The Privacy Act 2020 (Act) is now more than six months old. Under the Act, organisations must report serious privacy breaches to the Office of the Privacy Commissioner (OPC) – predictably, this has resulted in a large increase in the number of privacy breaches being reported.
This update runs through the types of breaches that have been reported so far, and new guidance issued by the OPC in relation to breach reporting.
BREACH NOTIFICATIONS SO FAR – KEY PATTERNS
In May, the OPC published a breach notification infographic analysing the serious privacy breaches notified to the OPC during the first four months of the Act. The key patterns identified are:
- Reported breaches have almost doubled following the introduction of the Act, with 76 serious privacy breaches notified in the first four months of the Act.
- Email error was the most common type of privacy breach reported, making up 25% of all reported breaches. It was closely followed by unauthorised sharing of personal information (21%).
- Notification of individuals – only 65% of serious breaches reported to the OPC had also been notified to the affected individuals at the time of reporting. The OPC has commented that, as the grounds for not notifying individuals are narrow, it will be looking into this further.
OPC GUIDANCE ON BREACH REPORTING
The OPC recently published an article on privacy breaches, in which it said it was now taking a “more proactive approach” to reminding and warning organisations about their responsibilities.
The OPC criticised the time it was taking some organisations to notify breaches, and said that, unless there were “extenuating circumstances”, a serious privacy breach should be reported within 72 hours of the organisation becoming aware of it.