The culmination of a decades-long process, on the 1st of December the Privacy Act 2020 will officially become law. We’ve previously talked about what the act means for your business – you can check out our rundown here – so today we’ll drill down a little further, specifically on the thorny subject of notifiable breaches.
What the Privacy Act 2020 says about security breaches
The main aim of the Privacy Act 2020 is to grant individuals more control over their information in an ever more digital world. With so many third parties now carrying vast amounts of private and personal information, addressing security breaches is a key component of the act.
Where a third party is holding personally identifiable information (PII), the Privacy Act 2020 defines two distinct types of breach:
- A security/integrity breach: “Unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information.”
- An availability breach: “An action that prevents the agency from accessing the information on either a temporary or permanent basis.”
When either of these breaches occur, the third party is required to notify both the Office of the Privacy Commissioner and any individuals affected by the breach. Thus we come to the big question…
What constitutes a notifiable breach?
In short, a breach is notifiable if you have reason to believe that it has caused or might cause serious harm to an individual or individuals whose data you hold. At this point, we’ll need to get a little lawyerly in defining some terms. In the Privacy Act 2020:
- ‘Reason to believe’ means: Considering factors such as the nature of the information, mitigation strategies, security measures, the unauthorised party, the potential harm and any other relevant factors.
- ‘Serious harm’ means: Specific damage, emotional harm, and loss of rights, privileges or benefits.
You’ll note that there aren’t any hard metrics on what constitutes ‘serious harm’. While this can be partly put down to the fact that the Act isn’t yet in force, so no precedents have yet been set, the truth is that it has been designed as a broad outline. The Privacy Commissioner would generally prefer that organisations err on the side of caution, logging all noteworthy breaches.
Exceptions to notification requirements
In certain (and very limited) circumstances, organisations are allowed to delay notifying affected individuals or the public:
- If the notification itself might contribute to more breaches, perhaps by outlining how the original breach occurred.
- If notifying an individual could negatively affect their health or wellbeing.
- If the individual is under the age of 16, and the organisation feels that notification isn’t in their best interests.
In these instances, an organisation must still notify the Office of the Privacy Commissioner as soon as possible.
In summary
While there remains some ambiguity as to what a notifiable breach looks like, organisations should for now take a cautious approach. If a breach feels serious, it most likely is, and should be reported to the Privacy Commissioner as soon as possible. That office will be able to assist you with the rest of the process.
In an ideal world, however, you’ll never have a breach – prevention is better than cure, after all. And if you’d like help in bolstering your defences, our team at OneCall is ready to provide it.