A data leak by a company, known as a privacy breach, involves the unauthorised or accidental access, disclosure, alteration, loss, or destruction of personal information. In New Zealand, the handling of personal information and the response to privacy breaches are primarily governed by the Privacy Act 2020.
What is a Privacy Breach?
A 'privacy breach' occurs when there is unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information, or an action that prevents an agency from accessing the personal information on either a temporary or permanent basis [Source: Privacy Act 2020, s 108].
An 'agency' is defined broadly under the Privacy Act 2020 to include most organisations, businesses, and government departments in New Zealand that collect or hold personal information [Source: Privacy Act 2020, s 7]. 'Personal information' refers to information about an identifiable individual [Source: Privacy Act 2020, s 7].
Company Obligations Regarding Data Protection and Breaches
Companies, as 'agencies', have specific obligations under the Privacy Act 2020:
Security Safeguards
Agencies must ensure that personal information is protected by reasonable security safeguards against loss, unauthorised access, use, modification, disclosure, or other misuse [Source: Privacy Act 2020, s 22, Principle 5]. This means they must take steps to keep your data secure.
Mandatory Notification of Notifiable Privacy Breaches
If a company experiences a 'notifiable privacy breach', it has a mandatory obligation to notify both the Privacy Commissioner and the affected individuals [Source: Privacy Act 2020, s 110].
A 'notifiable privacy breach' is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals, or is likely to do so [Source: Privacy Act 2020, s 109]. When assessing the likelihood of serious harm, factors considered include the sensitivity of the information, the nature of the harm that may be caused, the number of people affected, and any steps taken by the agency to reduce the harm [Source: Privacy Act 2020, s 109(2)].
The notification to the Privacy Commissioner and affected individuals must include a description of the breach, the personal information involved, how the breach occurred, the steps taken or planned to respond to the breach, and any steps affected individuals should take to mitigate potential harm [Source: Privacy Act 2020, s 111].
Individual Rights if Your Privacy is Breached
If your privacy is breached, the Privacy Act 2020 provides several rights and avenues for redress:
Right to Complain to the Privacy Commissioner
Individuals can make a complaint to the Privacy Commissioner if they believe an agency has interfered with their privacy [Source: Privacy Act 2020, s 67]. An interference with privacy includes a breach of one of the privacy principles, such as Principle 5 (security safeguards) or the mandatory notification rules [Source: Privacy Act 2020, s 69]. The Privacy Commissioner is an independent body responsible for promoting and protecting individual privacy [Source: Privacy Act 2020, s 12].
Right to Access Personal Information
Individuals have the right to request access to any personal information an agency holds about them [Source: Privacy Act 2020, s 22, Principle 6]. This allows individuals to see what information was potentially exposed in a breach.
Right to Request Correction of Personal Information
If personal information held by an agency is inaccurate, incomplete, or out of date, individuals have the right to request that the agency correct it [Source: Privacy Act 2020, s 22, Principle 7].
Outcomes of a Complaint
When a complaint is made, the Privacy Commissioner may investigate the complaint and attempt to facilitate a settlement between the individual and the agency [Source: Privacy Act 2020, Part 6]. If a resolution cannot be reached and the Commissioner believes there has been an interference with privacy, the matter may be referred to the Human Rights Review Tribunal [Source: Privacy Act 2020, Part 7]. The Human Rights Review Tribunal can make legally binding decisions, including ordering an agency to pay damages or perform specific actions [Source: Privacy Act 2020, ss 103-107].
Steps to Take if Your Privacy is Breached (Information for Individuals)
If an individual's personal information is subject to a privacy breach, actions that can be taken include:
- Contact the company: The individual can directly contact the company responsible for the breach to inquire about the details of the breach, the information affected, and the steps being taken to address it.
- Report to the Privacy Commissioner: If the individual is not satisfied with the company's response, or if they believe their privacy rights have been infringed, a complaint can be lodged with the Privacy Commissioner [Source: Privacy Act 2020, s 67]. The Privacy Commissioner can investigate the matter and attempt to resolve it.
- Take protective measures: If sensitive financial information or identity details were involved in the breach, individuals can consider changing passwords, monitoring bank accounts, or activating credit alerts to limit further harm.
When to Seek Independent Legal Advice
If an individual's privacy has been breached and they are unsure about their rights, the process for making a complaint, or the remedies that may be available, seeking independent legal advice is an option. Information and guidance are available from the Office of the Privacy Commissioner, and Community Law Centres provide free legal assistance on privacy matters. Legal professionals can provide tailored information on specific circumstances and potential next steps.