
When your business handles customers’ personal information, they expect you to do so with due diligence and care. The law also implies a set standard for how you manage that information and what you tell your customers when you collect it. Some personal information is quite sensitive and can be reputation-damaging in the wrong hands. Breaches of privacy are serious, and you could face severe consequences if you do not take adequate steps to prevent them and deal with their aftermath appropriately. To adequately prevent privacy breaches, you need to know what they may look like and how they may occur within your business. This article will go through what a breach of privacy is and how this relates to your business.

What Is a Breach of Privacy?

A privacy breach can occur in two ways, namely when:

  • an unauthorised person has accessed, misused, lost, shared, or destroyed personal information you hold; or
  • something is preventing you from accessing your databases that store customer personal information. This applies to both permanent and temporary breaches.

Personal information is any information that applies to an identifiable individual. This means that you can use this data to identify a living person. Such information would include:

  • names;
  • credit card details;
  • photos;
  • geolocation data;
  • email addresses; or
  • physical addresses.

Breaches of privacy can occur intentionally or as the result of an accident. They are more likely to occur if you do not have adequate security measures in place or appropriate workplace policies around handling customer privacy. Examples of potential privacy breaches include where you lose personal information through:

  • unknown third party access to your files;
  • stolen passwords;
  • losing a key to a filing cabinet with important customer information;
  • cyberattacks, such as a denial of service or malware attack;
  • lost devices with sensitive information on them; or
  • sending emails to the wrong person.

Privacy Breaches and Your Responsibility

If your business handles any personal information, you are an agency under New Zealand law. Therefore, you must comply with the standards the law sets for dealing with personal data. This includes disclosing necessary information to customers when collecting their personal data, such as their rights to access and correct that information. You also need to ensure you enact security measures that are adequate for the information you protect.

If there is a privacy breach within your business that is likely to cause someone serious harm or has already done so, you must notify any affected parties. You must also notify the Privacy Commissioner as soon as possible. If you do not comply with this reporting requirement, you can face financial penalties.

Serious harm can refer to:

  • violence or threats of violence;
  • loss of benefits or opportunities;
  • identity theft;
  • employment impacts, such as losing their job;
  • emotional harm;
  • reputational damage;
  • discrimination;
  • financial losses; or
  • threats of future harmful action.

How serious a breach is will depend on the context of the situation and the extent of the privacy impacts on the affected individual. This will determine whether you need to notify the Privacy Commission.

Interference With Customer Privacy

When you fail to meet your obligations under the Privacy Act as an agency, the law calls this an “interference with privacy”. Customers can complain to the Privacy Commission if they think you have breached any of the law’s privacy principles. They may do so if they find out that their information has fallen victim to a breach of privacy that you had not informed them about, or they do not think you handled the aftermath appropriately and caused them harm.

Not every privacy breach will qualify as an interference with privacy. It will depend on the facts of the situation and whether you did enough to meet your privacy law obligations. If a breach of privacy did not harm an individual, then it will not be an interference with their privacy.

However, there is an exception. When you hold their personal information, customers have a right to access their information and correct it if need be. In most cases, you have to comply with such a request. 

Despite this, if you can provide a justifiable reason for refusal, then you do not have to comply. Be careful with this because customers can still report to the Privacy Commission that you interfered with their privacy because you did not allow access to their information. If the Commission finds that your reason is legitimate, it will not be an interference.

For example, a legitimate reason may be that releasing that information would breach another person’s privacy, or they gave you the information in confidence. Therefore, you cannot allow access to it.

Key Takeaways

A breach of privacy refers to when an unauthorised person has accessed, misused, or shared personal information that your business holds. It may also refer to when something (or someone) stops you from accessing this personal information. Be sure to note the difference between this and interference with privacy, which a customer can complain about if they think you have breached privacy law. If you would like more information or help with a privacy breach at your business, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570.

Frequently Asked Questions

What is personal information?

Personal information is any information about an identifiable individual. This means that you can use the information to identify a living person. Examples include names, images, or email addresses.

What is a breach of privacy?

A breach of privacy is a broad term but generally refers to an instance at your business where personal information you hold was compromised. This could mean that an unauthorised person has accessed or misused that personal information.

What is an interference with privacy?

An interference with privacy is a legal term that means you have breached one of the principles of the Privacy Act and caused harm to an individual in doing so. Your customers can complain to the Privacy Commission if they think you have interfered with their privacy.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
