Yesterday, the Office of the Privacy Commissioner (OPC) published a blog post on its enforcement actions in relation to the privacy breach notification scheme. As tends to be the case with most of the OPC's publications, it is helpful for businesses because:
it acts as a reminder of the need to notify, and when to notify, when there has been a notifiable privacy breach; and
it gives an indication that, while the OPC has so far engaged constructively with agencies that may have failed to meet their notification obligations, it is likely to start using its enforcement powers before long.
Consistent with our own experience, the blog post makes it evident that:
Some agencies have been taking an aggressive approach when deciding that a privacy breach is not notifiable. This is despite the Privacy Commissioner (Commissioner) having indicated that many businesses over-report, notifying breaches that do not meet the notifiable threshold.
The OPC has been proactively contacting agencies about their obligations to notify the Commissioner of notifiable privacy breaches, including if they have been victims of a cyber-attack.
Agencies have been warned not only about their privacy breaches but also about their failure to notify the Commissioner as soon as practicable where those breaches were notifiable. What is "as soon as practicable" will depend on the circumstances, but waiting weeks, or even months, is not acceptable.
While the OPC decided not to prosecute the failures to notify the Commissioner as soon as practicable, it indicated to the agencies that it may take further steps if non-compliance continues. This should act as a warning to all agencies.
We consider that the OPC's blog post is a timely reminder, more than six months on from the introduction of the privacy breach notification scheme, that the OPC has a range of enforcement powers under the Privacy Act 2020 (Act). This includes issuing compliance notices for breaches of the Act (which can be enforced by taking enforcement proceedings in the Human Rights Review Tribunal) and bringing a prosecution for failure to notify the Commissioner (which is punishable by a fine of up to $10,000).
While the OPC's enforcement responses have been low level so far, its blog post suggests that the past six months have been an adjustment period. Agencies are now expected to have their systems for managing privacy breaches and complying with the Act in place, and the OPC will be considering higher-level enforcement responses where they do not.
What is a notifiable privacy breach?
A privacy breach means (i) unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information; or (ii) an action that prevents an agency from accessing personal information either temporarily or permanently.
A notifiable privacy breach is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual (or individuals) or is likely to do so. The Act sets out mandatory factors that an agency must consider when assessing whether a privacy breach is likely to cause serious harm, including any action taken to reduce the risk of harm, whether the personal information is sensitive, the nature of the harm that may be caused, who has obtained or may obtain the information (if known), whether the information was protected by a security measure, and any other relevant matters.
What is the obligation to notify the Commissioner?
The Commissioner must be notified as soon as practicable after an agency becomes aware that a notifiable privacy breach has occurred. The OPC considers that, unless there are extenuating circumstances, such notification should be within 72 hours.
There is also an obligation to notify the affected individual(s) of the notifiable privacy breach or give public notice of the notifiable privacy breach if it is not reasonably practicable to notify the affected individual(s).
If you have any questions about the notifiable privacy breach scheme, the obligations under the Act or how they relate to you, please contact one of our experts.