25.09.2020

Privacy Act 2020: new obligations to report privacy breaches

The Privacy Act 2020 creates a new requirement to report serious privacy breaches, as from 1 December 2020. 

What is a privacy breach?

The Act defines a privacy breach, in relation to personal information held by an agency, as “unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information, or an action that prevents the agency from accessing the information on either a temporary or permanent basis”. 

Just to recap, “personal information” is any information held by an agency that is “about an identifiable individual”.  It does not need to be secret, confidential or private information – merely any information that can be identified as being about an individual person. 

How serious does it have to be?

A privacy breach is notifiable if it is reasonable to believe that the breach has caused serious harm to an affected individual or individuals, or is likely to do so. 

A privacy breach can be a confidentiality/integrity breach (i.e. unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of personal information), or it can be an availability breach (something which prevents an entity from accessing personal information on a temporary or permanent basis; like a denial-of-service attack on a website). 

The phrase “reasonable to believe” indicates that the entity must make an objective assessment, from the point of view of a reasonable person in the entity’s position who is properly informed.  This is not intended to be considered from the point of view of an individual whose personal information has been breached; and it must be analysed based on information which is immediately available, or after reasonable inquiries or an assessment of the privacy breach.  The affected individual(s) can be located either inside or outside New Zealand.

The concept of “harm” is well-established under New Zealand privacy law.  It can include:

  • Specific damage (e.g. financial loss, loss of employment, or physical injury);
  • Loss of benefits (i.e. any adverse effects on the individual’s rights, benefits, privileges, obligations or interests);
  • Emotional harm (i.e. significant humiliation, loss of dignity or injury to feelings).

An agency needs to assess whether a privacy breach is likely to cause “serious harm”.  This needs to be considered on a case-by-case basis, taking into account at least the following factors:

  • The nature of the information (whether it is sensitive in nature, for example credit card details, health information or identity documents);
  • Mitigation (whether any action has been taken by the entity to reduce the risk of harm after the breach);
  • Security measures (whether the personal information is protected by a security measure);
  • The recipient (who has obtained, or may obtain in the future, personal information as a result of the breach? The risk of serious harm will likely be greater if personal information has been obtained by people with unknown or malicious intentions);
  • The nature of the harm that could be caused (for example, specific damage, loss of benefits, or emotional harm);
  • Any other relevant factors (for example, how many individuals are affected, how widespread the breach is or how long it has been occurring).

What does an agency have to do in response?

Agencies must notify the Privacy Commissioner “as soon as practicable” after they become aware that a notifiable privacy breach has occurred.  They must also notify any affected individuals, or, if it is not reasonably practicable to notify each member of a group of affected individuals, they must give public notice of the privacy breach.  If public notice is required, the Privacy Regulations 2020 set out how this public notice must be given.

There are limited exceptions to the requirement to notify – essentially, if notification would prejudice New Zealand’s security or defence, or the maintenance of the law, endanger safety, or reveal a trade secret. 

Further exceptions permit an agency not to notify an affected individual if the particular individual is under 16 and the agency believes that notification would be contrary to the person’s interests, or if, after consultation with the person’s health practitioner, the agency believes that notification would be likely to prejudice that individual’s health.

It is also important to note that while most notifications must take place “as soon as practicable”, an agency may delay notifying affected individuals or giving public notice if the agency believes that notification may have risks for the security of personal information held by the agency, and that those risks outweigh the benefits of informing the individuals.  The agency may delay notification only for the period during which the risks continue to outweigh the benefits of notification.  One example where this is important is if a company’s website security systems were hacked, causing a privacy breach, and the attack revealed a more widespread security vulnerability.  The company would likely be permitted to delay notification of the privacy breach while it fixed the vulnerability, especially if premature notification could enable other hackers to exploit the vulnerability.  However, agencies must in all circumstances notify the Privacy Commissioner of a notifiable privacy breach, even if the agency opts to delay notification to the affected individuals.

Points to consider

In the lead-up to the Privacy Act 2020 coming into force, businesses and organisations should be taking steps to ensure that they are able to comply with the new requirements.  These steps might include:

  • Ensuring that all personnel are aware of the new obligations;
  • Updating privacy policies to ensure they comply with the new Act;
  • Developing or reviewing procedures to keep information and data protected, both physically and electronically;
  • Developing clear procedures on how to detect, report and investigate potential data breaches. In particular, ensuring that your organisation has a plan in place to meet the new reporting obligations without delay;
  • Ensuring there are clear internal lines of communication so that all personnel know who they can talk to within your organisation about privacy issues.

If you have any further questions about the new Privacy Act 2020 or how to ensure that your organisation complies, please contact Lydia Sharpe, Alison Maelzer, Julika Wahlmann-Smith or your usual contact at Hesketh Henry.

The information contained in this article is current at the date of publishing and is of a general nature.  It should be used as a guide only and not as a substitute for obtaining legal advice.  Specific legal advice should be sought where required.

 

 

 
