Yes, “where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Regulator; and … the data subject” (section 22). Note: a breach can have serious practical and reputational consequences for you and your organisation. Therefore, it is vital that you have an incident response policy in place to address a situation like this. We can also coach you through a breach. We also have detailed guidance in our programme.
What are reasonable grounds?
Now there is a good question. “Reasonable” is a very subjective term, and its meaning will have to be determined over the years.
How do I report the breach?
For now, you should email the information regulator and try to get an acknowledgment of receipt. The regulator plans to publish a template in future that responsible parties can use to notify the regulator of a breach. The regulator is going to need software, a portal or a system to receive all the notifications it will be getting. If you want to see an example of how the information regulator might enable you to report a breach, see how the ICO does it.
Is there a threshold for data breach notifications?
No. Even a single breached record, rather than hundreds, is enough to require you to notify the regulator.
If a staff member’s cellphone or laptop is stolen, would we need to notify the regulator?
No, if it is encrypted. If it is not encrypted, there are “reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person”.