Introduction to the Privacy Bill 2018 – mandatory reporting of privacy breaches
By: Bethany Entwistle
Published: 6/12/2018
The highly anticipated Privacy Bill (the Bill) was introduced to Parliament in March 2018 and is due to come into effect in July 2019. It will replace the Privacy Act 1993 and aims to bring New Zealand’s privacy law framework up to date with the digital society we live in. The reform also brings New Zealand in line with international laws, including the European General Data Protection Regulation (the GDPR).

Mandatory reporting of privacy breaches

A key change introduced by the Bill is the mandatory requirement to notify a privacy breach to the New Zealand Privacy Commissioner (the Commissioner) and the individual affected, reflecting the reporting process under the GDPR.

Clause 118 of the Bill provides that an agency must notify the Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred. An agency must notify any affected individuals or give public notification where a privacy breach has caused, or is at risk of causing, real harm.[1] “Harm” can include loss, detriment or damage to an individual; an adverse effect on the rights, benefits, privileges, obligations or interests of the individual; or humiliation, loss of dignity or injury to feelings.

Under the Bill, a “privacy breach” means:[2]
  • Any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
  • An action that prevents the agency from accessing the information on either a temporary or permanent basis.

Some examples might include:
  • Inadvertently seeing information;
  • Inadvertently sending information to the wrong person (often caused by autocompletion);
  • A device containing customers’ personal information is lost or stolen;
  • A database containing personal information is hacked;
  • Disposal of confidential papers incorrectly;
  • Sharing of passwords; and
  • Sharing data via USB.

Notification requirements

Where notification is required, the agency must inform the Commissioner of the following (inter alia):[3]
  1. The number of affected individuals (if known);
  2. The identity of any person or body the agency suspects may be in possession of personal information as a result of the privacy breach (if known);
  3. The steps taken or intended to be taken in response to the breach, including whether any affected individual has been or will be contacted;
  4. The names of any other agencies that the agency has contacted about the breach and the reasons; and
  5. Details of a contact person within the agency for inquiries (usually the Data Protection Officer).

An agency is required to notify the affected individual of the same matters but must also confirm that the Commissioner has been notified and inform the individual of his or her right to make a complaint to the Commissioner.[4]

Failure to comply with these requirements could result in a fine of up to $10,000.[5] Individuals may also have recourse to the Human Rights Tribunal for damages, on the basis of an interference with their privacy.

What does this mean for you?

To ensure compliance, we recommend that all agencies:
  1. Keep records of where information is stored, who has access to it, when it is shared and with whom;
  2. Implement a Data Protection Officer who has the responsibility to deal with privacy breaches when they arise and to carry out the notification process;
  3. Provide internal training for staff to ensure they are aware of their privacy obligations;
  4. Maintain watertight security systems; and
  5. Implement internal and external privacy policies.

If you need assistance reviewing your company's privacy policy and practices, or reporting processes, the experienced team at Wynn Williams is here to help.
 
[1] Privacy Bill 2018, clause 119.
[2] Clause 117.
[3] Clause 121.
[4] Clause 121.
[5] Clause 122. Note this penalty is low compared to that under the GDPR (up to €20 million).