To report a privacy breach online, use our NotifyUs tool.
If you become aware of a privacy breach at your organisation, respond as quickly as possible. This will help minimise any harm caused to the affected people and your organisation, and help you preserve and rebuild trust with those affected.
These are four key steps in dealing with a privacy breach:
Complete the first three steps either at the same time or in quick succession. Use step four to ensure you learn from the breach and can put in place longer-term solutions and prevention strategies.
Every privacy breach has a different level of risk and impact. Evaluate and respond to them on a case-by-case basis.
Once you discover a privacy breach, contain it immediately and find out what went wrong. You could contain a breach by:
Find the right person in your organisation to do an initial investigation and make recommendations. Your organisation can do a more detailed review later. You may need to put together a team that includes other people with the expertise to deal with the situation, such as IT analysts or risk advisers.
Inform the person in your organisation who is responsible for privacy issues and figure out who else you need to tell. Consider whether to inform your:
Notify Police if the breach appears to involve theft or other criminal activity. Be careful not to destroy evidence that your organisation or Police might need to find the cause of the problem or fix the issue.
Assessing the impact of the privacy breach will help you figure out your next steps. You can take a self-assessment to help you determine the seriousness of your privacy breach using our NotifyUs tool.
You should consider:
The more sensitive the information, the higher the risk of harm to the people affected.
A combination of personal information is usually more sensitive than a single piece of personal information. Health information, driver licence numbers, and credit card details can all cause harm on their own, but together they could be used for identity theft.
For example, a list of customers on a newspaper delivery route may not be sensitive. But the same information about customers who have requested that their deliveries be stopped while on holiday would be useful information to criminals.
If the information doesn’t have a password or encryption, then there’s a greater risk of someone misusing it.
Try and find out what caused the breach and if there’s a risk of further breaches.
Try and identify the size of the breach, including:
Think about this from the point of view of the people affected. Types of harm could include:
Information in the hands of people with unknown or malicious intentions can be of great risk to the people affected. The risk will be lower if you know the information went to a trusted person or organisation, and you expect them to return it.
You should be open and transparent with people about how you’re handling their personal information.
If people could suffer serious harm as a result of your organisation's privacy breach, you should inform them (unless an exception applies) about the breach to give them the opportunity to act to protect themselves. For instance, they may need to change their passwords or monitor their bank accounts for malicious activity.
If the consequences from the breach are minimal or minor, or if telling people would cause more worry and harm than not telling them, it may be acceptable not to tell the affected individuals.
Under the Privacy Act 2020, if your organisation or business has a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.
As a guide, our expectation is that a breach notification should be made to our Office no later than 72 hours after agencies are aware of a notifiable privacy breach. Use our online NotifyUs tool to help you assess and report privacy breaches: NotifyUs of a privacy breach.
It isn’t always necessary to notify people of a breach. If there’s no risk of harm, notifying may do more harm than good. You need to consider each incident on a case-by-case basis. Think about:
Use all the facts you have about the situation to decide whether you should notify the people affected. If you decide to notify, do it as soon as reasonably possible. However, if law enforcement is involved, check with them first in case you compromise their investigation.
Under the Privacy Act 2020 it is compulsory to report privacy breaches that have caused serious harm, or are likely to do so.
If you are unsure as to whether the breach is a serious one, our NotifyUs tool will help you make that assessment. You can also contact our office and discuss the matter with us.
It’s usually best to notify the people affected directly, such as
You should only notify people indirectly (e.g. through website information, posted notices, or the media) if:
Consider notifying vulnerable people through or with a support person.
It may be appropriate to notify people in more than one way.
The organisation that has a direct relationship with the person affected should be the one to notify them.
For example, if a retailer loses the credit card information, the credit card company would be the best organisation to inform the customer. But if a courier company leaves a parcel on a doorstep and it’s stolen, the organisation that sent the parcel should tell the affected person.
Your breach notifications should contain:
Consider any obligations of confidentiality and decide whether you should inform:
You may also have legal obligations to report the privacy breach to other organisations, and contractual or professional obligations to report it to other parties.
If the incident involves computer systems, then you should report the incident to CERT NZ.
If the incident involves the possibility of identity theft, you may want to contact IDCare.
How you respond to media interest in your breach can be just as important to your organisation's reputation as the breach itself. Get a senior team together immediately to coordinate your organisation’s media response. Responding to journalists quickly will show that you’re treating the incident seriously and not hiding from news coverage.
Consider your messages carefully before you deliver them. Get the tone right. Accept the blame and apologise if necessary. Demonstrate empathy for those most affected by the breach. Show that the wellbeing of those who may have been harmed is your organisation’s highest priority.
Feed the news cycle and keep journalists informed about what you’re doing. Appointing one spokesperson is the best way to make sure your messages are consistent and not contradictory. Media conferences can be an effective way of getting your organisation’s response in front of the public.
Monitor news media reports and social media about the incident. Address misinformation and disinformation and incorporate your responses into your wider communications and media strategy.
The most effective way to prevent future breaches is to have a well-thought-out security plan for all personal information. The International Organisation for Standardisation has standards that are a strong starting point:
Information security management systems (ISO/IEC 27001:2013)
In the aftermath of a breach, take the time to investigate the cause of the breach and update your prevention plan. Review your organisation’s policies so you minimise the collection and retention of personal information.
The amount of effort you put in should reflect the significance of the breach, and whether it happened because of a systemic problem or an isolated event. It could include a:
Review your improved prevention plan regularly to make sure it works, and your organisation is implementing it.