Data duties – reporting obligations for privacy breaches on the way
Privacy law in New Zealand will be overhauled next year with the Privacy Bill (the Bill) set to come into force on 1 March 2020. The Bill will replace the 25-year-old Privacy Act to bring the law into line with international developments following two and a half decades of rapid technological and social change. Agencies that hold information about individuals must be prepared to comply with the new data breach reporting obligations. An agency is any person or group of persons, whether corporate or not, and whether in the public or private sector. All businesses and other organisations in New Zealand must therefore be ready.
Privacy breaches – not just disclosures but inability to access information
The Bill imposes new reporting obligations on agencies in the case of a notifiable privacy breach. There will have been a privacy breach if there is:
- an unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information held by an agency; or
- an action that prevents the agency from accessing the information on a temporary or permanent basis.
The privacy breach does not need to be caused by, or be attributable to, the agency. The hacking of an agency’s database, the accidental sending of information to the wrong person, the losing of a device like a USB or laptop containing personal information, or an agency temporarily losing access to a database could all constitute a privacy breach.
Notifiable privacy breaches – “Serious Harm”
A privacy breach will be notifiable if it is reasonable to believe that the breach has caused serious harm to an affected individual or is likely to do so. To assess whether a privacy breach is likely to cause serious harm, the agency must consider the following:
- any action taken by the agency to reduce the risk of harm following the breach;
- whether the personal information is sensitive in nature;
- the nature of the harm that may be caused to affected individuals;
- the person or body that has obtained or may obtain personal information as a result of the breach (if known);
- whether the personal information is protected by a security measure; and
- any other relevant matters.
Serious harm is not defined in the Bill, so agencies should err on the side of caution until the courts inevitably provide clearer guidance once the Bill comes into force.
Notification requirements for data breaches
Once an agency becomes aware of a notifiable data breach, it must, as soon as practicable, notify the Privacy Commissioner and any affected individuals. The notification must include:
- a description of the breach including the number of individuals affected (if known) and the identity of any person the agency suspects may be in possession of personal information because of the breach;
- an explanation of the steps the agency has taken or is going to take in response to the breach, including whether any affected individual has been contacted;
- the names or general description of any other agencies contacted with respect to the breach and the reasons for doing so; and
- details of a contact person within the agency for inquiries.
It is an offence to fail to notify the Commissioner of a notifiable privacy breach; a fine of up to $10,000 may be imposed for non-compliance.
Any affected individual must also be notified containing similar information to the above, but also confirming that the Commissioner has been notified and that the individual has the right to complain to the Commissioner. If it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, then public notice must be given.
What we recommend
To ensure compliance when the new law takes effect agencies should:
- maintain records of what and where personal information is stored, who is authorised to access it, and when, why and to whom it is shared;
- review policies now to ensure that internal data and security policies and systems are rigid and are being followed to minimise the risk of a privacy breach;
- train staff to know what a privacy breach is under the Bill so that if one occurs, it can be swiftly recognised and acted upon; and
- establish processes ahead of time so that notification obligations can be quickly satisfied and any harm flowing from a privacy breach can be mitigated.
For further information, please contact a member of our litigation and dispute resolution team.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.