The Privacy Act 2020 (Act) is now more than six months old. Under the Act, organisations must report serious privacy breaches to the Office of the Privacy Commissioner (OPC) – predictably, this has resulted in a large increase in the number of privacy breaches being reported.
This update runs through the types of breaches that have been reported so far, and new guidance issued by the OPC in relation to breach reporting.
BREACH NOTIFICATIONS SO FAR - KEY PATTERNS
In May, the OPC published this breach notification infographic, analysing the serious privacy breaches notified to the OPC during the first four months of the Act. The key patterns identified are:
- Reported breaches have almost doubled following the introduction of the Act, with 76 serious privacy breaches notified in the first four months of the Act.
- Email error was the most common type of privacy breach reported, making up 25% of all reported breaches. It was closely followed by unauthorised sharing of personal information (21%).
- Notification of individuals – only 65% of serious breaches reported to the OPC had also been notified to individuals at the time of reporting. The OPC has commented that as the grounds for not notifying individuals are narrow, they will be looking into this further.
OPC GUIDANCE ON BREACH REPORTING
The OPC recently published an article on privacy breaches, in which they said they were now taking a “more proactive approach” to remind and warn organisations about their responsibilities.
The OPC criticised the time it was taking some organisations to notify breaches, and said that, unless there were “extenuating circumstances”, a serious privacy breach should be reported within 72 hours of the organisation becoming aware of it.
There are simple practical steps you can take to minimise your risk of a serious privacy breach and ensure that you report any notifiable breaches promptly:
- Email: Double-check the recipient and attachments before sending, to ensure they are correct. Use the “BCC” function where appropriate.
- Security: Restrict access to personal information to only those people who need to see it.
- Educate: Educate your staff on privacy. This will help prevent breaches from occurring, and increase your likelihood of identifying and responding to a privacy breach quickly.
- Response Plan: Have a privacy breach response plan in place – so you are ready to respond if a breach occurs.
- Audit: Audit your privacy practices using our “Privacy Warrant of Fitness”, available here.
If you have any questions about privacy, or would like our help to comply with the Act, please get in touch.