Do we have to report data breaches?
While it’s not compulsory to report a data breach, it’s a good idea to be open about what’s happened and the steps you’re taking to fix it.
New Zealand currently falls into a group of countries in which breach reporting is not mandatory. Breach notification is voluntary, but that is likely to change in the future. The Government has indicated that a mandatory requirement to report data breaches is going to be part of the changes made in a new Privacy Act. The Law Commission, in its 2011 privacy law review, recommended mandatory data breach reporting, and the Government agreed with that recommendation, among others.
Our website has a data safety toolkit which takes you through the steps you’ll need to go through if you’ve been involved in a data breach.
One of those steps is deciding whether to inform the people concerned. If the people could suffer harm and need to act to protect themselves, for instance by changing their passwords or monitoring their bank accounts for malicious activity, then you should probably tell them about the breach and steps you are taking to mitigate it.
If there are no likely consequences from the breach, or if telling people would cause more worry and harm than not telling them, it may be acceptable not to tell affected individuals.
In either case, it’s a good idea to let us know if you’ve been involved in a data breach, as we can give you guidance on what to do next. If you’d like to report a data breach, you can contact us through our enquiries line on 0800 803 909.