2012-Nov 23: Breaches of the Privacy Act

Visa Pak 92: Guidelines for branches to follow if a breach of the Privacy Act is identified.

23 November 2012

Operations Support has received 14 Parliamentary Questions in the last two months regarding breaches of the Privacy Act by INZ. Such scrutiny emphasises the importance of maintaining the privacy of the individual and of following the guidelines below if privacy is breached. Deliberate breaching of privacy is also a breach of the Code of Conduct.

The Immediate actions are compulsory for all breaches.

Follow these guidelines if a breach of the Privacy Act is identified.

Immediate actions:

  • Advise Operations Support, noting whether the affected person can be identified from the information released.
  • Managers must, as soon as possible, verbally apologise to the affected person and advise them of the breach: what information was released and whether they can be identified from it. If the person cannot be reached by phone, then email or write to the person. A phone call should be followed up with written confirmation of the breach and a copy of the information released.
  • Contact the person to whom the information was sent and arrange to retrieve it. They should either delete the email, if appropriate, and email the branch manager with confirmation that this has been done, or return any hard copies of the released information to the branch manager.

Next steps:

  • Operations Support will advise appropriate offices and provide a record of the remedial action already taken (as above).
  • Action following this will depend on the sensitivity of the information released and advice received.

Note: The Office of the Privacy Commissioner has provided the following guidelines:  
Processes following a breach of the Privacy Act