New Zealand Mandatory Data Breach Notification Requirements
The Privacy Act 2020 sets out when an organisation must tell people that their personal information may have been involved in a data breach.
Organisations must tell individuals as soon as practicable after becoming aware of a data breach, where it is reasonable to believe that the breach is likely to cause serious harm to the individual.
The Act contains two tiers of notification:
- where an organisation must notify the Privacy Commissioner as well as the individual (external notification); and
- where an organisation only needs to notify the individual (internal notification).
What is a data breach?
A data breach happens when personal information is lost or stolen, accidentally or deliberately.
It can also happen when personal information is accessed without permission, or when it is shared in an unauthorised way.
A data breach may be the result of a security breach, such as a hacker breaking into an organisation’s systems.
It could also be the result of human error, for example, if an organisation accidentally emails personal information to the wrong person.
When notification must be made
What does it mean when the Act says an organisation must take action as soon as practicable?
The Act does not say what ‘as soon as practicable’ means in this context. It generally means taking action as soon as is reasonable in the circumstances.
For example, if an organisation becomes aware of a data breach at 2pm on a Monday, it may not be possible to take all the steps required to notify individuals by 5pm that day. In this case, it would be ‘as soon as practicable’ for the organisation to take all the necessary steps to notify individuals by the end of business the following day.
However, if an organisation becomes aware of a data breach at 2pm on a Monday, and it can take all the steps required to notify individuals by 4pm that day, it would be ‘as soon as practicable’ for the organisation to do so.
What is serious harm?
The Act says an organisation must take action as soon as it is reasonable to believe that a data breach is likely to cause ‘serious harm’ to an individual.
The Act does not define what ‘serious harm’ means. However, in our view, it is likely to include physical, psychological, emotional, economic, and reputational harm.
It may also include, in some cases, harm to property.
What steps does an organisation need to take?
The steps an organisation needs to take will depend on whether the data breach is one that requires external or internal notification.
External notification
If a data breach is one that requires external notification, the organisation must take the following steps:
- notify the Privacy Commissioner as soon as practicable after becoming aware of the data breach (this can be done online); and
- take all reasonable steps to notify the individuals affected by the data breach (unless an exception applies).
Internal notification
If a data breach is one that requires internal notification, the organisation must take the following steps:
- take all reasonable steps to notify the individuals affected by the data breach (unless an exception applies); and
- keep a record of the data breach (including the steps taken to notify individuals and any other relevant information).
What are reasonable steps to notify individuals?
The reasonable steps an organisation needs to take to notify individuals will depend on the circumstances of the data breach.
Organisations should consider the following when deciding what steps to take:
- how many individuals are affected by the data breach;
- how difficult it would be to notify the individuals affected;
- the kind of personal information involved in the data breach;
- whether the data breach is likely to cause serious harm to the individuals affected;
- any other relevant factors.
In some cases, it may be possible to notify all affected individuals directly (for example, by email).
In other cases, it may be necessary to use a more general method of notification, such as publishing a notice on the organisation’s website or in a newspaper.
What if an organisation cannot identify all of the individuals affected by a data breach?
If an organisation cannot identify all of the individuals affected by a data breach, it must take all reasonable steps to notify the individuals who are known to be affected.
The organisation should also take all reasonable steps to identify any other individuals who may have been affected by the data breach.
In both cases, the organisation should consider the factors listed above when deciding what steps to take.
What if an organisation cannot notify all affected individuals without undue delay?
If notifying all affected individuals would delay an organisation’s ability to take action to mitigate the effects of the data breach, the organisation may notify only those individuals whose personal information is at greatest risk of serious harm.
However, the organisation must still take all reasonable steps to identify and notify any other individuals who may have been affected by the data breach.
Are there any exceptions to the notification requirements?
Yes. There are three exceptions to the notification requirements:
- If the data breach is unlikely to cause serious harm to any individual, notification is not required.
- If the data breach is the result of an offence under the Privacy Act, notification is not required.
- If the data breach occurs in relation to personal information that has been de-identified in accordance with the Act, notification is not required.
The Commissioner will work with organisations to help them address the data breach and prevent future breaches. In some cases, the Commissioner may take enforcement action if an organisation has failed to take reasonable steps to protect personal information or has failed to notify the Commissioner or affected individuals of a data breach.