Does your data breach constitute serious harm?

privacy Nov 16, 2020

From 1 December 2020, if your organisation or business suffers a privacy breach likely to cause anyone serious harm, the law requires notification to the Privacy Commissioner and affected persons as soon as practicable.

But how does one judge ‘serious harm’?

To help answer this question, the Office of the Privacy Commissioner (OPC) recently released an online tool, ‘NotifyUs’, which steps you through assessing the breach in a logical way and also lets you report it. This blog post provides an overview of the tool and the type of questions it asks.

To start, you enter some basic contact details and breach information, such as when it happened and what happened. You then provide some specifics about the information involved, including:

- How sensitive is it?
- What type of information is it (e.g. contact details, health, financial or employment data)?
- Who obtained, or who may obtain, the information?
- Are they uncooperative, and do you think they are likely to cause harm?

You will need to apply your best judgement to these questions, considering your specific situation. Helpfully, the tool offers ‘Don’t know’ and ‘It’s under investigation’ options.

NotifyUs then asks you to consider the different types of harm that might result. These include:

- Physical safety and threats of harm
- Discrimination
- Threats to employment
- Identity theft
- Lost opportunities
- Reputational harm
- Emotional harm
- Financial harm

For any harm type you consider likely, you will be asked to judge whether its impact is Low or High. You can also state that ‘harm has already occurred’ or ‘don’t know’.

You may be prompted along the way to consider actions you might not have thought of, such as contacting those who might help (e.g. the Police or CERT), and what more you might do to control the situation and prevent (further) harm.

The tool updates dynamically based on your previous answers. It’s not onerous, and the OPC has done a good job. I expect they’ll continue to fine-tune it over time (it has already changed significantly in the two weeks between when I first saw it and writing this post).

It’s a welcome addition to the https://privacy.org.nz website and an essential element in supporting the requirements of the new Privacy Act. It’s easy to use, and I wouldn’t hesitate to recommend it if you’re managing a data breach at your organisation.

One good thing is that, after answering all the questions, if you don’t feel like hitting the final ‘Submit notification’ button, you don’t have to. Stepping through the form may well be enough to help you answer the ‘serious harm’ question by yourself 😊

You can try out the tool for yourself by visiting https://privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/report-a-breach/

Peter Brook

Peter is our vBridge Operations and Information Security Manager. He has over 20 years’ experience in many NZ organisations, including PGG Wrightson, CDHB, Lyttelton Port Company and Spark Digital.