Source: New Zealand Privacy Commissioner – Blog
In recent weeks, the Office of the Privacy Commissioner has been contacting individual organisations about specific privacy breaches that have been raised with us. We’re taking a more proactive approach to remind and warn individual organisations of their statutory responsibilities under the Privacy Act 2020.
There is, in particular, the requirement that organisations notify the Privacy Commissioner of a serious privacy breach. This would include a ransomware attack when personal information is either accessed, stolen, or rendered inaccessible. Section 114 of the Privacy Act 2020 says an organisation must notify the Commissioner as soon as practicable after it becomes aware that a notifiable privacy breach has occurred. Although the Act is silent on precise timing, we have determined that, unless there are extenuating circumstances, this should be within 72 hours.
If an organisation fails to do so, we can consider prosecuting it. Failing to notify is an offence under section 118 of the Act, and an organisation convicted of it is liable for a fine of up to $10,000.
Organisation A was warned because a former employee appeared to be using personal information obtained while employed by the organisation to contact customers about their new business.
We were alerted to this apparent breach by a customer of the organisation. We reminded the organisation that it had a legal obligation to notify our Office of a serious privacy breach.
We recommended the organisation consider taking action to recover or at least prevent the ex-employee from using the information inappropriately. Our other recommendations were:
- a reminder to staff who offer their resignation that they must not take client information with them when they leave; and
- regular privacy training for staff, in particular that they should only use customer information for the purpose for which the organisation collected it.
While we did not intend to formally investigate the complaint we received, we advised the organisation that our Office might take further steps if we received similar complaints.
Organisation B sent letters which included sensitive information to a group of its clients. It discovered soon afterwards that many of the letters had gone to outdated addresses.
The organisation carried out an investigation into what went wrong with the mailout. As part of the investigation’s outcome, it decided to notify our Office of the privacy breach.
We queried why we were notified three months after the breach occurred. The law says an organisation must notify as soon as practicable after becoming aware of a notifiable privacy breach. The organisation apologised for the delay in notifying our Office.
We decided not to prosecute but warned the organisation that we may take further steps, including prosecution, if we identified similar non-compliance with the Act.
We recommended that the organisation:
- develop a policy for privacy breach management, including notifying our Office as soon as practicable;
- ensure its privacy breach management policy is implemented as soon as possible; and
- ensure it has systems in place to assure itself that all privacy breaches that have caused, or are likely to cause, serious harm are notified to our Office as soon as practicable.
Organisation C notified our Office two months after it identified a serious privacy breach had occurred. Upon our request, the organisation gave us a copy of its policy regarding privacy breach management for our review.
The policy said the organisation should notify our Office as soon as practicable. It also set out what kind of information should be given to us.
We advised the organisation that it should have reported the breach to our Office at the same time as it was working to contain and remedy it. It was unnecessary to wait until all steps had been taken to resolve the matter before notifying us.
We informed the organisation that we did not intend to prosecute, but that this could change if we identified similar non-compliance in the future.
Compliance and enforcement
It has now been six months since the Privacy Act 2020 took effect. The law has changed. Mandatory privacy breach reporting means telling our Office as soon as practicable if there’s been a serious privacy breach. It doesn’t mean telling us after the dust has settled. It means telling us sooner rather than later. Otherwise, there are potential consequences because the Privacy Act has given our Office new powers to enforce the law change.