As a business owner, it is important to be aware of your privacy obligations, including your obligation to notify the Privacy Commissioner and affected people of certain privacy breaches. A privacy breach occurs when personal information is accessed or disclosed without authorisation, whether intentionally or accidentally. It is also a privacy breach when that information is altered without authorisation, lost or destroyed, or when your business is prevented from accessing it. Under the Privacy Act 2020, some privacy breaches are notifiable: if one occurs, you are required to notify New Zealand's Office of the Privacy Commissioner and the affected people. In this article, we look at:
- what a notifiable privacy breach is;
- what serious harm from a privacy breach is;
- how your business can limit the impact of a privacy breach; and
- how your business can limit the risk of a privacy breach.
What is a Notifiable Privacy Breach?
A 'privacy breach' is any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information, or any action that prevents your business from accessing the information on either a temporary or permanent basis. Ransomware that encrypts your customer records is a breach of this second kind even if nothing is disclosed. Personal information is any information about an identifiable individual, such as a person's name, email address, phone number, religious beliefs or health information.
If your business is subject to the Privacy Act 2020, you must report a notifiable privacy breach to the Privacy Commissioner and to the affected individuals, and you must do so as soon as practicable after becoming aware of it. However, you do not have to report every privacy breach. A privacy breach is notifiable if it is reasonable to believe the breach has caused, or is likely to cause, serious harm to any of the affected people.
The Privacy Commissioner's website has many resources you can use to help you determine whether a privacy breach is notifiable.
What is Deemed to be Serious Harm?
The harm caused by a privacy breach may be financial, physical, psychological or reputational.
Whether a privacy breach is likely to result in serious harm will depend on many factors, including:
- whether the information lost, disclosed or accessed is sensitive;
- who has obtained or could obtain the information; and
- whether effective security measures limit ongoing access to the information (for example, whether a lost device or database was encrypted, and whether the key was kept somewhere the attacker did not reach).
When weighing these factors, consider what consequences the breach could have for those affected. For example, if the information is sensitive and has fallen into a criminal's hands, it may be used to commit identity theft or to cause significant financial loss or humiliation. A breach like this is far more likely to result in serious harm than, say, an internal email sent to the wrong colleague, who deletes it on request.
Limiting the Impact of a Privacy Breach
When you discover a privacy breach, you need to act quickly to contain it and to investigate what went wrong and what information was affected. The relevant people within your organisation should be involved in containing and assessing the breach. This should include:
- someone from management who can make commercial decisions on behalf of the business;
- the head of your IT security team who can lead technical aspects of the containment and investigation; and
- someone from legal who can assist with assessing whether the breach is legally notifiable.
In some circumstances these may need to be external advisers, such as a law firm that can advise on your notification obligations or a digital forensics specialist who can reconstruct what an attacker did inside your systems and which records they touched.
Practical options for containing a privacy breach will depend on the type of breach. However, they may include:
- asking the recipient to delete the information and confirm in writing that they have done so;
- removing an attacker from your systems and taking the breached system offline until the weakness they used has been fixed and any credentials they may have captured have been reset (preserve logs and disk images first, as wiping a system also destroys the evidence your investigation and your notification decision depend on);
- recovering lost records;
- using CCTV to view who has accessed your premises; or
- taking down information that was accidentally published online, and asking search engines to remove any cached copies they have made.
Limiting the Risk of a Privacy Breach
Prevention is key when it comes to privacy breaches. You can implement technical measures to minimise the risk of a breach, including:
- using reputable, up-to-date antivirus and security software, and keeping systems patched;
- storing documents in access-controlled locations, storing passwords only as salted hashes (never in plain text), encrypting personal information at rest and in transit, and pseudonymising records wherever a task does not need the person's identity; and
- using a send-delay function on outgoing email so that a message addressed to the wrong recipient can be cancelled before it leaves your system (once an email has been delivered, "recall" features generally cannot retrieve it).
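Pseudonymisation is named above but not shown. The following is an added example (not code from the original article) of one way to do it: each direct identifier is replaced with a keyed HMAC-SHA256 token, and the key and the re-identification map are held apart from the working data, so a working copy that leaks on its own contains no names, emails or phone numbers. The field names, the `DIRECT_IDENTIFIERS` list and the sample records are assumptions for illustration; the records are constructed and describe no real person.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Assumed for illustration: the fields in our records that directly identify a person.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

Record = Dict[str, object]


def new_pseudonymisation_key() -> bytes:
    """Generate a random 256-bit key.

    Hold it in a secrets manager or HSM with different access rights from the
    pseudonymised data: a dataset that leaks without the key carries no direct
    identifiers, which changes the serious-harm assessment.
    """
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token for one identifier value.

    HMAC-SHA256 rather than a bare hash, so someone holding the tokens cannot
    confirm a guess ("is this Ben's email?") without the key. The field name is
    mixed in so an email token never collides with a name token, and the value
    is normalised so case variants of the same email map to the same token.
    """
    message = f"{field}:{value.strip().lower()}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def pseudonymise_records(key: bytes, records: List[Record]) -> Tuple[List[Record], Dict[str, str]]:
    """Return (working_copy, reidentification_map).

    The working copy keeps every non-identifying field unchanged, so analytics
    and joins still work. The map (token -> original value) is what lets you
    re-identify someone; store it with the key, never beside the working copy.
    """
    working: List[Record] = []
    reid_map: Dict[str, str] = {}
    for rec in records:
        out: Record = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                token = pseudonymise_value(key, field, str(value))
                out[field] = token
                reid_map.setdefault(token, str(value))  # keep the first spelling seen
            else:
                out[field] = value
        working.append(out)
    return working, reid_map


def reidentify(reid_map: Dict[str, str], token: str) -> Optional[str]:
    """Look a token up in the map; None for tokens the map does not know."""
    return reid_map.get(token)


def leaks_direct_identifiers(working: List[Record], originals: List[Record]) -> bool:
    """True if any original identifier value survives verbatim in the working copy."""
    raw_values = {str(rec[f]) for rec in originals for f in DIRECT_IDENTIFIERS if f in rec}
    return any(str(v) in raw_values for rec in working for v in rec.values())


# Constructed sample records for the example; they describe no real person.
SAMPLE_RECORDS: List[Record] = [
    {"name": "Aroha Smith", "email": "aroha@example.com", "phone": "+64 21 000 0001",
     "plan": "gold", "outstanding_balance": 0},
    {"name": "Ben Jones", "email": "Ben@Example.com", "phone": "+64 21 000 0002",
     "plan": "basic", "outstanding_balance": 120},
    # Same customer as the first record, typed with different capitalisation.
    {"name": "Aroha Smith", "email": "AROHA@example.com", "phone": "+64 21 000 0001",
     "plan": "gold", "outstanding_balance": 15},
]


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    working, reid_map = pseudonymise_records(key, SAMPLE_RECORDS)
    for rec in working:
        print(rec)
    # The two "Aroha" rows still join on their email token ...
    print("same customer:", working[0]["email"] == working[2]["email"])
    # ... and only the holder of the map (and key) can turn a token back into a person.
    print("re-identified:", reidentify(reid_map, working[0]["email"]))
    print("raw identifiers present:", leaks_direct_identifiers(working, SAMPLE_RECORDS))
```

Two caveats. Pseudonymised data is still personal information under the Act while you hold the key or the map, because the individuals remain identifiable; the measure reduces the harm a leak of the working copy can do, it does not remove your obligations. And the key must be rotated and the map re-issued if either is ever exposed, since the same key produces the same tokens every time.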
In addition, you can encourage good privacy and security practice and minimise human error by:
- training staff on privacy and security obligations;
- preparing and implementing an internal privacy and security compliance manual setting out the correct procedures for handling personal information; and
- appointing a privacy officer to champion your business's privacy training, processes and policies.
Your privacy and security manual should include a plan for responding to privacy breaches. A suspected breach is a time of high stress in which you must act quickly, and a written response plan guides you through the process rather than leaving you to improvise. A plan should set out details such as:
- the steps to take throughout the contain, assess, notify (if applicable) and review/future prevention process;
- who in the business is responsible for dealing with the different elements of the breach; and
- information about how to determine whether the breach requires notification.
Storing and transmitting large volumes of personal information electronically, and doing so constantly, has increased the risk of privacy breaches. It is therefore important that your business takes steps to prevent a breach from occurring, and that it is prepared to deal with both electronic and offline breaches when they do occur, starting with a plan for responding to a suspected breach.