designcom systems - Breach Notification Policy

Breach Policy
1. Purpose
2. What is a Privacy Breach?
3. Reporting Suspected Breaches
4. Containment and Assessment
5. Notification Process
6. Record Keeping
7. Staff Responsibilities
8. Review

Privacy Breach Notification Policy

Designcom Systems Ltd (dcom) Privacy Breach Notification Policy (to comply with the New Zealand Privacy Act 2020)

1. Purpose

This policy sets out how designcom systems ltd ("we", "us", "our", "dcom") will respond to any privacy breach. It ensures we meet our legal obligations under the Privacy Act 2020, including notifying the Office of the Privacy Commissioner (OPC) and affected individuals where a breach is likely to cause serious harm.

2. What is a Privacy Breach?

A privacy breach is any event where personal information we hold is:

accessed without authorisation
disclosed without authorisation
lost, altered, or destroyed by accident or unlawfully
rendered unavailable (e.g. ransomware prevents access)

3. Reporting Suspected Breaches

All dcom staff must immediately report any suspected or actual privacy breach to the Privacy Officer (or a Director if unavailable).
Dcom staff should not attempt to cover up or fix a breach on their own.

4. Containment and Assessment

The Privacy Officer will:

Contain the breach – secure systems, recover records, change access rights, etc.
Assess the breach – determine what happened, what information was affected, and the likely impact.
Decide if it is "notifiable" – i.e. whether the breach is likely to cause serious harm.

5. Notification Process

If a breach is likely to cause serious harm:

The Privacy Officer will notify the Office of the Privacy Commissioner via the NotifyUs tool: https://www.privacy.org.nz/responsibilities/privacy-breaches/notify-us/
Affected individuals will be notified as soon as practicable, unless an exception applies (e.g. notification would endanger someone's safety or prejudice law enforcement).

Notifications to affected individuals will include:

A summary of what happened
What information was involved
What actions we are taking to reduce harm
Steps the individual can take to protect themselves
Our contact details for questions

6. Record Keeping

All breaches (whether notifiable or not) will be logged in the Breach Register.
The record will include the date, description of the breach, actions taken, and whether notification occurred.

7. Dcom Staff Responsibilities

All dcom staff must follow this policy and report breaches immediately.
The Privacy Officer is responsible for assessments, notifications, and record-keeping.
Directors are responsible for ensuring adequate resources and training are in place.

8. Review

This policy will be reviewed if required by changes in law or business practice.

-- end