Privacy breach reporting

This update runs through the types of breaches that have been reported so far under the Privacy Act 2020, and new guidance issued by the OPC in relation to breach reporting.

Published on 30 Aug, 2021

The Privacy Act 2020 (Act) is now more than six months old. Under the Act, organisations must report serious privacy breaches to the Office of the Privacy Commissioner (OPC) – predictably, this has resulted in a large increase in the number of privacy breaches being reported. 

This update runs through the types of breaches that have been reported so far, and new guidance issued by the OPC in relation to breach reporting.

BREACH NOTIFICATIONS SO FAR – KEY PATTERNS 

In May, the OPC published this breach notification infographic, analysing the serious privacy breaches notified to the OPC during the first four months of the Act. The key patterns identified are:

  • Reported breaches have almost doubled following the introduction of the Act, with 76 serious privacy breaches notified in the first four months of the Act.
  • Email error was the most common type of privacy breach reported, making up 25% of all reported breaches. It was closely followed by unauthorised sharing of personal information (21%).
  • Notification of individuals – only 65% of serious breaches reported to the OPC had also been notified to the affected individuals at the time of reporting. The OPC has commented that, as the grounds for not notifying individuals are narrow, it will be looking into this further.

OPC GUIDANCE ON BREACH REPORTING 

The OPC recently published an article on privacy breaches, in which they said they were now taking a “more proactive approach” to remind and warn organisations about their responsibilities.

The OPC criticised the time it was taking some organisations to notify breaches, and said that, unless there were “extenuating circumstances”, a serious privacy breach should be reported within 72 hours of the organisation becoming aware of it.

KEY TAKEAWAYS

There are simple practical steps you can take to minimise your risk of a serious privacy breach and ensure that you report any notifiable breaches promptly:

  • Email: double check the recipient and attachments before sending, to ensure they are correct. Use the “BCC” function where appropriate.
  • Security: restrict access to personal information to only those people who need to see it.
  • Educate: educate your staff on privacy. This will help prevent breaches occurring, and increase your likelihood of identifying and responding to a privacy breach quickly.
  • Response Plan: have a privacy breach response plan in place – so you are ready to respond if a breach occurs.
  • Audit: audit your privacy practices using our “Privacy Warrant of Fitness”, available here.

If you have any questions about privacy, or would like our help to comply with the Act, please get in touch.

Disclaimer: The information contained in this publication is of a general nature and is not intended as legal advice. It is important that you seek legal advice that is specific to your circumstances.