What should I do if there has been or if I have caused a data breach?

If you have become aware that your agency has been involved in a data breach (personal information has been lost or accidentally disclosed), there are four key steps for you to work through:

  1. Containment: Your preliminary assessment – what has happened, and is there anything you can do to retrieve or secure the personal information?
  2. Evaluation: Consider the risk associated with the breach – what potential harm could result in this case, and is there anything you can do to minimise this harm?
  3. Notification: Should affected parties be made aware of the breach, and, if so, how will you notify them?
  4. Prevention: What lessons can be learned from this experience to prevent future breaches or to better respond if there is another breach?

For more information on each of the above steps, along with a helpful checklist you can use, see the OPC’s ‘Data Safety Toolkit’.

New Zealand currently falls into the group of countries in which breach reporting is not mandatory. Breach notification is voluntary, but that is likely to change in the future. The Government has indicated that a mandatory requirement to report data breaches will be part of the changes made in a new Privacy Act. The Law Commission, in its 2011 privacy law review, recommended mandatory data breach reporting, and the Government agreed with that recommendation, among others.