Category | Administration and Management |
---|---|
Type | Procedure |
Approved by | Registrar and Secretary to the Council, 5 March 2025 |
Date Procedure Took Effect | 5 March 2025 |
Last approved revision | |
Sponsor | Registrar and Secretary to the Council |
Responsible officer | General Counsel |
Purpose
To outline the University's protocol for managing privacy breaches, ensuring compliance with the Privacy Act 2020 and the Privacy Policy.
Organisational scope
This Procedure applies to all members of the University community.
Definitions
- Incident Management Team
- Has the same meaning as that term is defined in the Emergency Management Policy.
- IT Security Incident
- Includes attempted or successful unauthorised access, use, disclosure, modification or destruction of information; interference with IT operations; impersonation of any member of the University community through electronic and/or social media; spoofing, or setting up any web presence (including presence on social media) that purports to be, or might reasonably be perceived to be, an official University of Otago website or social media group, page or account.
- Notifiable Privacy Breach
- A Privacy Breach that has caused, or is likely to cause Serious Harm to an individual.
- Personal Information
- Any information whether electronic or hard copy about an identifiable individual, whether or not the information directly identifies the individual, and includes but is not limited to contact details, demographic, images, financial, health and academic information (including course results), staff employment and performance information, emails and other correspondence about the individual.
- Privacy Breach
- An event (whether intentional or unintentional) in which Personal Information held by the University of Otago is lost or accessed, altered, disclosed or destroyed without authorisation, including but not limited to:
- accidental disclosure of Personal Information to the wrong recipient;
- employee browsing of Personal Information without a legitimate business reason;
- an external attack on a University system; or
- a lost or stolen University device or document.
- Privacy Incident Register
- A formal register maintained by a Privacy Officer to record details of all Privacy Breaches, including type of breach, date occurred/detected, response to the breach and notifications provided.
- Privacy Officer
- The person in the University who is responsible for ensuring compliance with the privacy laws. The current Privacy Officers are:
- for all staff related matters, the Director of Human Resources or their delegate; or
- for all other matters, the Registrar and Secretary to the Council or their delegate.
- Serious Harm
- Serious harm as assessed in accordance with section 113 of the Privacy Act 2020.
- State of Campus Emergency
- Has the same meaning as that term is defined in the Emergency Management Plan.
- University community
- All University of Otago staff (whether permanent, temporary or part-time), students (whether permanent, temporary, or part-time, and including prospective students and students visiting from other institutions), members of the Council of the University, honorary staff, or any other member of the University and any contractors, sub-contractors, consultants, or official visitors.
Content
Overall objectives
- The focus is on protecting the individuals whose privacy has been breached, minimising the impact of the Privacy Breach where possible, and preventing further breaches.
- This Procedure is intended to ensure transparency and accountability, not blame.
- The University community should feel safe to speak up.
- The University must manage Privacy Breaches with speed and care.
- It is important to include the right people at the right time.
Report
- Any person who causes or discovers a Privacy Breach must as soon as practicable after becoming aware of it report the breach to their line manager or supervisor (where applicable).
- A Privacy Breach must also be reported to a Privacy Officer as soon as possible.
Contact details for the University’s privacy office
- Even minor Privacy Breaches (such as accidental email errors) must be reported.
- A Privacy Officer will advise if a Privacy Breach Notification Form needs to be completed.
Assess
- A Privacy Officer must, on receipt of a report, determine the scope of the Privacy Breach, including:
- what has happened and how it has happened;
- identifying the types of individuals affected (e.g. staff, students, third parties);
- identifying the type and sensitivity of the Personal Information at risk (e.g. health information, highly sensitive);
- evaluating the nature and likelihood of harm to the individuals affected (e.g. emotional harm, physical harm, financial harm, reputational harm, identity theft, loss of access to information);
- what systems or processes are involved/affected (e.g. email, learning management system, etc.);
- whether the breach occurred within the organisation or via a third party;
- the scale of the Privacy Breach;
- any security measures in place;
- whether any Personal Information has been partially or wholly published on a data leak site or similar;
- who has obtained or may obtain the information; and
- whether the information can be recovered from the unauthorised party and/or deleted.
- A Privacy Officer must determine whether the Privacy Breach is a Notifiable Privacy Breach. Factors that may be relevant to this determination include:
- the sensitivity of the Personal Information involved (e.g. about someone’s health, financial information, political or religious beliefs);
- the number of individuals affected;
- types of harm identified, likelihood and likely impact;
- the distribution of the information;
- the nature of the recipient (e.g. someone uncooperative or likely to cause harm);
- whether the information is protected by one or more security measures and the likelihood these security measures could be overcome;
- whether any security technology has been used and designed to make the information unintelligible or meaningless to persons who are not authorised to obtain it; and
- the ability to contain the Privacy Breach or its consequences.
- To assess the scope of the Privacy Breach, a Privacy Officer may:
- use the NotifyUs tool on the Privacy Commissioner's website to help with this assessment;
- consult relevant staff;
- consult external legal counsel if determined necessary; and
- seek guidance from the Privacy Commissioner if determined appropriate.
