Privacy for agencies

A privacy breach happens when personal information that is supposed to be securely held by an agency (business or organisation) ends up somewhere it shouldn’t be. It can be accidental or on purpose. These are all examples of privacy breaches:

  • Unauthorised or accidental access to someone's personal information.
  • Hacking.
  • Phishing attack that tricks you into revealing personal information.
  • Employee browsing.
  • Sharing, altering, losing, or destroying someone’s personal information, regardless of whether that is physical or electronic.
  • Being unable to access the information you hold because, for example, your account has been subject to a ransomware attack.

Under the Privacy Act 2020, if your organisation or business has a privacy breach that either has caused (or is likely to cause) anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.

Some say it’s not a matter of “if” an agency will have a privacy breach but “when”. We recommend agencies prepare by having a breach management plan and that they practise it through group scenarios so they are prepared and can act efficiently when the time comes.

Poupou Matatapu is a free, online toolkit to help agencies (businesses and organisations) do privacy well.

Doing privacy well is essential for compliance and risk management, but it also helps your organisation to improve its data quality, innovation, customer and stakeholder trust, and decision-making processes. A strong privacy culture is increasingly a competitive advantage. 

You might receive a complaint from a person affected by a privacy breach, and it’s important that you have good processes in place to deal with that. Read our guidance about responding to requests and complaints well. 

What is serious harm?

Some types of information are inherently more sensitive than others, and therefore more likely to cause serious harm. You should also consider what you know about the people who have been impacted by the breach, as some people are particularly vulnerable or at a greater risk of harm, for example, victims of family violence. 

Types of serious harm include:

  • Physical harm or intimidation.
  • Financial fraud, including unauthorised credit card transactions or credit fraud.
  • Identity theft.
  • Psychological or emotional harm.
  • Employment harm such as the loss of a job opportunity or work assignment.
  • Blackmail, e.g. the threat of publishing sensitive information.
  • Threats to national security.
  • Kidnapping.
  • Theft of significant amounts of money.
  • A risk that an individual’s life could be in danger.

Organisations should work with affected individual(s) to identify the type of serious harm suffered as a result of a privacy breach. You should also consider the cultural perspectives of people who’ve had their privacy breached.

If you suspect a privacy breach may result in imminent harm to an individual, you should call NZ Police on 111 immediately, before reporting the breach to OPC through Notify Us.

Other types of privacy breach

  • If you want to tell us about a privacy breach of your own information, or tell us on behalf of someone else (with their permission), please complain to the Privacy Commissioner.
  • If you’ve received someone else's information or you want to alert us to a privacy breach by an organisation but you’re not reporting it on their behalf, please contact us.
  • Please report any computer system vulnerability issues to the National Cyber Security Centre (NCSC).