Privacy Breach Management Procedures
These procedures apply to all members of the University community, whether at the University or elsewhere.
A privacy breach in relation to personal information about the University’s data subjects could cause harm to students, staff, alumni or other individuals. A privacy breach could also, if managed badly, significantly damage the University’s reputation. When there is a likelihood that a privacy breach could cause serious harm, the University is required to notify the Privacy Commissioner and the data subjects affected. This is called a notifiable privacy breach.
Note – ‘Data subjects’ is the global term for the individual to whom personal information relates. The Privacy Act 2020 uses the term ‘individual concerned.’
These procedures – and New Zealand’s breach notification regime – are intended to ensure transparency and accountability, not blame. All members of the University community should feel safe to speak up. Once alerted to a privacy breach, the University can take steps to manage it. The procedure requires speed, care and collaboration. It is important to include the right people at the right time.
Report (University community)
1. Any member of the University community who causes or discovers a privacy breach must as soon as practicable report the breach to their line manager and/or the Privacy Officer, using the Privacy Breach Reporting Form.
2. Where the privacy breach is also an IT security incident, the breach must also be reported in the manner set out in the Cyber Security Incident Reporting Standard.
3. Where the privacy breach is not also an IT security incident, the Privacy Officer must report the privacy breach to Performance and Risk within 24 hours of becoming aware of the breach.
Evaluate and contain (Privacy Officer, Cyber Security Incident Response Team (CSIRT), relevant manager)
4. The Privacy Officer must, on receipt of a report and in liaison with the relevant manager and/or the CSIRT, determine the scope of the privacy breach, including the types of data subjects affected and the sensitivity of the personal information at risk, and evaluate the likelihood of harm to the data subjects affected.
5. The relevant manager must, under the guidance of the Privacy Officer and/or the CSIRT, determine what steps, if any, are required to contain the privacy breach, including steps that the data subjects affected might take.
Notify (Privacy Officer)
6. The Privacy Officer must determine whether the privacy breach is a notifiable privacy breach.
Note: Factors that may be relevant to this determination include the sensitivity of the personal information involved, nature of the harm that may be caused, whether the information was protected by security measures, the distribution of the information and the nature of the recipient, and the ability to contain the breach or its consequences. It should also be noted that the test for emotional harm is subjective, and so consideration should be given to the particular sensitivities of the data subject(s) affected.
7. Where the Privacy Officer has determined that the privacy breach is a notifiable privacy breach, the Privacy Officer must prepare notifications to the Privacy Commissioner, or any other relevant regulator, and the data subjects affected, using the Privacy Breach Notification Form.
8. Privacy breach notifications must be made to the Privacy Commissioner and data subjects affected as soon as practicable after the University has become aware of the privacy breach.
9. Notification to the Privacy Commissioner may only be made by the Privacy Officer, Registrar or Vice-Chancellor.
10. The Privacy Officer may, where appropriate, direct the relevant manager or another employee to manage the notification of the data subjects affected.
Prevent (Registrar, CSIRT)
11. The Registrar will cause an investigation into the reasons for the breach. This investigation may be completed by relevant employees or an external agency, as the Registrar considers appropriate.
12. If the privacy breach is also an IT security incident, the investigation must be conducted by the CSIRT or designated employee on its behalf. Any findings must be reported to the Registrar and the Privacy Officer.
13. Having considered the findings the Registrar will determine what, if any, action is to be taken.
The following definitions apply to this document:
Data subject means any natural person about whom the University collects and holds personal information and includes students, staff members, contractors, alumni and friends, donors, and visitors to the University’s websites or campuses.
Note - This is a global term which we are using to ensure consistency. The Privacy Act 2020 uses the term ‘individual concerned.’
IT security incident includes attempted or successful unauthorised access, use, disclosure, modification or destruction of information, interference with IT operations, impersonation of any member of the University community through electronic and/ or social media, spoofing, or setting up any web presence (including presence on social media) that purports to be, or might reasonably be perceived to be, an official University of Auckland website or social media group, page or account.
Notifiable privacy breach means a privacy breach that it is reasonable to believe has caused, or is likely to cause, serious harm to a data subject.
Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other correspondence, and opinions about the data subject.
Privacy breach means an event (whether intentional or unintentional) in which personal information is lost or is accessed, used altered, disclosed or destroyed without authorisation, or is at increased risk due to poor security safeguards, including but not limited to:
- an IT security incident that relates to personal information;
- accidental disclosure of personal information to the wrong recipient;
- employee browsing of personal information without a legitimate business reason; or
- a lost or stolen University device or document.
Serious harm means serious harm so assessed in accordance with sections 69(2)(b) and 113 of the Privacy Act 2020.
University means the University of Auckland and includes all subsidiaries.
University community includes all staff members (whether permanent, temporary or part time), honorary staff members, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University or UniServices.
Key relevant documents
Include the following:
- Privacy Act 2020
- Health Information Privacy Code 2020
- Cyber Security Incident Reporting Standard
- Data Governance Policy
- IT Acceptable Use Policy
- IT Security Policy
- Privacy Centre
- Employee Privacy Statement
- Privacy Statement
- Personal Information Request Form
- Privacy Breach Reporting Form
- Privacy Impact Assessment Checklist
Document management and control
Content manager: General Counsel and Privacy Officer
Approved by: Vice-Chancellor
Date approved: 10 November 2020
Review date: 10 November 2025