Privacy Commissioner updates guidelines around notification
The Office of the Privacy Commissioner (OPC) has recently updated its guidelines concerning the prevention and response to privacy breaches and mandatory notification. The updated guidelines provide additional information regarding timeframes for notification of the OPC, as well as additional guidance about what constitutes a privacy breach.
Privacy breach notification
The OPC has indicated that when notifiable privacy breaches occur, their expectation is that agencies should notify the OPC within 72 hours after becoming aware of the breach. Importantly, this timeframe does not factor in business days, so if an agency became aware of a notifiable privacy breach on a Friday afternoon, it would need to be working over the weekend to ensure it meets the expected notification timeframe.
This guidance is particularly important as the Privacy Act does not provide any guidance about the meaning of “reasonably practicable” under section 114 of the Privacy Act 2020. It is interesting to note that the OPC has chosen 72 hours (presumably to align with the GDPR requirements) rather than instituting a ‘business hours’ requirement, which means weekends will not be a factor in deciding when to notify the OPC.
The OPC has also provided additional guidance about what may constitute a privacy breach. In particular, the OPC highlighted that prevention of access to information (for example, due to a hack or encryption by ransomware) would constitute a privacy breach, and thus require notification if it meets the serious harm threshold.
It is helpful to have this additional guidance from the OPC regarding the expected timeframes for breach notification. Given the Act is not definitive on the timeframes, we hope that this guidance reinforces best practice around timeframes for notifications, as well as encouraging faster notification of potential breaches.
With this guidance in mind, it will be important for all agencies to review and update their existing data breach response plans to ensure the 72-hour timeframe is incorporated appropriately and complied with. It will be of particular importance to ensure that appropriate resources and processes are in place to manage breach notifications in an expedient manner, as this timeframe may present issues around holidays (such as Christmas closedown periods) where limited personnel are available.
However, we wish to highlight that this timeframe only kicks in after the agency becomes aware that the breach constitutes a notifiable privacy breach under the Privacy Act (e.g. if serious harm has occurred or is likely to occur). The guidance is not intended to place an obligation on all agencies to report all privacy breaches within 72 hours of first discovering a potential breach; the clock only starts once the agency has undertaken the necessary assessment of serious harm. This does not mean that agencies should take their time to undertake this assessment, as the risk of serious harm will only increase as time goes on, and the prudent approach to all privacy breaches is to act swiftly and efficiently to contain and remedy the breach.
It is also interesting that the OPC has considered loss of access to private information as constituting a privacy breach. This widens the potential scope of privacy breaches beyond personal information, and potentially into the realms of cybersecurity. This reiterates the importance of agencies having strong cybersecurity protections as well as having robust privacy policies and breach notification plans.
What should agencies do?
- maintain robust risk assessment policies to quickly assess whether serious harm may have resulted from a privacy breach, as this will influence when the OPC and affected individuals should be notified;
- ensure they have processes in place to quickly address and manage privacy breaches by notifying both affected individuals as well as the OPC; and
- maintain strong cybersecurity policies independently of their privacy protections and ensure that they update their privacy breach response plans to reflect the new guidance regarding loss of access to personal information.
If you need assistance with updating your breach notification policies and plans, please contact one of our experts.