Ahead of the introduction of the Privacy Act 2020 (Act) on 1 December, the Office of the Privacy Commissioner (OPC) has this week launched its “NotifyUs” tool. The tool is designed to assist organisations with one of the key changes under the Act – the requirement to notify the OPC of certain data breaches.
This fact sheet gives an overview of the new breach reporting requirements and how you can prepare for them.
WHAT IS CHANGING?
From 1 December, if your organisation suffers a privacy breach that causes (or may cause) serious harm, you will need to report that breach to the OPC as soon as possible. You may be fined up to $10,000 if you fail to report a breach.
HOW DO YOU PREPARE?
You should make yourself familiar with the “NotifyUs” tool and the other guidance on privacy breaches published on the OPC website. A useful exercise is to consider the kinds of privacy breach most likely to affect your organisation and use the tool to work through simulated breach scenarios. You can use the NotifyUs tool to do this without reporting any information to the OPC.
Your organisation will need to have policies in place to ensure that you are able to identify, manage, assess and (if necessary) report a privacy breach. The information below provides an overview of this process.
Identify the breach:
The first step is identifying the breach. If your staff have knowledge of your obligations under the Act, and feel comfortable approaching their manager or your Privacy Officer, then you are more likely to be able to identify a breach early. Your policy should clearly specify to whom breaches should be reported, and an escalation path for managing the breach.
Manage the breach:
You will need to assess what has happened, who has or may have access to the personal information, and what steps can be taken to retrieve or secure the information. For example, if the breach has occurred as a result of a website vulnerability, take the affected website or service offline until the vulnerability has been fixed, while preserving the logs and other records you will need to establish what information was accessed and by whom.
Address the breach:
You will then need to consider the harm that has occurred (or is likely to occur) to the individuals whose data has been breached, and whether the Privacy Commissioner and the individuals involved need to be notified under the Act. The OPC’s tool “NotifyUs” will help with this. The tool asks you to consider:
- how sensitive the information is;
- who has obtained or may obtain the information;
- what types of harm might be caused (e.g. emotional, financial) and how severe they would be;
- how likely it is that harm will occur;
- what you have done to reduce the harm; and
- whether anyone is at immediate risk of physical, financial or psychological harm.
Notify the breach:
If the data breach has caused serious harm, or is likely to do so, you will need to report the breach to the OPC and (in most cases) the affected individuals.
Notification must be made as soon as practicable after you become aware that a notifiable breach has occurred. In some circumstances you can delay notification to individuals.
Learn from the breach:
All breaches (or near misses) should be assessed internally to see if your organisation can learn from them, so that future breaches can be avoided if possible.
Please contact us if you would like assistance with compliance with the new privacy legislation.