Privacy Act 2020 — Sections 113–120

Privacy breaches — what you must do in New Zealand

If a privacy breach is likely to cause serious harm, you must notify both the Privacy Commissioner and the affected individuals. Here's exactly what that means.

Privacy Act 2020, Sections 113–120 — notifiable breach obligation

What is a privacy breach?

Unauthorised access, disclosure, loss, modification, or inability to access personal information — including hacking, sending to the wrong person, misplacing devices, and documents left in public places.

Not all breaches require notification

Only those likely to cause serious harm

Assess: sensitivity of the information (health, financial, identity), potential for identity theft or fraud, safety implications, number affected, and vulnerability of those affected. When in doubt, notify.

Notifying the Privacy Commissioner

As soon as practicable

Notify at privacy.org.nz/tools. Include: description of breach, information involved, how many affected, steps taken in response.

Notifying affected individuals

Tell them: what happened, what information was involved, what you are doing about it, what they can do to protect themselves, and your contact details.

Penalty for failure to notify

Failing to notify a notifiable breach is an offence — fine up to $10,000. The Privacy Commissioner can also investigate and direct compliance.

Have a response plan

Before you need it: who is responsible, how to assess severity, who to notify internally and externally, how to communicate with affected people, and how to document the incident.

Source: Privacy Act 2020, Sections 113–120. Notify at privacy.org.nz/tools. General information only.

Frequently asked questions

How quickly must I notify?

As soon as practicable — ideally within 72 hours for serious breaches. No specific timeframe in the Act.

What if a third party caused the breach?

You remain responsible. The notification obligation is yours. Include breach notification requirements in service provider contracts.

Do I notify for a misdirected email?

Depends on content. A single email with non-sensitive information to an internal wrong recipient: unlikely notifiable. Health information to an external party: likely notifiable.

What should our breach response team look like?

Privacy officer (leads), IT/security (contain), legal (advice), communications (messaging). Senior management for serious breaches.

Health and social service providers: manage your privacy obligations

Workstep gives your team instant answers from the Privacy Act, HIPC, and your own privacy policies.
