Half a year after the Privacy Act 2020 came into force, the Office of the Privacy Commissioner (OPC) has published a warning to organisations about their responsibilities under the new notifiable breach regime.
We’ve published several articles on how the Act changes New Zealand privacy law, including guidance on how businesses can work towards complying with the new regime. One of the key changes introduced by the Act is that an organisation must now notify the OPC of a notifiable privacy breach as soon as practicable after becoming aware that such a breach has occurred.
In May, the OPC published its first stocktake of privacy breach reporting which found that 33% of serious breaches were reported to the OPC within two days, and 54% were reported within five days. The OPC announced on 16 June in a blog post that, unless there are extenuating circumstances, the OPC’s view is that organisations must notify the OPC within 72 hours of the organisation becoming aware of the breach. The OPC also noted that it had issued warnings to organisations that had carried out internal investigations, or had tried to rectify the breach, before notifying the OPC.
This announcement highlights the importance of identifying and assessing privacy breaches early and being ready to respond swiftly. To achieve this, organisations should have a response plan in place for:
- Determining whether a privacy breach meets the threshold of ‘notifiable’ under the Act
- Notifying the breach in a format that complies with the Act
- Responding to and implementing the OPC’s directions on rectifying the breach and preventing similar breaches in the future
- Engaging the right people (both internally and externally) as soon as possible so that both legal compliance obligations and reputational risk can be managed effectively.
Failure to notify breaches when required to do so under the Act can lead to prosecution, which, if successful, can lead to a fine of up to NZ$10,000.