The Office of the Privacy Commissioner (OPC) received a 97 percent increase in privacy breach notifications in the first four months of the new Privacy Act, compared to the previous six months.

OPC is marking Privacy Week (10-14 May 2021), an annual event for promoting privacy awareness, by publishing its first stocktake of privacy breach reporting after the Privacy Act changed on 1 December 2020. 

Under the new Act, organisations or businesses that experience a privacy breach that has caused, or has the potential to cause, serious harm must now report it to the Privacy Commissioner. They can do this by using OPC’s online NotifyUs reporting tool.

More than half of the privacy breaches reported to OPC involved emotional harm, and about one third resulted in a risk of identity theft or financial harm.

Failure to report a serious privacy breach is a criminal offence which may result in a fine of up to $10,000.

Privacy Commissioner John Edwards says that in the first six months of the Privacy Act 2020, OPC has been focusing on educating organisations and businesses to help them understand their obligations.

“The law change means that if an organisation suffers a serious privacy breach, it should tell my Office as soon as practicable after becoming aware of the breach.

“We’ve found that breaches can occur in any industry, with reports from organisations in the financial and insurance services, the public sector, education and training, retail and accommodation, and even mining.

“The law change means that the privacy breach information we receive will now be comprehensive and more accurate. We intend to publish this information as a regular anonymised summary to help all organisations know where the greatest privacy risks are.”

The most common category of privacy breach was email errors (25 percent), with emails containing sensitive information going to the wrong person. Other common types of breach were the unauthorised sharing of personal information (21 percent) and unauthorised access to information (17 percent).

Prevention is better

Organisations can easily prevent email errors with the right training and procedures. Organisations should:

• Take extra care when including personal information in emails
• Double check attachments
• Implement a send delay
• Use Bcc when sending emails to multiple recipients.

Mr Edwards says organisations and businesses should use Privacy Week to raise privacy awareness in their workplaces. It is also a good opportunity to help their staff become familiar with their Privacy Act obligations and to ensure their workplace has a privacy breach plan in place.

ENDS

For more information:

Alix Chapman – 021 509 389, alix.chapman@privacy.org.nz
Charles Mabbett - 021 509 735, charles.mabbett@privacy.org.nz