Privacy breach obligations under the Privacy Act 2020: lessons from recent cyber attacks

Recent cyber incidents, including the Qantas data breach, have brought renewed attention to the risks organisations face when personal information is not properly secured. The airline’s handling of the breach prompted questions from affected individuals about its response and the strength of its data protection measures. For New Zealand businesses, these developments reinforce the need for strong privacy management and strict adherence to the Privacy Act 2020.

Why should organisations prioritise privacy?

A privacy breach can have serious consequences for any organisation, including reputational damage, loss of customer trust, regulatory scrutiny, and financial penalties. Customers and regulators expect organisations to take privacy seriously and to respond swiftly and transparently if things go wrong. The Privacy Act 2020 sets clear expectations for how personal information should be managed and what steps must be taken in the event of a breach.

What is a privacy breach?

A privacy breach occurs when personal information is accessed, disclosed, altered, lost, or destroyed, either accidentally or without authorisation. It also includes situations where information cannot be accessed, temporarily or permanently, such as when data is encrypted by ransomware.

When is a breach notifiable?

A notifiable privacy breach is one that has caused, or is likely to cause, serious harm to affected individuals. Examples of serious harm include:

  • physical harm or intimidation
  • financial fraud or identity theft
  • family violence
  • psychological or emotional harm

If a notifiable privacy breach occurs, you must notify the Privacy Commissioner as soon as possible, and ideally by no later than 72 hours after becoming aware of the breach. Affected individuals should also be notified unless there are good reasons not to do so.

Why timely notification matters

Delays in notification can increase the risk of harm to individuals and expose your organisation to reputational and regulatory risks. Prompt and transparent communication demonstrates compliance and helps maintain trust with customers and stakeholders.

What steps should you take if a breach occurs?

If you suspect a privacy breach, immediate action is essential. Recommended steps include:

  • Contain: take steps to stop further unauthorised access or disclosure. This may include retrieving lost information, disabling compromised systems, or updating access credentials.
  • Assess: evaluate the risks, extent, and severity of the breach. Consider the sensitivity of the information and the potential impact on affected individuals.
  • Notify: if the breach is likely to cause serious harm, notify the Privacy Commissioner and affected individuals as required by law.
  • Prevent: review your policies and procedures to address any gaps and prevent future breaches. This may include further staff training, security audits, or reviewing supplier arrangements.

How can you prevent privacy breaches?

Being proactive is key to reducing the risk of privacy breaches. Practical steps include:

  • Understanding your obligations under the Privacy Act 2020 and the information privacy principles
  • Maintaining up-to-date privacy policies and incident response plans
  • Securing IT systems and networks with strong access controls and regular monitoring
  • Providing regular privacy training for all staff
  • Carefully assessing third-party providers and ensuring they meet privacy standards
  • Minimising the collection and retention of personal information
  • Conducting regular privacy audits and reviewing access controls

We have prepared a 10-step guide to preventing privacy breaches, designed to help your organisation understand its obligations and implement practical measures to protect personal information.

For more information or assistance, please contact our data protection and privacy team.

Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.
