

What should you do if you have a potential privacy breach?

1) Take a breath.
2) Pause and consider whether there is real risk of serious harm.
3) Consider the spread of the breach and the risk of personal information being accessed. For example;

• Has the email only been sent to one person and you have retrieved it or had them delete it before they have opened it?
• Was the personal information securely locked or encrypted meaning the person who accidentally received it can't access it?
• Did the email sent to the wrong person really contain personal information?

4) Communicate with your internal team about managing this breach and what action can be taken to mitigate the risk of serious harm.
5) Triage and develop the best way to manage the breach and consider the potential risk of serious harm.
6) If you feel that there is a genuine risk of serious harm from the breach, notify the OPC using its NotifyUs tool , and the affected individual as soon as possible.

Useful Resources

• Click here for the article by the Privacy on the reporting statistics.
• Check out useful resources on OPC's eLearning site.
• Click here for more on the Privacy Act.
• Click here to read more from Andrew Dentice on Modernising the Act.

If you and your organisation would like help on ensuring that your privacy policy is up to date or if you have any privacy related queries, get in touch.