25.09.2020

Privacy Act 2020: new obligations to report privacy breaches

The Privacy Act 2020 creates a new requirement to report serious privacy breaches, as from 1 December 2020. 

What is a privacy breach?

The Act defines a privacy breach, in relation to personal information held by an agency, as “unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information, or an action that prevents the agency from accessing the information on either a temporary or permanent basis”. 

Just to recap, “personal information” is any information held by an agency that is “about an identifiable individual”.  It does not need to be secret, confidential or private information – merely any information that can be identified as being about an individual person. 

How serious does it have to be?

A privacy breach is notifiable if it is reasonable to believe that the breach has caused serious harm to an affected individual or individuals, or is likely to do so. 

A privacy breach can be a confidentiality/integrity breach (i.e. unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of personal information), or it can be an availability breach (something which prevents an entity from accessing personal information on a temporary or permanent basis; like a denial-of-service attack on a website). 

The phrase “reasonable to believe” indicates that the entity must make an objective assessment, from the point of view of a reasonable person in the entity’s position who is properly informed.  This is not intended to be considered from the point of view of an individual whose personal information has been breached; and it must be analysed based on information which is immediately available, or after reasonable inquiries or an assessment of the privacy breach.  The affected individual(s) can be located either inside or outside New Zealand.

The concept of “harm” is well-established under New Zealand privacy law.  It can include:

  • Specific damage (e.g. financial loss, loss of employment, or physical injury);
  • Loss of benefits (e.g. any adverse effects on the individual’s rights, benefits, privileges, obligations or interests);
  • Emotional harm (e.g. significant humiliation, loss of dignity or injury to feelings).

An agency needs to assess whether a privacy breach is likely to cause “serious harm”.  This needs to be considered on a case-by-case basis, taking into account at least the following factors:

  • The nature of the information (whether it is sensitive in nature, for example credit card details, health information or identity documents);
  • Mitigation (whether any action has been taken by the entity to reduce the risk of harm after the breach);
  • Security measures (whether the personal information is protected by a security measure);
  • The recipient (who has obtained, or may obtain in the future, personal information as a result of the breach? The risk of serious harm will likely be greater if personal information has been obtained by people with unknown or malicious intentions);
  • The nature of the harm that could be caused (for example, specific damage, loss of benefits, or emotional harm);
  • Any other relevant factors (for example, how many individuals are affected, how widespread the breach is or how long it has been occurring).

What does an agency have to do in response?

Agencies must notify the Privacy Commissioner “as soon as practicable” after they become aware that a notifiable privacy breach has occurred.  They must also notify any affected individuals, or, if it is not reasonably practicable to notify each member of a group of affected individuals, they must give public notice of the privacy breach.  If public notice is required, the Privacy Regulations 2020 set out how this public notice must be given.

There are limited exceptions to the requirement to notify – essentially, if notification would prejudice New Zealand’s security or defence, or the maintenance of the law, endanger safety, or reveal a trade secret. 

Further exceptions permit an agency not to notify an affected individual if the particular individual is under 16 and the agency believes that notification would be contrary to the person’s interests, or if, after consultation with the person’s health practitioner, the agency believes that notification would be likely to prejudice that individual’s health.

It is also important to note that while most notifications must take place “as soon as practicable”, an agency may delay notifying affected individuals or giving public notice if the agency believes that notification may have risks for the security of personal information held by the agency, and that those risks outweigh the benefits of informing the individuals.  The agency may delay notification only for the period during which the risks continue to outweigh the benefits of notification.  One example where this is important is if a company’s website security systems were hacked, causing a privacy breach, and the attack revealed a more widespread security vulnerability.  The company would likely be permitted to delay notification of the privacy breach while it fixed the vulnerability, especially if premature notification could enable other hackers to exploit the vulnerability.  However, agencies must in all circumstances notify the Privacy Commissioner of a notifiable privacy breach, even if the agency opts to delay notification to the affected individuals.

Points to consider

In the lead-up to the Privacy Act 2020 coming into force, businesses and organisations should be taking steps to ensure that they are able to comply with the new requirements.  These steps might include:

  • Ensuring that all personnel are aware of the new obligations;
  • Updating privacy policies to ensure they comply with the new Act;
  • Developing or reviewing procedures to keep information and data protected; both physically and electronically;
  • Developing clear procedures on how to detect, report and investigate potential data breaches. In particular, ensuring that your organisation has a plan in place to meet the new reporting obligations without delay;
  • Ensuring there are clear internal lines of communication so that all personnel know who they can talk to within your organisation about privacy issues.

If you have any further questions about the new Privacy Act 2020 or how to ensure that your organisation complies, please contact Lydia Sharpe, Alison Maelzer, Julika Wahlmann-Smith or your usual contact at Hesketh Henry.

The information contained in this article is current at the date of publishing and is of a general nature.  It should be used as a guide only and not as a substitute for obtaining legal advice.  Specific legal advice should be sought where required.