25.09.2020

Privacy Act 2020: new obligations to report privacy breaches

The Privacy Act 2020 creates a new requirement to report serious privacy breaches, as from 1 December 2020. 

What is a privacy breach?

The Act defines a privacy breach, in relation to personal information held by an agency, as “unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information, or an action that prevents the agency from accessing the information on either a temporary or permanent basis”. 

Just to recap, “personal information” is any information held by an agency that is “about an identifiable individual”.  It does not need to be secret, confidential or private information – merely any information that can be identified as being about an individual person. 

How serious does it have to be?

A privacy breach is notifiable if it is reasonable to believe that the breach has caused serious harm to an affected individual or individuals, or is likely to do so. 

A privacy breach can be a confidentiality/integrity breach (i.e. unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of personal information), or it can be an availability breach (something which prevents an entity from accessing personal information on a temporary or permanent basis; like a denial-of-service attack on a website). 

The phrase “reasonable to believe” indicates that the entity must make an objective assessment, from the point of view of a reasonable person in the entity’s position who is properly informed.  This is not intended to be considered from the point of view of an individual whose personal information has been breached; and it must be analysed based on information which is immediately available, or after reasonable inquiries or an assessment of the privacy breach.  The affected individual(s) can be located either inside or outside New Zealand.

The concept of “harm” is well-established under New Zealand privacy law.  It can include:

  • Specific damage (i.e. financial loss, loss of employment, or physical injury);
  • Loss of benefits (i.e. any adverse effects on the individual’s rights, benefits, privileges, obligations or interests);
  • Emotional harm (i.e. significant humiliation, loss of dignity or injury to feelings).

An agency needs to assess whether a privacy breach is likely to cause “serious harm”.  This needs to be considered on a case-by-case basis, taking into account at least the following factors:

  • The nature of the information (whether it is sensitive in nature, for example credit card details, health information or identity documents);
  • Mitigation (whether any action has been taken by the entity to reduce the risk of harm after the breach);
  • Security measures (whether the personal information is protected by a security measure);
  • The recipient (who has obtained, or may obtain in the future, personal information as a result of the breach? The risk of serious harm will likely be greater if personal information has been obtained by people with unknown or malicious intentions);
  • The nature of the harm that could be caused (for example, specific damage, loss of benefits, or emotional harm);
  • Any other relevant factors (for example, how many individuals are affected, how widespread the breach is or how long it has been occurring).

What does an agency have to do in response?

Agencies must notify the Privacy Commissioner “as soon as practicable” after they become aware that a notifiable privacy breach has occurred.  They must also notify any affected individuals, or, if it is not reasonably practicable to notify each member of a group of affected individuals, they must give public notice of the privacy breach.  If public notice is required, the Privacy Regulations 2020 set out how this public notice must be given.

There are limited exceptions to the requirement to notify – essentially, if notification would prejudice New Zealand’s security or defence, or the maintenance of the law, endanger safety, or reveal a trade secret. 

Further exceptions permit an agency not to notify an affected individual if the particular individual is under 16 and the agency believes that notification would be contrary to the person’s interests, or if, after consultation with the person’s health practitioner, the agency believes that notification would be likely to prejudice that individual’s health.

It is also important to note that while most notifications must take place “as soon as practicable”, an agency may delay notifying affected individuals or giving public notice if the agency believes that notification may have risks for the security of personal information held by the agency, and that those risks outweigh the benefits of informing the individuals.  The agency may delay notification only for the period during which the risks continue to outweigh the benefits of notification.  One example where this is important is if a company’s website security systems were hacked, causing a privacy breach, and the attack revealed a more widespread security vulnerability.  The company would likely be permitted to delay notification of the privacy breach while it fixed the vulnerability, especially if premature notification could enable other hackers to exploit the vulnerability.  However, agencies must in all circumstances notify the Privacy Commissioner of a notifiable privacy breach, even if the agency opts to delay notification to the affected individuals.

Points to consider

In the lead-up to the Privacy Act 2020 coming into force, businesses and organisations should be taking steps to ensure that they are able to comply with the new requirements.  These steps might include:

  • Ensuring that all personnel are aware of the new obligations;
  • Updating privacy policies to ensure they comply with the new Act;
  • Developing or reviewing procedures to keep information and data protected, both physically and electronically;
  • Developing clear procedures on how to detect, report and investigate potential data breaches. In particular, ensuring that your organisation has a plan in place to meet the new reporting obligations without delay;
  • Ensuring there are clear internal lines of communication so that all personnel know who they can talk to within your organisation about privacy issues.

If you have any further questions about the new Privacy Act 2020 or how to ensure that your organisation complies, please contact Lydia Sharpe, Alison Maelzer, Julika Wahlmann-Smith or your usual contact at Hesketh Henry.

The information contained in this article is current at the date of publishing and is of a general nature.  It should be used as a guide only and not as a substitute for obtaining legal advice.  Specific legal advice should be sought where required.