One of the most talked-about changes in the new Privacy Act 2020 (which comes into force on 1 December) will be the introduction of mandatory privacy breach notifications. Under the new Act, any organisation that suffers a 'privacy breach' will be required to make a notification to the Privacy Commissioner and to affected individuals. Failure to report notifiable privacy breaches will carry a fine of up to NZ$10,000.
What is a notifiable privacy breach?
A privacy breach will be notifiable if it is reasonable to believe that the breach has caused serious harm to affected individuals, or is likely to do so. A 'breach' is defined broadly, and includes unauthorised access to or disclosure of information, as well as unauthorised alteration, loss or destruction. All manner of incidents - including common cases of human error - will likely need to be considered as a 'privacy breach'.
While the new Act does not define what "serious harm" is, it requires that businesses must consider in particular:
- Any action taken by the business to reduce the risk of harm following the privacy breach. This would include, for example, the retrieval of lost data via back-ups or disabling impacted systems;
- Whether the personal information is sensitive in nature. If the particular breach discloses sensitive health or financial information or other information that may enable fraud (such as passport details) then it is more likely that serious harm will occur;
- The nature of harm that may be caused to affected individuals. "Harm" in this context is broad and may include identity theft, threats to physical safety, loss of business or employment opportunities, humiliation or damage to relationships or workplace bullying;
- The person or body that has obtained or may obtain personal information as a result of the breach (if known). If the person who has obtained the information is known to have malicious intentions then this is likely to increase the risk of serious harm occurring, whereas an email mistakenly sent to a trusted and long term advisor who has given assurances that the email has been deleted may have less risk of serious harm occurring;
- Whether the information is protected by a security measure (such as encryption) as that is likely to reduce the risk of serious harm occurring; and
- Any other relevant matter, eg the scope and scale of the relevant privacy breach. If a large quantity of personal information is disclosed or if the privacy breach has been ongoing for some time, then the risk of serious harm occurring is likely to be greater.
Assessing whether serious harm has occurred is effectively a judgment call that will differ in each case depending on the facts in question. At the outset we anticipate that there may be some over-notification while businesses develop an understanding of what "serious harm" looks like, but it is also likely that some businesses will be reluctant to notify privacy breaches unless there is a very compelling case to do so. Where businesses determine that notification is not required, we recommend that those businesses document and record the relevant factors and decision making process to ensure that those decisions can in future be demonstrated as justifiable.
Importantly, as businesses are responsible for the personal information held by their service providers (to the extent that those service providers are not using the relevant information for their own purposes), if a service provider suffers a privacy breach then, under the new Act, the relevant business is responsible for making a notification of that privacy breach if the breach has caused serious harm or is likely to do so. To ensure that businesses can assess those privacy breaches and the risks of serious harm arising appropriately, businesses should ensure that contracts with service providers require the relevant service providers to notify them as soon as a breach occurs.
Who needs to be notified?
Businesses must notify the Privacy Commissioner and, unless an exception applies, "affected individuals" (ie individuals to whom the relevant information relates) if a notifiable privacy breach occurs. If it is not reasonably practicable to notify an affected individual or a group of affected individuals, the business must instead give public notice of the privacy breach (eg, where the business does not hold contact details for the individuals involved). There are also exceptions to the obligation to notify affected individuals if, for example, doing so would endanger the safety of any person or reveal a trade secret.
If notification is made publicly, notification will need to be made on a website maintained by the business that is free of charge and publicly available at all reasonable times and on at least one other medium (eg in a newspaper or on social media).
When does notification need to occur?
Subject to some very limited exceptions, the Privacy Commissioner and affected individuals need to be informed of notifiable privacy breaches as soon as practicable after becoming aware that a notifiable privacy breach has occurred. While the Privacy Commissioner has emphasised that "as soon as practicable" means "as soon as possible", there will be some flexibility for businesses as to when notification needs to be made. Based on guidance provided for equivalent privacy laws in Australia, the relevant timing is likely to vary for each business depending on the cost, time, and effort required to notify. In our view, the timeframes specified by European data protection law are also likely to provide a useful benchmark (ie without undue delay and, where feasible, within 72 hours of becoming aware of the breach).
What does the notification need to cover?
The content of a privacy breach notification differs depending on who the notification is being made to. In summary, notifications must:
- Describe the relevant privacy breach, including the number of affected individuals (if known) and the identity of any person or body that the business suspects may be in possession of personal information as a result of the privacy breach (if known);
- In notifications to the Privacy Commissioner, provide details of any exceptions or justifications for any delay in notification and details of any other businesses that the business has contacted about the privacy breach (as well as reasons for that contact) and, if notification is being made via public notice, an explanation as to why it is not possible to notify the affected individuals directly;
- State any steps that the business is taking or intends to take in response to the privacy breach and, in notices to the public and affected individuals, the steps the affected individual may wish to take to mitigate or avoid potential loss or harm;
- In notices to the public and affected individuals, confirm that the Privacy Commissioner has been notified and state that the affected individual can complain to the Privacy Commissioner; and
- Give details of a contact person within the business for inquiries.
The Privacy Commissioner's Office has also launched an online privacy breach notification tool ('NotifyUs') to assist with the notification process.
In our view, the content of notifications to affected individuals and the public are vital to ensuring that the PR risks posed by public notification are managed appropriately – a clear and easy to read notification with simple steps that individuals can take to manage any risks will be much better received than an ambiguous, high level, or overly cautious statement that does little to inform affected individuals of what has happened and the risks posed.
What should businesses be doing now to prepare?
Ideally, privacy breaches would not occur and no notifications would need to be made. However, breaches are increasingly becoming a reality for New Zealand businesses. With that in mind, to prepare for privacy breach notifications, businesses should start preparing a privacy breach policy that:
- Identifies what a privacy breach is (this might include setting out examples of what is or is not likely to constitute a privacy breach);
- Requires privacy breaches to be reported internally to the privacy officer, management, IT personnel (who may be able to try to contain or remedy the relevant privacy breach) and, potentially, insurance providers;
- Sets out the criteria for determining whether notification is required to the Privacy Commissioner and/or affected individuals and when that notification needs to be or does not need to be made; and
- Details what information a privacy notice should contain, timeframes for notification and a process for sending or publishing the notice (eg if the notice needs to be made publicly available, who is responsible for uploading the notice to the business' website and who needs to approve that notice beforehand?). Depending on the severity of the privacy breach, businesses may also wish to consider including a process for involving third party consultants, such as public relations advisors.
In addition, staff should also be notified of and receive training on the new privacy breach policy, so that know how to spot a breach and who to report it to internally.
This article was written by Allan Yeoman (Partner) and Alex Chapman (Senior Associate) for NBR November 2020.