The new Act introduces a privacy breach notification regime. If you have a breach that has caused, or is likely to cause, “serious harm” you need to notify the Office of the Privacy Commissioner (OPC) and any affected individuals as soon as possible.
The term “serious harm” is not defined, but the Act does set out factors to consider in deciding whether a breach may cause “serious harm”, such as whether the information is sensitive in nature and whether the person or organisation that has obtained the information may be able to obtain further personal information as a result of the breach.
Note that it is the organisation, not any individual employee, that will be liable for failing to notify a breach. We suggest you make sure that every party you disclose personal information to is required to notify you immediately of any privacy breach, so that you can assess whether the breach must be notified and take steps to contain it.
A new privacy principle 12 has been added by the Act to regulate the way personal information is sent overseas. Personal information may only be disclosed to an agency outside New Zealand if the receiving agency is subject to safeguards similar to those in New Zealand. If the overseas country does not offer similar protections, the disclosure may only occur if the individual concerned is informed that their information may not be adequately protected and expressly authorises the disclosure. Accordingly, please consider whether you disclose personal information to any organisation outside New Zealand.
Privacy principle 1 has been clarified to ensure that organisations do not collect identifying information from people when it is not necessary.
If your organisation does not already have a privacy officer, you should appoint one. That can be you or an employee. You should have policies setting out how personal information is collected, stored and disclosed. You should also have a privacy breach response plan outlining what you will do in the event of a privacy breach that has caused, or may cause, “serious harm”.
The OPC’s website contains further information, including e-learning modules and podcasts.
We are happy to advise you further regarding privacy matters if you wish.