Under the Privacy Act 1993, although encouraged as best practice, agencies (which includes Maori Trusts, Incorporations, Businesses and iwi and hapu organisations)  do not currently have to report a privacy breach.

The incoming Privacy Act 2020, set to come into force on 01 December 2020, will make reporting of privacy breaches mandatory, if they classify as a “notifiable privacy breach”.

What is a privacy breach?

The new Act provides two interpretations of what a privacy breach is, in relation to personal information held by an organisation (agency). These include:

  • unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
  • an action that prevents the agency from accessing the information on either a temporary or permanent basis.

The first meanings is what is commonly understood to be a privacy breach. This includes incidents such as unauthorised access to a system, losing devices such as laptops or USBs that contain personal information (eg lists of registered Maori owners, iwi memberships, whakapapa records) or accidentally disclosing personal information to the wrong person.

The second meaning encompasses incidents such as ransomware attacks. This form of cyberattack has become increasingly common in recent years.

In a ransomware attack, an outside user gains access to systems or databases, and either locks the users out or encrypts their files. Often the hacker will subsequently demand a financial payment in return for restoring access or providing a key to decrypt files. There have been several incidents where organisations have refused to make payment, and sensitive information has been deleted or released to the public.

When is a breach notifiable?

A privacy breach is notifiable when it is reasonable to believe the breach has caused, or is likely to cause, serious harm to the affected individual(s). The Act provides several factors that an agency must consider when deciding if a breach is notifiable including:

  • any action taken by the agency to reduce the risk of harm following the breach;
  • whether the personal information is sensitive in nature;
  • the nature of the harm that may be caused to affected individuals;
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known);
  • whether the personal information is protected by a security measure; and
  • any other relevant matters.

It is important to note that the breach is notifiable when it is reasonable to believe the breach has, or is likely to cause, serious harm. If or when the belief is “reasonable” is a matter for the organisation to determine. Organisations need to understand that a failure to notify the Commissioner of the breach, where reasonable belief exists, is an offence punishable with a fine of up to $10,000.

Who must the breach be reported to?

If the breach is notifiable, it must be reported to the Privacy Commissioner and the affected individual. The agency must notify the affected individual as soon as reasonably practicable after becoming aware that a notifiable breach has occurred (unless an exception applies).

The Act provides a detailed list of requirements that must be included in a notification to the Commissioner or affected individual.

A notification to the Commissioner from an organisation must:

  1. Describe the privacy breach, including:

    • the number of affected individuals (if known); and
    • the identity of any person or body that the organisation suspects may be in possession of personal information     as a result of the privacy breach (if known).
  2. Explain the steps that the agency has taken or intends to take in response to the privacy breach, including whether any affected individual has been or will be contacted;

  3. if the agency is intending to give public notice of the breach, set out the reasons justifying that action (this can only be done in special circumstances set out in the Act);

  4. if the agency is relying on an exception, or is delaying notifying an affected individual or giving public notice, state the exception relied on and set out the reasons for relying on it or state the reasons why a delay is needed and the expected period of delay;

  5. state the names or give a general description of any other agencies that the organisation has contacted about the privacy breach and the reasons for having done so; and

  6. give details of a contact person within the organisation for inquiries.

A notification to an affected individual or a representative must:

  1. Describe the notifiable privacy breach and state whether the organisation has or has not identified any person or body that the agency suspects may be in possession of the affected individual’s personal information (but, must not include any particulars that could identify that person or body , unless certain exceptions apply);
  2. explain the steps taken or intended to be taken by the organisation in response to the privacy breach; and
  3. where practicable, set out the steps the affected individual may wish to take to mitigate or avoid potential loss or harm (if any);
  4. confirm that the Commissioner has been notified;
  5. state that the individual has the right to make a complaint to the Commissioner; and
  6. give details of a contact person within the organisation for inquiries.

A notification to an affected individual may identify a person or body that has obtained or may obtain that affected individual’s personal information (where the identity is known) if the organisation believes on reasonable grounds that identification is necessary to prevent or lessen a serious threat to the life or health of the affected individual or another individual.

A notification to an affected individual must not include any particulars about any other affected individuals. Notifications must be done individually or in such a way that others’ personal information is not disclosed. Do not send out bulk emails which show the email addresses etc of everyone.

Notification must be made as soon as practicable, but may be provided bit by bit, provided it is done as soon as practicable.

Mandatory breach reporting will be a new process for Maori organisations. It is important that you understand, and have a plan in place, on how to respond to potential privacy breaches, otherwise you could face expensive fines and damage to your reputation.

Leading law firms committed to helping clients cost-effectively will have a range of fixed-priced Initial Consultations to suit most people’s needs in quickly learning what their options are.  At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.

Alan Knowsley
Privacy Lawyer
Wellington, New Zealand


If you are a New Zealand Super Gold Card Holder (Australian Senior Cards do not qualify) we will give you a 75% discount off our initial 1 hour consultation fee. We will also give you a 17.5% discount off the first matter we handle for you and then 12.5 % off any subsequent matters for you.  These discounts relate to your personal matters only (i.e. not business or organisational matters).