As part of the build up to the Privacy Act 2020 coming in to force on 1 December, the Privacy Commissioner has launched an online tool to help assess whether a privacy breach is notifiable. One of the key elements of the Privacy Act 2020 is the need for organisations to notify the Commissioner and affected individuals if a privacy breach has caused, or is likely to cause, serious harm. A failure to report may result in a fine of up to $10,000.
Exactly what serious harm means is not defined in the new Act, so the Commissioner has launched an online tool to help assess whether what has happened amounts to something which is reportable and decide what to do next.
In addition, the Commissioner has provided some further detail by way of examples of what might amount to serious harm. It should be noted that some information is more sensitive than others and there may be some circumstances where information that is not inherently sensitive can nevertheless be sensitive and capable of causing harm in certain contexts. For example, disclosure of an address could be harmful where the person concerned is wanting to protect their location from an abusive former partner. Examples can provide guidance but they are not an exhaustive list. Examples can themselves give rise to further questions, but are a useful place to start. Determining serious harm remains a judgment call.
Examples of serious harm as set out by the Commissioner include:
- Physical harm or intimidation,
- Financial fraud including unauthorised credit card transactions or credit fraud,
- Family violence,
- Psychological, or emotional harm.
We would anticipate that further examples will be provided as the reporting system develops and trends emerge.
Click here for the reporting tool.
For further information please contact one of our data protection and privacy specialists.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.