Privacy law update: Mandatory reporting for notifiable breaches of privacy - are you ready?

October 24, 2019


Partners Jania Baigent, Sally McKechnie, Karen Ngan

Data protection (inc Privacy Bill and GDPR)

A major overhaul of New Zealand’s privacy laws is underway and you need to be ready when it comes into force (currently expected to be on 1 March 2020).

This is the first of four briefings to help you and your organisation prepare.

Mandatory reporting compliance checklist:

Mandatory reporting requirements - have you got policies to deal with the new reporting regime?

There is a new mandatory reporting regime for notifiable breaches of privacy. Data breaches will be notifiable to both the Privacy Commissioner and affected individuals if the breach has caused, or is likely to cause, “serious harm”. This "serious harm" threshold borrows from the Australian threshold for data breach reporting, and until we have more detail on the approach to be taken here, organisations should be guided by our Australian cousins.

The new requirement means you should update your privacy policies and processes to deal with what happens in the case of a notifiable breach.

Matters to think about

  • Do your staff understand what a privacy breach is, and if one occurs, who they should be informing in your organisation?

  • How will you assess whether a breach is a “notifiable breach”?

  • What practices and protocols do you have for containing a breach?

  • Who will notify the Privacy Commissioner and collate and provide all relevant information for the Privacy Commissioner?

  • How will communications with the Privacy Commissioner and affected individuals be handled?

  • What steps will be taken to prevent reoccurrence?

  • How will potential reputational damage be addressed, including queries from the media?

If you don’t notify the Commissioner of a notifiable privacy breach you could be fined up to $10,000. You won’t be at fault if it was reasonable to consider the breach was non-notifiable. This means you will need to have a policy which clearly sets out the steps you will take to reach a reasonable conclusion on whether a breach is notifiable or not.

In the absence of clear guidance from the Privacy Commissioner at the moment, we recommend erring on the side of caution. Initially apply a low to moderate threshold for determining whether a data breach has caused serious harm, and maintain an open dialogue with the Office of the Privacy Commissioner.

Get in touch / Upcoming workshops

Reviewing and implementing new privacy policies can be a complex and confusing process. Please contact our privacy law specialists if your organisation needs help to get ahead of the 1 March 2020 date. Simpson Grierson are also running workshops in both Auckland and Wellington in early February 2020 to help organisations get to grips with the new privacy regime. Email us here if you are interested in attending.

Privacy Bill progress update

The Bill is currently at the Committee of the Whole House stage and has an expected commencement date of 1 March 2020.