Data breaches in New Zealand: You told what, to who?
18 Nov 2016
In an increasingly online world we are sharing and disclosing more and more online and that information is being held digitally. There are frequent examples in the news of leaks and data breaches. This article looks at this issue in detail and examines what the legal requirements are in this area. Understanding what to do when there are data breaches is vital in these times when it is an increasingly common event.
So you’ve had a Data Breach. What are you legally required to do?
In New Zealand there is no legal obligation to notify affected individuals or other bodies about a data breach. Even so, there may be commercial and reputational reasons why you would want to take action right away in the event of data breaches. If you do not take immediate action you are likely to have a large amount of criticism directed your way. By contrast, responding in a proactive way may transform the data breach from a disaster into a positive public relations story.
Privacy Commissioner view: The recommended position
There is no legal obligation to notify affected individuals or other bodies, but the Privacy Act 1993 does set out information privacy principles. Five of these principles require all agencies that hold personal information to take reasonable steps to protect that information. An individual could complain to the Privacy Commissioner about any information leak or other conduct which breaches any of the information privacy principles. Following the process outlined by the Office of the New Zealand Privacy Commission (below) may help to show that you have complied with these principles.
Organisations are encouraged by the Office of the New Zealand Privacy Commission to adhere to their Privacy Breach Checklist and guidance material.
The Checklist suggests four key steps in responding to a privacy breach:
- Breach containment and preliminary assessment – immediately take steps to stop the breach from continuing, and undertake a preliminary assessment to identify who needs to be contacted, whether the police need to be involved, what needs to happen next, and so on;
- Evaluation of the risks associated with the breach – what personal information was involved, what caused the breach, what is its extent, who has been affected, and what harm could result from it;
- Notification – decide who to notify, when to notify, how to notify, and what information should be provided in the notification; and
- Prevention – investigate the cause and put a prevention plan in place to reduce the possibility of a recurrence.
It is important to note that while this is the current position, it will likely soon change and follow the lead of other jurisdictions. The Law Commission has made a number of recommendations for updating the Privacy Act, including provisions making it mandatory to notify data breaches. It is likely that an exposure draft of the new Privacy Bill will be released before the end of 2016, prior to its introduction to Parliament in 2017. We will monitor this situation closely and provide updates from time to time as new information emerges.
John Edwards, Privacy Commissioner, has commented that he expects there to be a two-tiered system in the future which would mean an organisation would need to notify the Office of the New Zealand Privacy Commission once it becomes aware of a data breach. The Privacy Commissioner would then decide whether a general alert should go out to customers.
If you have any questions about this topic please contact us and we would be happy to discuss further.
For other articles see: http://www.parryfield.com/resources/articles/