Do we have to report privacy breaches?

You should definitely report the breach to your organisation's privacy officer.

Your privacy officer will have to report a serious privacy breach by your agency to the Privacy Commissioner.

Our privacy breach self-assessment tool will help you assess the seriousness of the privacy breach and whether you have to tell our office. https://privacy.org.nz/responsibilities/privacy-breaches/notify-us/evaluate(external link)

Report privacy breaches to our office by using our online NotifyUs reporting tool.(external link) 

You may also have legal obligations to report the privacy breach to other organisations; and you may also have contractual and professional obligations to report the breach to other parties.

If the incident involves computer systems, then you should report the incident to CERT NZ(external link).

If the incident involves the possibility of identity theft, you may want to contact IDCare(external link).

Updated October 2021