Source: New Zealand Privacy Commissioner – Blog
Our personal information is precious. It is unique to each of us and tells a story about who we are.
Under the Privacy Act, organisations that collect and hold personal information have a duty to protect it and respect it.
When things go wrong and organisations breach the privacy of their customers, clients, or stakeholders, it can cause serious harm. Privacy breaches can lead to financial loss, identity theft or, in extreme cases, physical harm.
Organisations responsible for serious privacy breaches may also lose public trust and damage their brands or reputations.
Fortunately, there are many occasions when somebody realises a privacy breach is about to happen and acts before it is too late. Similarly, sometimes privacy breaches occur but no serious harm is caused. Each of these circumstances provides an opportunity for organisations to learn and make system changes to avoid a serious breach next time. Many of the most common privacy breaches are easily preventable.
What is a privacy breach?
A privacy breach is an event (whether intentional or accidental) in which someone’s personal information is accessed, used, altered, shared, lost, or destroyed without authorisation. A privacy breach also occurs if someone is either temporarily or permanently unable to access their personal information.
Under the Privacy Act, if an organisation experiences a privacy breach that it believes has caused or has the potential to cause serious harm, it must notify the Office of the Privacy Commissioner (OPC) and affected individuals as soon as possible (unless an exception applies). It can do this using NotifyUs.
Failure to report a notifiable privacy breach to OPC could result in a fine of up to $10,000.
What about near misses or non-serious privacy breaches?
Often organisations or individuals will narrowly avoid a serious privacy breach through sheer luck.
For example, you might be about to send an email containing personal information to the wrong person. Or you may have drafted an email containing sensitive information to a list of people and Cc’d each email address rather than Bcc’ing them. In each of these instances, a breach could be avoided if, just before clicking ‘send’, you realise your mistake and take appropriate action to rectify it.
Other examples of narrowly avoiding serious privacy breaches could be:
- Where an email or letter containing sensitive personal information is sent to the wrong person and the mail is returned unopened.
- When a website vulnerability that exposes personal information is discovered by staff before any website users see it.
- If a business’ CCTV camera inadvertently films somebody’s private property, but this is discovered before any people are filmed.
- If someone sends an email to the wrong recipient, but it contains no sensitive personal information. While a privacy breach has happened, because no serious harm has or is likely to occur, you would not need to notify OPC or the affected individuals.
How to avoid the most common type of privacy breach? Get your emails in order!
NotifyUs is OPC’s tool for organisations to report their privacy breaches to us.
More than a third of all privacy breaches reported to us over the past five months (since Privacy Act 2020 came into force) were the result of email errors.
If sensitive information relating to someone’s health, family, finances or other categories of sensitive personal information is attached to emails, it could easily cause someone serious harm.
Before you send an email containing personal information, follow these simple steps to avoid disaster:
- Double-check the list of recipients. Is it going to the intended person or people?
- Check your attachments. Make sure you are only sending what you intend to.
- For mass emails, ensure all email addresses are in the ‘Bcc’ field rather than the ‘Cc’ field.
- Implement a send delay. One or two minutes should be fine. That way, if you realise you’ve made a mistake, you have time to change course. Here’s how to implement a send delay using Outlook.
- If sending information in spreadsheets, check there isn’t any sensitive information hidden in other worksheet tabs or in pivot tables, unless the sheet is password protected.
Prevention is better than cure
Aside from avoiding email blunders, what other steps can you take to prevent privacy breaches or respond to near misses?
Near misses provide the perfect opportunity for organisations to examine how they handle customer or client information and improve their privacy game.
Steps to up your organisation’s privacy game:
Once you have taken those steps, you should also review your organisation’s physical and technical security.
Steps to review your organisation’s security:
Store personal information securely. Put physical documents containing personal information in lockboxes or filing cabinets. Digital documents containing personal information should be password protected.
Only staff who need access to personal information should have access to it. If possible, implement a system to keep track of who is accessing personal information on your systems. Many privacy breaches reported to our office are categorised as employee browsing. Employee browsing is when staff members access personal information they have no right to, e.g. a bank teller searching the account information of people they know out of curiosity.
Finally, ensure your staff receive privacy training. An easy way to do this is to try our free e-learning units. Privacy ABC and Privacy Act 2020 are good units to get you started.
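The access-tracking suggestion above, as an added example that is not from the Commissioner’s office: a small Python check that reads a constructed audit log export and flags record views by staff who had no recorded business reason (no assignment) to look at that customer, then counts them per staff member so a run of lookups stands out from a single mis-click. The log format, the assignment table and the staff and customer IDs are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log: who viewed which customer record, and when.
# A real system would export something similar from application or database logs.
AUDIT_LOG = """timestamp,staff_id,customer_id,action
2021-05-03T09:02:11,t.smith,C1001,view_account
2021-05-03T09:05:40,t.smith,C1002,view_account
2021-05-03T12:31:05,t.smith,C2045,view_account
2021-05-03T12:31:50,t.smith,C2046,view_account
2021-05-03T12:32:20,t.smith,C2047,view_account
2021-05-03T14:10:00,a.jones,C1003,view_account
"""

# Constructed assignment table: the customers each staff member has a
# documented business reason to handle (assumed to come from a case system).
ASSIGNMENTS = {
    "t.smith": {"C1001", "C1002"},
    "a.jones": {"C1003"},
}

def parse_audit_log(text):
    """Parse the CSV audit export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def find_unassigned_access(rows, assignments):
    """Return (staff_id, customer_id, timestamp) for every record view where
    the staff member had no assignment to that customer."""
    findings = []
    for row in rows:
        allowed = assignments.get(row["staff_id"], set())
        if row["customer_id"] not in allowed:
            findings.append((row["staff_id"], row["customer_id"], row["timestamp"]))
    return findings

def summarise_by_staff(findings):
    """Count unassigned views per staff member; several in a short span is the
    pattern worth a manager's review, one may just be a mis-typed ID."""
    counts = defaultdict(int)
    for staff_id, _, _ in findings:
        counts[staff_id] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = find_unassigned_access(parse_audit_log(AUDIT_LOG), ASSIGNMENTS)
    for staff_id, customer_id, ts in hits:
        print(f"{ts} {staff_id} viewed {customer_id} with no recorded assignment")
    print(summarise_by_staff(hits))
```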
By following these simple steps, you can turn a narrowly avoided serious privacy breach into better privacy practice for your organisation.