Charles Mabbett writes:
In recent weeks, the Office of the Privacy Commissioner has been contacting individual organisations about specific privacy breaches that have been raised with us. We’re taking a more proactive approach to remind and warn individual organisations of their statutory responsibilities under the Privacy Act 2020.
There is, in particular, the requirement that organisations notify the Privacy Commissioner of a serious privacy breach. This would include a ransomware attack when personal information is either accessed, stolen, or rendered inaccessible. Section 114 of the Privacy Act 2020 says an organisation must notify the Commissioner as soon as practicable after it becomes aware that a notifiable privacy breach has occurred. Although the Act is silent on precise timing, we have determined that, unless there are extenuating circumstances, this should be within 72 hours.
If an organisation fails to do so, we can consider prosecuting a case against it. If convicted, it would have committed an offence under section 118 of the Act, making it liable for a fine of up to $10,000.
The remainder of the post describes three cases where the OPC took such proactive steps. The organizations are not named, but the cases are illustrative. This blogger noted, in particular, that although NZ law doesn’t specify an exact deadline for notifying the regulator of a notifiable privacy breach, the office interprets “as soon as practicable” as within 72 hours. For Case C, the OPC writes:
Organisation C notified our Office two months after it identified a serious privacy breach had occurred. Upon our request, the organisation gave us a copy of its policy regarding privacy breach management for our review.
The policy said the organisation should notify our Office as soon as practicable. It also set out what kind of information should be given to us.
We advised the organisation it should have reported the breach to our Office at the same time as it tried to rectify the breach. It was unnecessary to wait until all steps had been taken to resolve the matter before notifying us.
We informed the organisation we did not intend to prosecute. This could change if we identified similar non-compliance in the future.
While many organizations would prefer to get incident response further along before notifying a regulator, so that they can present the positive steps they have already taken, including steps to prevent a recurrence, the OPC’s comments make it clear that entities in NZ should not wait; they should notify promptly absent some really good justification.