Notifications for a privacy breach have increased nearly four-fold since the new Privacy Act 2019 came into force on 1 December 2020. In the period 1 December 2020 to 30 November 2021, 750 privacy breach notifications were received by the Office of the Privacy Commissioner (OPC). One-third of those cases met the threshold for serious harm.
The new legislation makes it mandatory to notify the OPC of privacy breaches that have caused, or have the potential to cause, serious harm to people.
Failure to report a serious breach can result in a Compliance Notice being issued, public notification of the breach and/or a fine of up to $10,000.
Privacy breaches can cause real harm to people. In the serious breach category in the above 12-month period, 36% of serious breaches involved emotional harm, 14% reputational harm and 13% identity theft. Other harms were classified as financial harm, threats of harm and so on.
Take great care with personal information
Human error causes the majority of reported serious breaches. Human error includes accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, and postal and courier errors.
Email error accounts for over a quarter of all reported serious privacy breaches. The OPC recommends that every organisation have good systems and processes for electronic communications. Emailers should:
- Use the BCC option when sending to multiple recipients
- Double-check attachments are correct, and
- Have a send delay.
Senders should always check their email draft very carefully when including any sort of personal information. It is also useful to ask a colleague to do a fresh-pair-of-eyes review of any draft email that includes personal information.
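The first two points above (use BCC for group sends, double-check attachments) can be enforced by a pre-send check rather than left to memory. The following is an added example, not code from the OPC or the original article; it parses a constructed draft with Python's standard `email` module and returns warnings when multiple organisations are exposed to each other in To/Cc or when the attached files differ from the ones the sender intended (the `expected_attachments` parameter is an assumption of this example).

```python
"""Pre-send checks for an outgoing email draft, mirroring the OPC advice:
use BCC for multiple recipients and double-check attachments.
Example code added to this page; not from the OPC or the article."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample draft: two recipients from different organisations
# in To, and an attachment the sender did not mean to include.
DRAFT = """From: clerk@example.org
To: a@example.com, b@other.example
Subject: Your records
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/pdf; name="client-list.pdf"
Content-Disposition: attachment; filename="client-list.pdf"

%PDF-1.4 placeholder
--b1--
"""


def recipients(msg, header):
    """Return the addresses found in a header (empty list if absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]


def attachment_names(msg):
    """Return the filenames of every attachment part in the message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def check_draft(raw, expected_attachments=()):
    """Return a list of warnings; an empty list means the draft passes."""
    msg = message_from_string(raw)
    warnings = []
    visible = recipients(msg, "To") + recipients(msg, "Cc")
    domains = {a.rsplit("@", 1)[-1].lower() for a in visible}
    # Rule 1: recipients from different organisations can see each other's
    # addresses unless they are moved to Bcc.
    if len(visible) > 1 and len(domains) > 1:
        warnings.append(f"{len(visible)} recipients across {len(domains)} domains in To/Cc; use Bcc")
    # Rule 2: the attachments must be exactly the ones the sender intended.
    found = attachment_names(msg)
    missing = [n for n in expected_attachments if n not in found]
    unexpected = [n for n in found if n not in expected_attachments]
    if missing:
        warnings.append(f"expected attachment(s) missing: {missing}")
    if unexpected:
        warnings.append(f"unexpected attachment(s): {unexpected}")
    return warnings
```

Wiring `check_draft` into a send delay (the third point above) means the warnings are shown while the message can still be recalled.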
Privacy breaches occur in the public and private sectors, as well as in not-for-profits; all three sectors store some form of personal information such as health care and social assistance data.
To read more about privacy breaches in the first 12 months of the new legislation, go to the OPC’s website, www.privacy.org.nz, and search for privacy breach reporting.
If you want to report a serious privacy breach, or are unsure whether your potential breach meets the threshold for notifying the OPC, use the anonymous self-assessment tool to help you decide. Go to www.privacy.org.nz and click on the NotifyUs button.