Mandatory privacy breach reporting one year on – Privacy Commissioner Insight Report 2021

On 1 December 2020, the Privacy Act 2020 (Act) introduced changes to New Zealand’s privacy regime. One key change was the introduction of mandatory breach reporting. You can find out more about the changes in our previous articles, starting here.

A year on from its enactment, the Privacy Commissioner has produced a short five-page report summarising its key findings on the breaches reported between 1 December 2020 and 31 October 2021 (with a comparison to the same period a year prior).

The main takeaways from this report are:

  • There has been a nearly 300% increase in the number of reported breaches compared to the prior period, with around 65 breaches being reported each month.
  • Human error is still the greatest cause of breaches, with about 62% of all reported breaches attributable to human error. The report includes recommendations targeted at reducing human error, including robust processes such as double-checking attachments and recipients’ names and using delayed-sending technology.
  • Many of the breaches reported did not meet the reporting threshold of serious harm. In fact, only a third of the reported breaches met that threshold. Of those breaches that did meet the threshold, around 35% involved emotional harm to the affected individual.
  • Privacy breaches occur across all sectors, with the health care and social assistance sector having the highest rates of privacy breaches.
  • Only 44% of breaches were reported within the Privacy Commissioner’s expectation for breach reporting of 72 hours.

The report indicates that a cautious approach to breach reporting has been taken. Assessing serious harm is not a simple task, and we think it is better done at the time an organisation’s breach reporting plan is prepared, rather than when a breach occurs. The Privacy Commissioner has also developed an online tool, NotifyUs, to help with this assessment. It is a useful check if you are unsure whether a particular breach meets the serious harm threshold.

However, if an organisation is still unsure whether a breach meets the threshold, we recommend reporting it to the Privacy Commissioner and notifying the affected individuals. The breach reporting regime is intended to reduce harm from privacy breaches, and strong processes and prompt reporting can help to mitigate the distress and humiliation caused. The Privacy Commissioner also urges organisations to play it safe and report.

If you need any help with your breach reporting obligations please get in touch with us. We can help guide you through the requirements.


Graeme Crombie