New Privacy Law: Mandatory Breach Reporting – what does it mean for NZ businesses?
It's not surprising that privacy rights are falling into sharper focus for lawmakers around the world.
Regulators simply have not kept pace with the exponential rise of technology and its steady intrusion on individual privacy rights.
2018 headlines were dominated by Europe's sweeping changes to privacy law, embodied in the European Union's General Data Protection Regulation or "GDPR". The GDPR even got some attention in New Zealand, among businesses that have a presence in the EU or deal with information from EU residents.
2019 marks the biggest shake-up to New Zealand's privacy laws since the Privacy Act was passed in 1993. These changes introduce a markedly different regime – one that demands a much more proactive approach to privacy compliance – and introduces new penalties for getting it wrong.
Arguably the single biggest change is mandatory breach reporting.
Currently, our Privacy Act does not say anything specific about breach notification. Information privacy principle 5 requires all agencies (in both the public and private sector) that hold personal information to take reasonable steps to protect that information – conceivably, there might be circumstances where notification might be part of those reasonable steps, but this is left to the agency to decide.
The proposed new law will make it mandatory to report notifiable privacy breaches.
If your business already operates in Australia, you'll be aware of the implications of such rules. This article explains and explores the challenges ahead for your New Zealand operations.
What is mandatory breach reporting?
Privacy breaches are often the unintended consequence of simple human error.
But no matter what the cause, if a notifiable privacy breach occurs, your business must notify both the Privacy Commissioner and the people affected as soon as practicable after becoming aware that the breach has occurred. And if it is not reasonably practicable to notify the affected individuals directly, you must instead notify them indirectly by giving public notice of the privacy breach – such as in newspapers or other media channels that are likely to reach the affected individuals.
The content of a notification would typically include information about the breach (such as when it happened), a description of what personal information was leaked, what steps the person can take to further protect themselves, contact details within your business where questions or requests for information may be directed, and so on.
The duty to report your business's mismanagement of customer information (particularly by public notice) is the stuff of PR nightmares. So it's very important to understand what sort of breaches need to be reported, and how to manage the reporting process.
What is a notifiable privacy breach?
The notifiable privacy breaches are not necessarily those that breach the familiar Information Privacy Principles. Rather, there is a short list of actions that are considered sufficiently harmful to require you to notify the Privacy Commissioner and the people affected – namely, where the action of your business:
has caused, or may cause, loss, detriment, damage, or injury to the individual; or
has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations, or interests of the individual; or
has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.
This is not an especially high bar, nor a clear one for that matter. Nearly every privacy breach could "adversely affect… the rights… or interests of the individual" in some way.
And, importantly, your business will need to consider the views of each individual – as to whether he or she might feel that they've suffered a loss or detriment or humiliation, or their rights or interests have been adversely affected.
Unless the bar is raised as the Privacy Bill progresses through its second or third reading, arguably almost all privacy breaches will be notifiable.
As you can well imagine, it's highly likely that there will be over-reporting of such things as the new law beds in – especially when the alternative is a fine (even if the business has taken steps to address the privacy breach).
What privacy breaches will you not need to notify?
Even if you find your business caught up in one of the notifiable breach triggers, there are a few exceptions that may be a useful way to avoid over-reporting.
The exceptions cover:
prejudice to New Zealand security or defence;
prejudice to the maintenance of the law by a public sector agency;
endangering the safety of any person;
revealing a trade secret;
individuals under the age of 16 (where the business determines that notification or public notice would be contrary to that person's interests); and
prejudice to the physical or mental health of an individual (but only where the business has consulted with the individual's health practitioner to form that view).
For most circumstances, these exceptions will not be that useful. And, even if an exception applies, your business will still need to take certain steps – including notifying the Privacy Commissioner.
The GDPR is much clearer
The mandatory breach reporting regime under Europe's GDPR is much clearer.
The GDPR narrows the circumstances in which individuals must be notified of a privacy breach. Essentially, the breach must be likely to result in a high risk to the rights and freedoms of those individuals.
The types of risks envisaged by the phrase "rights and freedoms" include discrimination, identity theft, fraud, financial loss and damage to reputation or confidentiality – a much narrower focus than our Privacy Bill.
In addition, the GDPR's more useful exceptions mean that businesses do not need to notify individuals where:
appropriate technical and organisational protection measures (such as encryption) had been applied to the personal information affected by the breach;
measures were taken such that the high risk to those individuals is no longer likely to materialise; or
it would involve disproportionate effort.
How to approach compliance
Mandatory breach reporting will be central to our new privacy laws and deserves your close attention if your business holds or processes personal information.
From a practical perspective, mandatory breach reporting means:
establishing or strengthening roles and reporting lines to proactively manage privacy compliance (moving away from the previous "set and forget" mentality);
updating (or implementing) new policies and procedures, to ensure appropriate responses to privacy breaches – especially notifiable breaches;
investing in technology that helps to streamline data flows and improve security, so as to minimise the likelihood of privacy breaches; and
refining practices as the law develops.
It's not too early to start. There are useful steps you can take in preparation for the new law, and our privacy law experts are here to help you.
Michael leads our IP and Technology teams and is one of the first lawyers in New Zealand to attain the Practitioner Certificate in Data Protection (PC.dp) – the world's leading practical qualification on the European Union's General Data Protection Regulation (GDPR).