New Zealand Privacy Commissioner launches a privacy breach reporting tool

October 21, 2020

New Zealand has come even later than Australia to mandatory data breach reporting. Its legislation comes into effect on 1 December 2020. The New Zealand Privacy Act 2020 is, like Australia’s, far from the gold standard. But New Zealand does have a tort of interference with privacy, which puts it well ahead of Australia.

Determining whether a data breach is notifiable can be a difficult weighing exercise under both the Australian and New Zealand legislation. Both Acts use serious harm as the threshold but provide no definition of what that is. In the New Zealand Act the process involves considering the quite general factors in section 113, which provides:

Assessment of likelihood of serious harm being caused by privacy breach
When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:

(a) any action taken by the agency to reduce the risk of harm following the breach:

(b) whether the personal information is sensitive in nature:

(c) the nature of the harm that may be caused to affected individuals:

(d) the person or body that has obtained or may obtain personal information as a result of the breach (if known):

(e) whether the personal information is protected by a security measure:

(f) any other relevant matters.

Mandatory data breach notification is a complicated process. The Privacy Commissioner has issued an online tool to help businesses assess whether a privacy breach is notifiable. That is quite a useful tool.

The Commissioner’s media release provides:

The Office of the Privacy Commissioner (OPC) has today launched NotifyUs—a new online tool enabling businesses and organisations to easily assess whether a privacy breach is notifiable.

Under the Privacy Act 2020—which comes into effect on 1 December—it will be mandatory for organisations to notify OPC if a privacy breach has caused, or is likely to cause, serious harm. Businesses and organisations which fail to report a notifiable privacy breach to OPC may receive fines of up to $10,000.

Privacy Commissioner John Edwards says NotifyUs will help organisations determine whether a breach has caused, or could cause, serious harm, and guide them through the reporting process.

“We want the privacy breach pre-assessment and reporting process to be straightforward,” says Mr Edwards. “NotifyUs has undergone extensive testing ahead of today’s launch to ensure the guidance is clear and easy to follow. I encourage people to use it in advance of the new legislation taking effect on 1 December.”

Visit NotifyUs.

Explore OPC’s new resources on privacy breach reporting, including a short e-learning module and breach reporting brochure.

What is serious harm?

The unwanted sharing, exposure or loss of access to people’s personal information may cause individuals or groups serious harm. Some information is more sensitive than others and therefore more likely to cause people serious harm.

Examples of serious harm include:

• Physical harm or intimidation
• Financial fraud including unauthorised credit card transactions or credit fraud
• Family violence
• Psychological or emotional harm