Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

Website logo 275x60

Your responsibilities

Print | Email this page

Privacy breaches

Preventing privacy breaches

Responding to privacy breaches

Reporting privacy breaches (NotifyUs)

What is a privacy breach?

A privacy breach occurs when an organisation or individual either intentionally or accidentally:

  • Provides unauthorised or accidental access to someone's personal information.
  • Discloses, alters, loses or destroys someone's personal information
  • A privacy breach also occurs when someone is unable to access their personal information due to, for example, their account being hacked.
Under the Privacy Act 2020, if your organisation or business has a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.

As a guide, our expectation is that a breach notification should be made to our Office no later than 72 hours after agencies are aware of a notifiable privacy breach.

What is serious harm?

The unwanted sharing, exposure or loss of access to people’s personal information may cause individuals or groups serious harm. Some information is more sensitive than others and therefore more likely to cause people serious harm.

Examples of serious harm include:

  • Physical harm or intimidation 
  • Financial fraud including unauthorised credit card transactions or credit fraud 
  • Family violence
  • Psychological, or emotional harm

You can report your privacy breaches to us through NotifyUs.

Other types of privacy breach

  • If you want to notify us about a privacy breach of your own information, or on behalf of someone about a breach of their personal information, please make a privacy complaint.
  • If you have received someone else's information or you want to alert us to a privacy breach by an organisation but you are not reporting it on their behalf, please contact us on 0800 803 909 or use our secure online enquiries form. Find out more about receiving other people's information here.
  • Please report any computer system vulnerability issues to CERT NZ
     

Further information 

Read our Privacy breach guidelines - How to Prevent and Respond to Privacy Breaches

Back to top