Disclaimer: Educational purposes only. Not legal advice. Consult a qualified NZ legal practitioner for your specific circumstances.

SimplifiedLaw.co.nz
Mandatory data breach reporting: What companies must do

Key Takeaway

New Zealand law mandates that organisations ('agencies') must report 'eligible privacy breaches' to the Privacy Commissioner and affected individuals. An eligible privacy breach occurs when unauthorised access, disclosure, or loss of personal information is likely to cause serious harm. This obligation ensures transparency and enables individuals to mitigate potential risks.

Mandatory Data Breach Reporting in New Zealand

In New Zealand, entities that handle personal information, known as 'agencies', have specific obligations regarding privacy breaches. The Privacy Act 2020 introduces mandatory reporting requirements for certain types of breaches, ensuring that both the Privacy Commissioner and affected individuals are informed.

What is an 'Agency'?

An 'agency' refers to any person or body of persons, whether corporate or unincorporate, and includes government departments, businesses, individuals, and non-profit organisations, with some specific exclusions like Members of Parliament acting in their official capacity or the Sovereign [Source: Privacy Act 2020, s 7].

Understanding a 'Privacy Breach'

A 'privacy breach' occurs when there is unauthorised access to, or disclosure or loss of, personal information held by an agency [Source: Privacy Act 2020, s 107]. 'Personal information' is defined as information about an identifiable individual [Source: Privacy Act 2020, s 7]. This can include names, addresses, health information, financial details, or any other data that can be linked to a specific person.

The 'Eligible Privacy Breach' Threshold

Not every privacy breach requires mandatory reporting. An agency is required to report an 'eligible privacy breach' if it is reasonable to believe that the privacy breach has caused serious harm to an affected individual or individuals, or is likely to do so [Source: Privacy Act 2020, s 108(1)].

When determining if a breach is an 'eligible privacy breach', an agency must consider several factors, including:

  • the nature of the personal information involved;
  • any steps taken by the agency to reduce the risk of harm following the breach;
  • the nature of the harm that may be caused to affected individuals;
  • the identity of the person who accessed or received the personal information (if known);
  • any other relevant circumstances [Source: Privacy Act 2020, s 108(2)].

Obligations to Notify

If an agency identifies an eligible privacy breach, it has two primary notification obligations:

  1. Notification to the Privacy Commissioner: The agency must notify the Privacy Commissioner as soon as practicable after becoming aware of the eligible privacy breach [Source: Privacy Act 2020, s 110(1)(a)].
  2. Notification to Affected Individuals: The agency must also notify any affected individual or individuals as soon as practicable after becoming aware of the eligible privacy breach [Source: Privacy Act 2020, s 110(1)(b)].

In some cases, if it is not reasonably practicable to notify every affected individual, the agency may be able to notify affected individuals by giving public notice, provided the Privacy Commissioner is also notified [Source: Privacy Act 2020, s 110(2)].

Content of the Notification

When notifying the Privacy Commissioner and affected individuals, the agency must provide sufficient information to allow the Commissioner and individuals to understand the breach and take appropriate steps. The notification must include:

  • the name and contact details of the agency;
  • a description of the eligible privacy breach;
  • the action taken or intended to be taken by the agency in response to the breach; and
  • the steps that affected individuals may take to mitigate any harm [Source: Privacy Act 2020, s 111(1)].

Exceptions and Delays in Notification

An agency is not required to notify individuals if the Privacy Commissioner considers it inappropriate to do so in the public interest, or if the agency is a law enforcement agency and believes that notification would prejudice certain law enforcement activities [Source: Privacy Act 2020, s 110(4), s 110(5)].

Notification may also be delayed if the agency believes that notification would prejudice the security of the personal information held by the agency, or would prejudice the taking of action to reduce the risk of harm [Source: Privacy Act 1993, s 112]. In such cases, the agency must notify the Commissioner of the delay and the reasons for it.

Consequences of Non-Compliance

Failure to notify the Privacy Commissioner of an eligible privacy breach is an offence [Source: Privacy Act 2020, s 119(1)(d)]. An agency (specifically, a body corporate) that commits this offence may be liable on conviction to a fine not exceeding $10,000 [Source: Privacy Act 2020, s 119(2)]. The Privacy Commissioner also has powers to issue compliance notices and take other enforcement actions to ensure adherence to the Act [Source: Privacy Act 2020, Part 9].

When to Seek Independent Legal Advice

Agencies dealing with privacy breaches, especially those that may constitute an 'eligible privacy breach', should seek independent legal advice. Legal professionals can assist with interpreting the requirements of the Privacy Act 2020, assessing the likelihood of serious harm, managing notification processes, and understanding potential liabilities. Assistance may also be available from Community Law Centres for general guidance regarding privacy law, and the Office of the Privacy Commissioner provides resources and guidance on compliance.

Key Resources