25.09.2020

Privacy Act 2020: new obligations to report privacy breaches

The Privacy Act 2020 creates a new requirement to report serious privacy breaches, as from 1 December 2020. 

What is a privacy breach?

The Act defines a privacy breach, in relation to personal information held by an agency, as “unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information, or an action that prevents the agency from accessing the information on either a temporary or permanent basis”. 

Just to recap, “personal information” is any information held by an agency that is “about an identifiable individual”.  It does not need to be secret, confidential or private; any information that can be identified as being about an individual person qualifies. 

How serious does it have to be?

A privacy breach is notifiable if it is reasonable to believe that the breach has caused serious harm to an affected individual or individuals, or is likely to do so. 

A privacy breach can be a confidentiality or integrity breach (i.e. unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of personal information), or it can be an availability breach (something which prevents an agency from accessing personal information on a temporary or permanent basis; for example a ransomware infection or a denial-of-service attack that locks the agency out of the systems holding the information). 

The phrase “reasonable to believe” indicates that the agency must make an objective assessment, from the point of view of a reasonable person in the agency’s position who is properly informed.  The assessment is not made from the point of view of an individual whose personal information has been breached; and it must be based on information which is immediately available, or on what becomes available after reasonable inquiries or an assessment of the privacy breach.  The affected individual(s) can be located either inside or outside New Zealand.

The concept of “harm” is well-established under New Zealand privacy law.  It can include:

  • Specific damage (e.g. financial loss, loss of employment, or physical injury);
  • Loss of benefits (i.e. any adverse effects on the individual’s rights, benefits, privileges, obligations or interests);
  • Emotional harm (i.e. significant humiliation, loss of dignity or injury to feelings).

An agency needs to assess whether a privacy breach is likely to cause “serious harm”.  This needs to be considered on a case-by-case basis, taking into account at least the following factors:

  • The nature of the information (whether it is sensitive in nature, for example credit card details, health information or identity documents);
  • Mitigation (whether any action has been taken by the agency to reduce the risk of harm after the breach);
  • Security measures (whether the personal information is protected by a security measure, for example strong encryption where the decryption key was not also exposed);
  • The recipient (who has obtained, or may obtain in the future, personal information as a result of the breach? The risk of serious harm will likely be greater if personal information has been obtained by people with unknown or malicious intentions);
  • The nature of the harm that could be caused (for example, specific damage, loss of benefits, or emotional harm);
  • Any other relevant factors (for example, how many individuals are affected, how widespread the breach is or how long it has been occurring).

What does an agency have to do in response?

Agencies must notify the Privacy Commissioner “as soon as practicable” after they become aware that a notifiable privacy breach has occurred.  They must also notify any affected individuals, or, if it is not reasonably practicable to notify each member of a group of affected individuals, they must give public notice of the privacy breach.  If public notice is required, the Privacy Regulations 2020 set out how this public notice must be given.

There are limited exceptions to the requirement to notify – essentially, if notification would prejudice New Zealand’s security or defence, or the maintenance of the law, endanger safety, or reveal a trade secret. 

Further exceptions permit an agency not to notify an affected individual if the particular individual is under 16 and the agency believes that notification would be contrary to the person’s interests, or if, after consultation with the person’s health practitioner, the agency believes that notification would be likely to prejudice that individual’s health.

It is also important to note that while most notifications must take place “as soon as practicable”, an agency may delay notifying affected individuals or giving public notice if it believes that notification may have risks for the security of personal information held by the agency, and that those risks outweigh the benefits of informing the individuals.  The agency may delay notification only for the period during which the risks continue to outweigh the benefits.  One example where this matters is where an attacker compromises a company’s website, causing a privacy breach, and the investigation reveals a more widespread security vulnerability.  The company would likely be permitted to delay notification while it fixed the vulnerability, particularly if premature notification could enable other attackers to exploit it before the fix was in place.  However, agencies must in all circumstances notify the Privacy Commissioner of a notifiable privacy breach, even if they opt to delay notification to the affected individuals.

Points to consider

In the lead-up to the Privacy Act 2020 coming into force, businesses and organisations should be taking steps to ensure that they are able to comply with the new requirements.  These steps might include:

  • Ensuring that all personnel are aware of the new obligations;
  • Updating privacy policies to ensure they comply with the new Act;
  • Developing or reviewing procedures to keep information and data protected, both physically and electronically;
  • Developing clear procedures on how to detect, report and investigate potential data breaches. In particular, ensuring that your organisation has a plan in place to meet the new reporting obligations without delay;
  • Ensuring there are clear internal lines of communication so that all personnel know who they can talk to within your organisation about privacy issues.

If you have any further questions about the new Privacy Act 2020 or how to ensure that your organisation complies, please contact Lydia Sharpe, Alison Maelzer, Julika Wahlmann-Smith or your usual contact at Hesketh Henry.


The information contained in this article is current at the date of publishing and is of a general nature.  It should be used as a guide only and not as a substitute for obtaining legal advice.  Specific legal advice should be sought where required.
