what you need to know about mandatory privacy breach notifications in the new privacy act



Share on facebook
Share on twitter
Share on linkedin
Share on email

The long-awaited overhaul of New Zealand’s privacy law is almost here – the new Privacy Act 2020 (the Act) comes into force on 1 December 2020. 

The Act is a much-needed update to ensure New Zealand’s laws keep up with the privacy issues faced by us all in 2020 and beyond – a privacy landscape that has little in common with the issues faced in 1993, when the current Privacy Act came into force. 

As well as strengthening existing privacy protections, the Act includes new requirements for New Zealand businesses, such as new reporting and notification obligations.

This blog post is the first in a series of blogs on recent and upcoming privacy law changes.  Subscribe to our newsletter or keep an eye out for our privacy blogs on changes to the EU-US Privacy Shield, disclosures of personal information to offshore companies, and our new template privacy policy.

you must notify certain breaches

One of the biggest changes is the introduction of a mandatory privacy breach notification, bringing New Zealand into line with international best practice.  You must notify the Privacy Commissioner and affected individuals of notifiable privacy breaches as soon as practicable after becoming aware of it.

A privacy breach includes unauthorised or accidental access to personal information, or disclosure, alteration, loss or destruction of personal information.  That breach will become notifiable if it is reasonable to believe the breach has caused serious harm to an affected individual, or is likely to do so. 

what counts as ‘serious harm’?

Things to consider when deciding if there is serious harm include:

  • the action you took to reduce the risk of harm following the breach
  • whether the personal information is sensitive (e.g. health information)
  • the nature of the harm that may be caused to affected individuals
  • who obtained (or may obtain) personal information as a result of the breach
  • whether the personal information is protected, e.g. by a password or encryption.

If you have committed a notifiable breach, subject to some limited exceptions (discussed below), you must use a prescribed form to notify the Privacy Commissioner and affected individuals.  If it isn’t reasonably practicable to notify affected individuals, you must give public notice of the breach.

This notice must be given as soon as reasonably practicable after becoming aware of the breach.  In practice, this means you must quickly assess whether the breach is notifiable, and if it is, you must provide the notice as soon as possible.  

are there any exceptions?

There are carve-outs to the notification requirement for affected individuals, as follows.

  • You do not need to disclose if doing so would prejudice maintenance of the law, endanger a person’s safety, or reveal a trade secret. 
  • You may delay notifying affected individuals if to do so risks the security of other personal information held by you and those risks outweigh the benefits of informing affected individuals. E.g., if you identified a security vulnerability, you may wish to delay informing affected individuals until the vulnerability is fixed.  As soon as the grounds for delay no longer exist, you must inform affected individuals of the breach.

Despite these carve-outs related to affected individuals, you must always notify the Privacy Commissioner of the notifiable breach as soon as practicable.

Failing to give the notice without a reasonable excuse may result in a fine of up to $10,000 or the issue of a public compliance notice.  Given this, we suggest you err on the side of caution when assessing whether to notify a breach. 

what should you do?

Now is a great time to check your privacy policy to ensure it will comply with the Act.  It’s also a good chance to:

  • review and update your internal practices and systems to ensure they align with what will soon be required under the Act.  Think about including processes to enable you to quickly detect breaches, to respond promptly to minimise harm, and to provide notice of a breach if required
  • develop a clear view of what personal information you hold, including where it is stored and who accesses it
  • provide additional training to staff who handle personal information.

If you’d like us to review your privacy policy in light of these recent developments, get in touch.

explore our other blog posts

Your End of FY To-Do List:  AGMs

This is the first in a small series that Kindrik Partners is working on, pulling together company admin to be thinking about when 1 April comes around each year. 
[partial name="mailchimp-newsletter-horizontal" dir="template-parts/components/component"]

are you based in southeast asia?

If so then you may prefer