Office of the Privacy Commissioner | How long is 72 hours?
During Privacy Week when we talked about notifying individuals about privacy breaches, we got asked a lot of questions about our guideline around 72 hours.
Here’s what we mean when we say 72 hours
You must inform the Privacy Commissioner of serious privacy breaches as soon as you practically can after becoming aware of them. Our expectation is that you will do this within 72 hours of becoming aware that it’s a notifiable breach. This timeframe is a guide only and is intended to initiate prompt notification to us.
In some cases, it will be clear from the outset that a breach has occurred and that it is notifiable. In other cases, an organisation may not discover the breach immediately or may need to undertake some enquiries to figure out whether a breach has occurred or is serious (for example, where an audit of an employee’s access raises questions about inappropriate access).
Our NotifyUs tool can help you assess how serious your breach is and whether you will need to notify the Privacy Commissioner. This tool is a guide only, so if you're not sure, please notify. If you do need to notify OPC, you can also do this using NotifyUs.
What does ‘becoming aware’ mean?
Becoming aware of a notifiable breach requires some degree of knowledge or an assessment about the risk of harm from the privacy breach. This will be a straightforward assessment for some breaches, while others may be more complex or have unique facts or circumstances.
The key thing is that, once your initial assessment indicates that harm is likely based on what you know at that time (e.g. sensitivity of the information, weakness in security measures, and probable harm to individuals), you should be thinking about prompt notification, even if there are still some unknowns (such as who has obtained or could obtain the information).
Information known by your employees or agents is treated as being known by the organisation. This means that a privacy breach can be notifiable as soon as any employee or agent identifies that it is notifiable, not just your privacy officer. You need to ensure that your processes support prompt disclosure of privacy incidents to your privacy function and that you promptly act upon that information, including undertaking further investigation and assessment where necessary.
Incremental notification
We understand that not all information will be available at the same time. An organisation can fulfil its notification requirements to our Office and affected individuals on an incremental basis, under section 117(5) of the Privacy Act, so long as the agency does this as soon as reasonably practicable after finding out that information.
However, you should still let us know as much as you can. You can provide any subsequent updates to us at notifyus@privacy.org.nz using the PBN/xxxx number provided.