New Zealand: Implemented Privacy Act 2020 including cybersecurity regulation (Act 2020 No. 31)

On 1 December 2020, the Privacy Act (2020 No. 31) entered into force. The Act includes provisions for cybersecurity regulation and mandates that agencies covered by the Bill must report data breaches. Specifically, the cybersecurity regulations, which are outlined in part 6 of the Act, delineate the procedures for handling notifiable privacy breaches and compliance notices. A notifiable privacy breach is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or is likely to do so. In assessing serious harm, agencies must consider actions taken to mitigate the risk, the sensitivity of the personal information involved (e.g., health records), the potential harm to individuals, the identity of the party obtaining the information (if known), whether security measures and any other relevant factors protect the information. Agencies are required to inform the Privacy Commissioner and affected individuals upon discovering a breach, with provisions for public notice if individual notifications are impractical. Barring extenuating circumstances, agencies should notify the Privacy Commissioner within 72 hours of becoming aware of a breach. The Act outlines exceptions and delays for situations involving national security concerns or personal safety risks. Failure to notify the Commissioner of a notifiable privacy breach constitutes an offence punishable by a fine of up to NZD10’000.