One year after the Privacy Act 2020 took effect in New Zealand, this report investigates the impact of mandatory privacy breach reporting.
Unsurprisingly, breach reporting increased significantly, although currently fewer than half of entities report within the mandatory 72-hour timeframe:
From 1 December 2020 it became mandatory to notify the Office of the Privacy Commissioner of privacy breaches that have caused, or have the potential to cause, serious harm to people. Between 1 December 2020 and 31 October 2021, we received a total of 697 privacy breach notifications, nearly four times as many as between 1 December 2019 and 31 October 2020. You can use our tool to help you determine whether you need to notify us of your breach and to complete the notification if you do.
Of note, 35% of serious breaches reported involved emotional harm, which is not particularly surprising when you consider that almost 80% of reports came from the health care and social assistance sector.
The majority of all breaches reported involved human error.
Read these and other findings at https://www.privacy.org.nz/assets/December-2021-Insights-Report.pdf