19 Dec 2022, 14:00

Urgency and care are always needed when a data breach occurs. 

There are lessons to be learned from the Archives New Zealand data breach that resulted in records containing sensitive health information being made publicly accessible, says Privacy Commissioner Michael Webster.

“We acknowledge today’s public apology from Archives New Zealand to the affected individuals. People need to be put first and this Office expects notification of breaches to be carefully handled and with pace.

“We understand the mere knowledge that someone may have looked at your sensitive health information could be triggering and cause distress. We encourage you to reach out to people you trust for support.” 

Every government agency and every business that holds people’s personal information must take their obligations to protect it seriously and that includes letting people know when their data has been accessed by someone who should not be accessing it. Care also needs to be taken when informing individuals, Mr Webster said.

The Privacy Act allows for individuals to not be informed where knowing that their data had been breached would cause them greater harm, but this is the exception not the rule.

“Agencies holding sensitive and personal information need to include in their incident response planning how they are going to make decisions whether to contact and how they will go about contacting affected individuals. This will allow good decisions to be made safely and quickly. This is even more important when there are multiple agencies involved as there are in this case.”

Anyone harmed by the privacy breach can make a complaint to the Office of the Privacy Commissioner.

Please contact the Office via online or call 0800 803 909.

For media enquiries: 021 959 050