Privacy Act 2020 and mandatory privacy breach reporting
Alan Knowsley, New Zealand Tree Grower May 2021.
This article explains the steps a farmer or forestry organisation must take when reporting to the Privacy Commissioner and the individuals concerned if there has been a privacy breach under the new law which has recently come into force. Under the Privacy Act 1993, although encouraged as best practice, agencies did not have to report a privacy breach. The Privacy Act 2020, which came into force on 1 December 2020, makes reporting of privacy breaches mandatory if they classify as a ‘notifiable privacy breach’.
What is a privacy breach?
The new Act provides two interpretations of what a privacy breach is, in relation to personal information held by a farmer, forestry company or organisation. These include −
- Unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of the personal information
- An action which prevents the agency from accessing the information on either a temporary or permanent basis.
The first meaning is what is commonly understood to be a privacy breach. This includes incidents such as unauthorised access to a system, losing devices such as laptops or USBs which contain personal information, or accidentally disclosing personal information to the wrong person. The second meaning encompasses incidents such as ransomware attacks. This form of cyber attack has become increasingly common in recent years.
In a ransomware attack, an outside user gains access to systems or databases and either locks the users out or encrypts their files. Often the hacker will subsequently demand a financial payment in return for restoring access or providing a key to decrypt the files. There have been several incidents where companies have refused to make payment, and sensitive information has been deleted or released to the public.
When a breach is notifiable
A privacy breach is notifiable when it is reasonable to believe the breach has caused, or is likely to cause, serious harm to the affected individuals. The Act provides several factors that an agency must consider when deciding if a breach is notifiable −
- Any action taken by the agency to reduce the risk of harm following the breach
- Whether the personal information is sensitive in nature
- The nature of the harm that may be caused to affected individuals
- The person or body which has obtained or may obtain personal information as a result of the breach if known
- Whether the personal information is protected by a security measure
- Any other relevant matters.
It is important to note that the breach is notifiable when it is reasonable to believe the breach has caused, or is likely to cause, serious harm. Whether or when that belief is reasonable is a matter for the organisation to determine. Organisations need to understand that a failure to notify the Commissioner of the breach, where reasonable belief exists, is an offence punishable with a fine of up to $10,000.
Reporting the breach
If the breach is notifiable, it must be reported to the Privacy Commissioner and the affected individual. The agency must notify the affected individual as soon as reasonably practicable after becoming aware that a notifiable breach has occurred unless an exception applies.
The Act provides a detailed list of requirements which must be included in a notification.
A notification to the Commissioner from an organisation must −
- Describe the privacy breach, including the number of affected individuals and the identity of any person whom the organisation suspects may be in possession of personal information as a result of the privacy breach
- Explain the steps that the agency has taken or intends to take in response to the privacy breach, including whether any affected individual has been or will be contacted
- If the agency is intending to give public notice of the breach, set out the reasons justifying that action
- If the agency is relying on an exception, or is delaying notifying an affected individual or giving public notice, state the exception relied on and set out the reasons for relying on it or state the reasons why a delay is needed and the expected period of delay
- State the names or give a general description of any other agencies that the organisation has contacted about the privacy breach and the reasons for having done so
- Give details of a contact person within the organisation for inquiries.
A notification to an affected individual or a representative must −
- Describe the notifiable privacy breach and state whether the organisation has or has not identified any person or body that the agency suspects may be in possession of the affected individual’s personal information, but must not include any particulars which could identify that person or body
- Explain the steps taken or intended to be taken by the organisation in response to the privacy breach
- Where practicable, set out the steps the affected individual may wish to take to mitigate or avoid potential loss or harm
- Confirm that the Commissioner has been notified
- State that the individual has the right to make a complaint to the Commissioner
- Give details of a contact person within the organisation for inquiries.
A notification to an affected individual may identify a person or body who has obtained or may obtain that affected individual’s personal information if the organisation believes on reasonable grounds that identification is necessary to prevent or lessen a serious threat to the life or health of the affected individual or another individual. A notification to an affected individual must not include any particulars about any other affected individuals.
Notification must be made as soon as practicable. It may be provided incrementally, provided each part is given as soon as practicable.
Mandatory breach reporting will be a new process for farming and forestry organisations. It is important that you understand, and have a plan in place for, how to respond to potential privacy breaches; otherwise you could face expensive fines.
Alan Knowsley is a lawyer working for Rainey Collins Lawyers.