
If your business handles customers’ personal information, such as their addresses or financial details, then you are an ‘agency’ under New Zealand privacy law and have certain responsibilities for how you handle that information. One of these responsibilities is managing privacy breaches and reporting them when required. You must notify the Privacy Commissioner of a privacy breach that has caused, or is likely to cause, serious harm. Depending on the nature of the breach, you must notify the affected individuals as well. This article explains:

  • what a privacy breach looks like; and 
  • when a privacy breach is serious enough that you need to report.

What Is a Privacy Breach?

As an entity that deals with personal information (which is any information about an identifiable individual), certain rules apply to how you collect, store and use that information.

One of these rules applies when something goes wrong at your business and someone’s privacy has been breached.

A privacy breach can take either of the two forms set out below.

Confidentiality or Integrity Breach

Where personal information has been accessed, disclosed, altered, lost or destroyed without authorisation, or accidentally. A breach does not require a malicious attacker: an employee emailing a spreadsheet of customer records to the wrong recipient is a privacy breach just as much as an external intrusion is.

Availability Breach

Where something (or someone) temporarily or permanently prevents you from accessing the personal information you hold, such as a ransomware attack that encrypts your records. Treat ransomware as a possible confidentiality breach as well: many ransomware operators copy data before encrypting it, so assume the information may also have been disclosed unless your investigation shows otherwise.

This does not just apply to digital databases.

For example, say that you have lost the key to the filing cabinet that holds sensitive client information. You cannot access the personal information you have stored, and there is a risk that an unauthorised person who finds the key can. This would be a privacy breach.

When Do I Have to Report a Breach?

You do not have to report every privacy breach. However, reporting a privacy breach is mandatory when you have a reasonable belief that it:

  • has caused serious harm to an individual; or
  • is likely to do so. 

A ‘reasonable belief’ means an objective judgement based on the facts before you, made from the point of view of a reasonable person in your position as a business rather than from the point of view of the person affected.

For example, the affected person may consider the reputational harm caused by a privacy breach to be more serious than a reasonable person would. You have to assess the breach from the reasonable person’s point of view.

Determining How Harmful a Breach Is

You should only report a privacy breach at your business if you think it is likely to cause serious harm, or already has. Harm would be something that negatively impacts the person involved, such as:

  • discriminatory harm;
  • employment harm (for example, losing their job);
  • identity theft;
  • emotional harm;
  • loss of benefits or opportunity (for example, losing the chance to bring a case to court);
  • financial losses;
  • violence, or threats of violence; or
  • threats of further harm.

For example, if an unauthorised person accesses identifying client details, they could use that information to commit identity theft. That is a kind of harm.

If a privacy breach at your business has caused harm (or is likely to), you have to make a judgement call about how serious it is. The Office of the Privacy Commissioner has a self-assessment tool on its website (NotifyUs) that can help. When making this judgement, consider the following.

Type of Information

How sensitive the information is, what it might reveal about the person, and how easily whoever has it can read it. For example, was it password protected?

Information Recipient

Who holds the information now? Is it an unknown, unauthorised person or a trusted organisation?

Types of Potential Harm

What kind of harm could result from this breach? For example, physical harm may be more serious than reputational harm, depending on the context.

Cause and Extent of Breach

How widespread is the breach, what caused it, and how long has it been going on?

Actions Already Taken

What have you already done to remedy the breach? Is information still at risk?

Security

How well protected was the information? Was it password-protected and encrypted? Encryption only reduces the likelihood of harm if the key or password was not exposed in the same breach; encrypted records taken together with their key are as good as plaintext. The more extensive the security measures that were defeated, the less likely the breach was an idle mistake and the more likely it was deliberate.

Who Do I Have to Notify?

If you have determined that the privacy breach is likely to cause serious harm, then you must notify the Privacy Commissioner as soon as practicable after becoming aware of it. You can do this through the Commissioner’s website. You should also tell your business’ privacy officer and any contracted parties that are affected, such as your supplier or manufacturer.

In most cases, you should also notify the affected individuals, so that they can take steps to protect themselves, such as changing a password or checking their bank activity. However, you may not need to notify them where doing so would:

  • reveal a trade secret;
  • cause more harm to the individual than the breach itself;
  • put the individual’s health or safety at risk;
  • risk New Zealand’s security or defence;
  • breach your other legal or contractual obligations; or
  • interfere with other legal processes, such as a public-sector organisation’s investigation.

Key Takeaways

You should notify the Privacy Commissioner, and the affected individuals (where appropriate), where you reasonably believe a privacy breach at your business is likely to cause serious harm (or already has). If you would like more information or help with your business’ privacy breach notification process, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is a privacy breach?

A privacy breach is when personal information you hold has been compromised. This could be through an unauthorised person accessing, disclosing, altering, losing or destroying the information, or through something preventing you from accessing it.

What makes a privacy breach notifiable?

A privacy breach is notifiable when you reasonably believe it is likely to cause serious harm (or already has). This means it is serious enough that you have to notify the relevant parties.

Who should I notify if there is a privacy breach at my business?

If you believe your privacy breach is sufficiently serious, you should notify the Privacy Commissioner. You should also notify the affected individuals, as long as no exceptions apply, and any affected contracted parties (such as your suppliers).

What makes a privacy breach seriously harmful?

A privacy breach is seriously harmful when it is likely to cause specific damage, such as financial loss or identity theft, or the loss of an opportunity, such as a job. Emotional harm can also be serious.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
