

Privacy Commissioner
Te Mana Matapono Matatapu

Office of the Privacy Commissioner

PO Box 10094, The Terrace, Wellington 6143

Level 8, 109 - 111 Featherston Street

Wellington, New Zealand

P +64 4 474 7590 F +64 4 474 7595

E enquiries@privacy.org.nz

0800 803 909 Enquiries


20 August 2019

Emailed to: fyi-request-10798-86ac29bd@requests.fyi.org.nz

Kia ora Ryan

Official Information request - De-identified information on reported breaches for the years 2010-2019

Thank you for the following request for information we received on 24 July 2019:

"I would like to request a de-identified list of breaches reported to the privacy office for each year since 2010 (or earlier if practicable), and including the current year to date, along with:

- the order of the number of affected parties (ie. 100s, ~10k, ~1m)
- whether these breaches contained personal (physical address, phone number, etc.) and/or financial (cards, bank details, etc.) and/or health information
- whether these breaches were reported to those affected by a) the breached organisation and/or b) the privacy office

These may be aggregated where reasonable to do so, for example:

2019:
- 10x breaches with ~10k people impacted, containing personal and financial information
- 2x breaches with ~100k people impacted, containing personal and health information."

In response to your request we are able to provide the following data:

Number of Breaches Reported

Year     Public sector   Private sector   Total notifications
08/09    13              3                16
09/10    10              3                13
10/11    19              12               31
11/12    34              12               46
12/13    84              23               107
13/14    90              26               116
14/15    71              50               121
15/16    97              51               148
16/17    79              53               132
17/18    91              77               168
18/19    95              127              222¹

¹ In respect of the figures for 2018/2019, these are due to be published in our next Annual Report in late November/early December 2019. The published figures may vary slightly to the ones we have provided here.




These figures up to 2017/18 are by financial year (1 July to 30 June) and are available in our Annual Reports. They relate to voluntarily reported breaches as currently there is no requirement to report data breaches under New Zealand legislation. A mandatory breach reporting scheme is included in the Privacy Bill currently being considered by Parliament.²

Other information you have requested

In respect of the 2018/2019 year I can provide the following additional information requested as we are now recording this data in a readily accessible form.

Number of affected parties

- Less than 10 = 112
- Less than 100 = 24
- Less than 1,000 = 26
- 1,000 or more = 13
- Not reported = 47

Type of personal data:³ (Note: Some breaches involved more than one type of information.)

- Contact = 24 (e.g. address)
- Credential = 4 (e.g. system access token)
- Employment = 6 (e.g. CV, HR information)
- Financial = 14
- Health = 19
- Identity = 7 (e.g. name without contact information)
- Legal = 5 (e.g. information from legal processes)
- Social Welfare = 4 (e.g. social services other than financial)
- Total of types = 83

Who Reported the breaches?

In respect of your request for information about 'whether these breaches were reported to those affected by a) the breached organisation and/or b) the privacy office', our office would not have reported any of these breaches to those affected, as this is not part of our role. Whether a data breach is reported to the individual/s affected is currently at the discretion of the agency concerned; however, this will become an obligation for agencies once the Privacy Bill is passed and comes into force.

In relation to whether these breaches were reported to the individuals affected by the agency concerned, to the extent that we hold that information, your request is declined under section 18(f) of the Official Information Act 1982, as explained below.

Request otherwise refused

Your request is otherwise refused under section 18(f) of the Official Information Act 1982 due to the substantial collation or research that would be required to obtain the information you have requested. To find the information we would need to manually search hundreds of files.

² See Part 6 - http://www.legislation.govt.nz/bill/government/2018/0034/latest/whole.html#LMS23530.

³ The "type of personal data" information covers the period 1 July 2018 - 31 October 2018 (which is the period we have this data for in a readily accessible form).




The amount of time this would take a staff member would necessarily negatively impact on our other operations and could result in the compromise of our other statutory functions. We do not consider that either charging or extending the timeframe for responding would help in these circumstances, as neither of these would practically avoid the undue impact of having a staff member of our small organisation being diverted from conducting our Office's ordinary business.

You have the right to contact the Ombudsman to seek an investigation and review of this decision.⁴

John Edwards
Privacy Commissioner

⁴ http://www.ombudsman.parliament.nz/make-a-complaint.
