Notifiable privacy breaches

Keeping up-to-date with the latest terms in The Privacy Act 2020 means that you could avoid a potential privacy breach in your workplace, or with a customer. Here’s what you need to know.

The Privacy Act 2020 (the Act) introduced the new concept of a “notifiable privacy breach”. This term is defined in the Act as follows:

notifiable privacy breach—

(a) means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so (see section 113 for factors that must be considered by an agency when assessing whether a privacy breach is likely to cause serious harm); but

(b) does not include a privacy breach if the personal information that is the subject of the breach is held by an agency who is an individual and the information is held solely for the purposes of, or in connection with, the individual’s personal or domestic affairs.

A “privacy breach” is also defined in the Act. Under section 115 of the Act, an agency (which will usually include an employer) must notify an affected individual or give public notice of a notifiable privacy breach (if it is not reasonably practicable to notify an affected individual/s). There are some limited exceptions to these requirements.

We have been involved in having to assist clients to notify privacy breaches under the Act. One important factor is to comply with the specific requirements for notification under the Act. For a notification to the Privacy Commissioner, the requirements are as follows (under section 117 of the Act):

(1) A notification to the Commissioner under section 114 must—

(a) describe the notifiable privacy breach, including—

(i) the number of affected individuals (if known); and

(ii) the identity of any person or body that the agency suspects may be in possession of personal information as a result of the privacy breach (if known); and

(b) explain the steps that the agency has taken or intends to take in response to the privacy breach, including whether any affected individual has been or will be contacted; and

(c) if the agency is relying on section 115(2) to give public notice of the breach, set out the reasons for relying on that section; and

(d) if the agency is relying on an exception, or is delaying notifying an affected individual or giving public notice, under section 116, state the exception relied on and set out the reasons for relying on it or state the reasons why a delay is needed and the expected period of delay; and

(e) state the names or give a general description of any other agencies that the agency has contacted about the privacy breach and the reasons for having done so; and

(f) give details of a contact person within the agency for inquiries.

There are other notification requirements under section 117 for notification to an affected individual.

It is an offence to fail to notify a notifiable privacy breach.

The key message is that, if there is a privacy breach or potential privacy breach within your workplace (which may include a breach involving you as employer, another employee, a customer, or another third party), seek legal advice to ensure that you comply with the new notification obligations.

The sections mentioned in this article can be viewed in full in the Privacy Act 2020 at www.legislation.govt.nz.

Danny Jacobson and Trudy Marshall are Partners at Employment Lawyers Tauranga and they specialise exclusively in employment law. They operate our Employment Helpline for NZCB members: phone 07 928 0529 for 10 minutes' free advice on any employment-related issue. (The above is by its nature general, and is not intended to be a substitute for legal advice.)