Inform relevant staff
- A Privacy Officer must, on receipt of a privacy breach report, inform and liaise with the University’s Chief Digital Officer if the Privacy Breach involves a possible IT Security Incident.
- For more serious Privacy Breaches (for example a cyber-attack or disclosure of a significant volume of sensitive Personal Information), a Privacy Officer must also immediately inform:
- the Vice-Chancellor;
- the members of the University’s Audit and Risk Committee; and
- the Director of Communications.
Contain
- A Privacy Officer should, in liaison with the relevant manager or supervisor and other relevant staff members as appropriate, act immediately to contain the Privacy Breach, including limiting or preventing any further access to or distribution of the affected Personal Information.
- Depending on the nature of the Privacy Breach, steps to help contain the Privacy Breach could include:
- diagnosing what went wrong and disabling any IT or other systems that may be compromised until they have been secured;
- in the case of an email error, attempting to recall the email;
- where possible, remotely wiping information from devices that was mistakenly sent to someone;
- trying to retrieve lost information, such as hard copy documents (e.g. if a degree certificate is sent to the wrong person, try to get the recipient to send it back unopened);
- cancelling or changing computer access codes and fixing any weaknesses in the physical or electronic security;
- changing authentications and permissions;
- if any systems were involved in the breach, referring to any applicable technical data breach response playbook;
- contacting the recipient of the information to assess whether or not the information has been viewed and, where appropriate, requesting that they permanently delete the information;
- if Personal Information has been viewed, arranging for the recipient to sign a non-disclosure agreement;
- appointing someone within the University or an external party, if external expertise is required, to lead and conduct an initial investigation into what has happened.
- For serious Privacy Breaches, the Vice-Chancellor must consider whether to declare a State of Campus Emergency under the Emergency Management Policy and instigate an Incident Management Team.
Notify Privacy Commissioner
- Where a Privacy Officer has determined that the Privacy Breach is a Notifiable Privacy Breach, the Privacy Officer must notify the Privacy Commissioner as soon as practicable.
- The Privacy Commissioner has an expectation that notification of a Notifiable Privacy Breach be made no later than 72 hours after becoming aware that a Notifiable Privacy Breach has occurred.
- Where it is not clear whether the Privacy Breach is a Notifiable Privacy Breach, a Privacy Officer may consider:
- seeking advice from internal and/or external legal counsel;
- consulting with the Office of the Privacy Commissioner;
- reporting the breach to the Privacy Commissioner.
Notify Affected Individuals
- In the ordinary course, where a Privacy Officer has determined that the Privacy Breach is a Notifiable Privacy Breach, notification must also be given to the individuals affected by the breach as follows:
- Notification to affected individuals should usually be made by the relevant manager or as otherwise agreed with a Privacy Officer.
- Notification must be made as soon as practicable after the University has become aware of a Notifiable Privacy Breach unless a Privacy Officer determines that a delay is necessary in accordance with section 116 of the Privacy Act 2020. This includes where the risks to the security of Personal Information held by the University outweigh the benefit of informing the affected individuals.
- If it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, a Privacy Officer must organise for the University to give public notice of the Privacy Breach. Public notice must be given in a form in which no affected individual is identified.
- A Privacy Officer may determine that the University is not required to notify an affected individual or give public notice of a Notifiable Privacy Breach in accordance with section 116 of the Privacy Act 2020 e.g., where the notification or notice would be likely to endanger the safety of any person.
- A Privacy Officer may determine that an affected individual should be notified of a Privacy Breach, even though the breach is not assessed as a Notifiable Privacy Breach. Each instance must be considered on a case-by-case basis.
- A Privacy Officer must advise the best way to notify the affected individuals (e.g. by phone, letter, email or in person), and must also consider whether notifying them through or with a support person is appropriate.
Other Formal Notifications
- A Privacy Officer must consider any others who need to be informed about a Notifiable Privacy Breach, including:
- the Police (if the breach involves theft or other criminal activity);
- CERT (where the breach relates to cyber security);
- NetSafe (specialist online incident advisers);
- the University’s insurers;
- the University’s auditors;
- Tertiary Education Commission;
- Minister of Education.
Prevent
- A Privacy Officer must investigate the reasons for the Privacy Breach. This investigation may be completed by relevant staff or an external agency, as the Privacy Officer considers appropriate.
- If the Privacy Breach is also an IT Security Incident, the investigation must be conducted by the Chief Digital Officer or an employee designated on their behalf. Any findings must be reported to a Privacy Officer.
- Having considered the findings, a Privacy Officer may determine what, if any, actions are to be taken or improvements are to be made to prevent a similar breach in the future (e.g. privacy training, reviewing security settings).
Monitor
- A Privacy Officer must maintain a Privacy Incident Register.
- A Privacy Officer may use the Privacy Incident Register to identify trends in Privacy Breaches and determine what processes and systems should be improved.
- A Privacy Officer must report, on a quarterly basis, relevant details and statistics of Privacy Breaches for that period to the Director of Risk Assurance and Compliance and the University’s Audit and Risk Committee.
- Refer to the Privacy Policy for specific roles and responsibilities in respect of privacy at the University of Otago.
Related policies, procedures and forms
Contact for further information
If you have any queries regarding the content of this policy or need further clarification, please contact the General Counsel.