Your responsibilities

What is a privacy breach?

A privacy breach occurs when an organisation or individual either intentionally or accidentally:

Provides unauthorised or accidental access to someone's personal information.
Discloses, alters, loses or destroys someone's personal information
A privacy breach also occurs when someone is unable to access their personal information due to, for example, their account being hacked.

Under the Privacy Act 2020, if your organisation or business has a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.

As a guide, our expectation is that a breach notification should be made to our Office no later than 72 hours after agencies are aware of a notifiable privacy breach.

What is serious harm?

The unwanted sharing, exposure or loss of access to people’s personal information may cause individuals or groups serious harm. Some information is more sensitive than others and therefore more likely to cause people serious harm.

Examples of serious harm include:

Physical harm or intimidation
Financial fraud including unauthorised credit card transactions or credit fraud
Family violence
Psychological, or emotional harm

You can report your privacy breaches to us through NotifyUs.

Other types of privacy breach

If you want to notify us about a privacy breach of your own information, or on behalf of someone about a breach of their personal information, please make a privacy complaint.
If you have received someone else's information or you want to alert us to a privacy breach by an organisation but you are not reporting it on their behalf, please contact us on 0800 803 909 or use our secure online enquiries form. Find out more about receiving other people's information here.
Please report any computer system vulnerability issues to CERT NZ.