The obligation on agencies to take reasonable steps to prevent loss, unauthorised access, disclosure or misuse is just as important as ever. Both the 1993 Act and the Privacy Act 2020 refer to an agency being required to protect information “by such security safeguards as it is reasonable in the circumstances to take”. This can mean that where the information is particularly sensitive, an agency should take additional steps to secure that information.
Earlier this year we were notified of a privacy breach which illustrated the importance of offsite backups for data storage. A law firm was burgled, and their computers were taken. The law firm had relied on the physical security of their building as their main security protection. An external hard drive which included backups of the data did exist, but it was stored on-site, and the data was not encrypted. The hard drive was also stolen during the burglary.
The law firm stored records which contained sensitive personal information about clients, and the disclosure of that information could have caused serious harm to many people.
We strongly encourage all agencies that hold personal information, and particularly those agencies that hold sensitive personal information, to have a comprehensive approach to encryption and offsite storage of backup servers or hard drives. Not only does this help to mitigate the risk of loss in the event of a burglary, it can be useful in case of a fire, earthquake damage, or other event which necessitates offsite working (such as an unexpected pandemic!).
If you’re a small health agency and you’re not sure where to start with your security processes and policies, talk to your sector’s industry body about what advice or support they can provide you with. We also encourage all agencies to use CERT NZ’s resources and guidance on backups and security: https://www.cert.govt.nz/business/
If things do go wrong and your practice has a privacy breach, you’ll want to use the online privacy breach reporting tool, NotifyUs. See below for further information.