- any action taken by the agency to reduce the risk of harm following the breach;
- whether the personal information is sensitive in nature;
- the nature of the harm that may be caused to affected individuals;
- the person or body that has obtained or may obtain personal information as a result of the breach (if known); and
- whether the personal information is protected by a security measure.
To help agencies work through the factors above, the OPC also provides a self-assessment tool that gives a preliminary recommendation on whether the breach should be notified. This can be found here.
For the European Union, the European Data Protection Board has recently released additional guidelines and a number of helpful case studies. As the GDPR breach notification scheme has a similar test to the New Zealand scheme (European agencies are required to notify breaches unless they are "unlikely to result in a risk to the rights and freedoms of natural persons"), the case studies provided are worth reviewing. Further, there are a number of take home points relevant to New Zealand agencies:
- A breach notification assessment should be made as soon as the agency becomes aware of the breach. Agencies should not delay notifying until a detailed investigation is complete or mitigation has begun. The OPC's tool allows a reported privacy breach to be updated later, so an agency can revise its assessment once it has more detail.
- Where a breach leaves an agency unable to access personal data (for example, after a ransomware attack), notification will probably be necessary unless access can be regained quickly. For this reason, the Data Protection Board recommends keeping backups so that lost information can be restored promptly; in practice this means backups that are kept separate from the live systems and are tested, since a backup that an attacker can also encrypt or delete does not help.
- Any breach involving passwords should be communicated to the individuals concerned, even if the breach does not meet the "serious harm" threshold, so that they can change the password wherever they have reused it.
- The Data Protection Board emphasises the importance of regularly evaluating data security to identify weaknesses and security holes. With cyber-attacks becoming more common, the Privacy Commissioner will not look kindly on an agency's ignorance of gaps in its own security, or on a failure to train employees in data security.
The full guidelines are available here.