Data breaches

Data breaches happen often. Businesses and organisations can lose or leak personal information through complacency, inadequate security, poor procedures or rare accidents.  

This new section on our website is designed to be a comprehensive resource to help you and your business or organisation with answers and examples for when you have to manage a data breach. 

Taking data breaches seriously

Data breaches can range from the loss of one person’s information to the loss of hundreds of thousands of records. The cause of a breach can be accidental or through the deliberate actions of others.

It is vital to any organisation’s reputation and its relationship with the people who trust it with their information that it does everything it can to prevent a data breach from happening.

But when a data breach occurs, it is important that your organisation does everything it can to minimise the harm the breach might cause to the individuals whose personal information has been lost, and to the organisation itself.

What should I do if there has been a data breach?

If you have become aware that your agency has been involved in a data breach (personal information has been lost or accidentally disclosed), there are four key steps for you to work through. Read more ...

Do we have to report data breaches?

While it’s not compulsory to report a data breach, it’s a good idea to be open about what’s happened and the steps you’re taking to fix it. Read more ...

What should I do if I've emailed a wrong address? 

Act quickly and don’t delay. Send a follow-up email to the person or organisation that was mistakenly sent your email, asking them not to open it and to delete it as soon as possible. Read more ...

To find out more, ask us!

If you have more questions about data breaches and other privacy-related topics, try our AskUs resource. If you have a question and AskUs doesn't answer it, let us know.

Privacy breaches reported to Privacy Commissioner (Year ending 30-6-17)

Or use our Data Safety Toolkit

Our Data Safety Toolkit provides tips to help organisations prevent common mistakes that lead to data breaches, and advises what to do when a breach happens.

How to respond to data breaches - four key steps:

1.  Contain the breach and make a first assessment

2.  Evaluate the risks

3.  Notify affected people if necessary

4.  Prevent a repeat

Recognising types of data breaches and ways to prevent them:  


1.    Preventing the theft or loss of computers, mobile devices and documents

2.    Preventing employees deliberately or accidentally disclosing information

3.    Preventing employee browsing

4.    Storing personal information safely and securely

5.    Disposing or re-using information and documents safely

6.    Lessening the chances of emails and faxes going to wrong destinations

7.    When personal information is published on websites or elsewhere

8.    Keeping software up-to-date and using strong password security

Read the full text of our Data Safety Toolkit

Read about actual cases

We publish blog posts (including our Breach Case series), tips, case notes and media releases on data breaches. Below are some examples. 

8 February 2017:   Breach Case 1: Name your documents clearly: It is so easy to send the wrong attachment with an email, especially if the documents you are selecting to attach are not clearly and distinctly named. We see this type of breach fairly regularly so we thought we’d highlight it in this post. Read more

20 March 2017:  Breach Case 2: Don’t bite when a phisher calls: A recent data breach involved a deliberate email phishing attack on an industry organisation. The email purported to come from the chief executive and requested a copy of the membership list (names and email addresses). Read more ...

7 April 2017:  Breach Case 3: Catches win matches: A recent data breach provided an example of how it is sometimes possible to catch a breach as it is happening and avert potential harm. Read more ...


9 June 2017:  Breach Case 4: Testing with real data:  Sometimes it seems a good idea to use real production data in a test environment.  Security becomes more important.  Read more ...


4 August 2017:  Breach Case 5: Taking client files offsite:  You keep your home safe, don’t you? So there should be no problem taking some work notes home... Read more ...


29 November 2017:  Breach Case 6: Reusing and recycling: Reusing paper that has been printed on only one side can be environmentally friendly and saves costs. But this reuse is not appropriate when dealing with personal information. Read more ...


5 April 2018:  Breach Case 7: Rubbishing privacy: A recent data breach incident provided an example of how your responsibility to protect personal information does not end when you put the rubbish out for collection. Read more ...


Case note 248601 [2013] NZ PrivCmr 4:  Medical practice mitigates future harm after data breach

A doctor working in a suburban medical practice had his car broken into and a bag stolen. The bag contained a USB stick with the personal information of a number of patients, including their names and details of their prescribed drugs and medical diagnosis. Read more ...

Case Note 211257 [2009] NZPrivCmr 16: Several people complain that a government department lost their personal information

A staff member from a government department dropped a file in an Auckland street. The file contained a list with personal information about a large number of individuals. The information was subsequently passed to media outlets. Read more ...

NZ Doctor series - Privacy matters (#44): Don’t dig a bigger hole

A doctor closed the doors of his practice after years of treating patients, and was left with a substantial amount of information to dispose of. Instead of shredding the documents or arranging for some other type of secure destruction, the doctor decided he would bury the records on a beach. The records were soon uncovered by the tides, littering that part of the coastline. Read more ...

Privacy Commissioner monitoring Yahoo hack (September 2016) 

The Privacy Commissioner is monitoring the Yahoo hack that compromised up to 500 million users’ accounts. The hack affects a small portion of the 825,000 email accounts that Spark provides to users through its partnership with Yahoo. Read more ...