What is a privacy breach?
The Act defines a privacy breach, in relation to personal information held by an agency, as “unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information, or an action that prevents the agency from accessing the information on either a temporary or permanent basis”.
Just to recap, “personal information” is any information held by an agency that is “about an identifiable individual”. It does not need to be secret, confidential or private; any information that can be linked to an identifiable person qualifies, however mundane it appears.
How serious does it have to be?
A privacy breach is notifiable if it is reasonable to believe that the breach has caused serious harm to an affected individual or individuals, or is likely to do so.
A privacy breach can be a confidentiality or integrity breach (unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of personal information), or it can be an availability breach (something which prevents the agency from accessing personal information on a temporary or permanent basis; for example, a ransomware attack that encrypts the agency’s records, or a denial-of-service attack that takes down the system holding them).
The phrase “reasonable to believe” indicates that the agency must make an objective assessment, from the point of view of a reasonable person in the agency’s position who is properly informed. It is not assessed from the point of view of the individual whose personal information has been breached, and it must be based on the information immediately available, or on what the agency learns after reasonable inquiries or an assessment of the privacy breach. The affected individual(s) can be located either inside or outside New Zealand.
The concept of “harm” is well-established under New Zealand privacy law. It can include:
- Specific damage (e.g. financial loss, loss of employment, or physical injury);
- Loss of benefits (i.e. any adverse effect on the individual’s rights, benefits, privileges, obligations or interests);
- Emotional harm (e.g. significant humiliation, loss of dignity or injury to feelings).
An agency needs to assess whether a privacy breach is likely to cause “serious harm”. This needs to be considered on a case-by-case basis, taking into account at least the following factors:
- The nature of the information (whether it is sensitive in nature, for example credit card details, health information or identity documents);
- Mitigation (whether any action has been taken by the entity to reduce the risk of harm after the breach);
- Security measures (whether the personal information is protected by a security measure, for example strong encryption where the decryption key has not itself been compromised, so that whoever obtained the data cannot actually read it);
- The recipient (who has obtained, or may obtain in the future, personal information as a result of the breach? The risk of serious harm will likely be greater if personal information has been obtained by people with unknown or malicious intentions);
- The nature of the harm that could be caused (for example, specific damage, loss of benefits, or emotional harm);
- Any other relevant factors (for example, how many individuals are affected, how widespread the breach is or how long it has been occurring).
What does an agency have to do in response?
Agencies must notify the Privacy Commissioner “as soon as practicable” after they become aware that a notifiable privacy breach has occurred. They must also notify any affected individuals, or, if it is not reasonably practicable to notify each member of a group of affected individuals, they must give public notice of the privacy breach. If public notice is required, the Privacy Regulations 2020 set out how this public notice must be given.
There are limited exceptions to the requirement to notify – essentially, if notification would prejudice New Zealand’s security or defence, or the maintenance of the law, endanger safety, or reveal a trade secret.
Further exceptions permit an agency not to notify an affected individual if the particular individual is under 16 and the agency believes that notification would be contrary to the person’s interests, or if, after consultation with the person’s health practitioner, the agency believes that notification would be likely to prejudice that individual’s health.
It is also important to note that while most notifications must take place “as soon as practicable”, an agency may delay notifying affected individuals or giving public notice if it believes that notification may create risks for the security of personal information held by the agency, and that those risks outweigh the benefits of informing the individuals. The agency may delay notification only for the period during which the risks continue to outweigh the benefits. One example where this matters is a company whose website is compromised, causing a privacy breach, where the investigation reveals a more widespread security vulnerability that has not yet been fixed. The company would likely be permitted to delay notifying affected individuals while it remediated the vulnerability, especially if a premature public notification would tip off other attackers and allow them to exploit the same weakness before the fix was in place. However, this delay applies only to affected individuals and public notice: agencies must in all circumstances notify the Privacy Commissioner of a notifiable privacy breach as soon as practicable, even if they opt to delay notifying the affected individuals.
Points to consider
In the lead-up to the Privacy Act 2020 coming into force, businesses and organisations should be taking steps to ensure that they are able to comply with the new requirements. These steps might include:
- Ensuring that all personnel are aware of the new obligations;
- Updating privacy policies to ensure they comply with the new Act;
- Developing or reviewing procedures to keep information and data protected, both physically and electronically;
- Developing clear procedures on how to detect, report and investigate potential data breaches. In particular, ensuring that your organisation has a plan in place to meet the new reporting obligations without delay;
- Ensuring there are clear internal lines of communication so that all personnel know who they can talk to within your organisation about privacy issues.
If you have any further questions about the new Privacy Act 2020 or how to ensure that your organisation complies, please contact Lydia Sharpe, Alison Maelzer, Julika Wahlmann-Smith or your usual contact at Hesketh Henry.
The information contained in this article is current at the date of publishing and is of a general nature. It should be used as a guide only and not as a substitute for obtaining legal advice. Specific legal advice should be sought where required.