The Office of the Privacy Commissioner (OPC) has recently been warning individual organisations about specific privacy breaches that have been raised with the OPC.

Mandatory reporting of notifiable privacy breaches

The Privacy Act 2020 took effect on 1 December 2020 and the law has changed.  It is now mandatory to report a “notifiable” privacy breach to the OPC as soon as practicable.  A notifiable breach is any breach with a likelihood of serious harm

Guidance from the OPC indicates that reporting should take place within 72 hours of the breach occurring, unless there is a good excuse for delay. 

The OPC has also indicated that organisations notifying them should do so as information comes to light, even if that means reporting piece by piece, rather than delaying until more information is available or until the matter is resolved.  Notification delays can increase the serious consequences of privacy breaches, resulting in even more harm to the affected individual/s.


The Privacy Commissioner has the power to fine up to $10,000 for failing to notify the OPC of a privacy breach.  There are also other fine and enforcement powers available the Commissioner. 

Privacy breaches can have other significant consequences, including reputational damage (as a breach can seriously damage an organisation’s “brand”) and financial costs in addition to fines such as loss of revenue. 

Recent examples

The OPC has provided three specific examples where organisations were warned for taking too long to report privacy breaches.

  • A former employee of “Organisation A” had been using personal information obtained during their employment to tell customers about their new business. The organisation had a legal responsibility to notify the OPC as this was a serious privacy breach.
  • “Organisation B” sent letters containing sensitive information to some of its clients and discovered that many of the letters had been sent to outdated addresses. During the organisation’s investigation of the situation, it notified the OPC but this was not until three months after the breach had occurred.
  • “Organisation C” did not notify the OPC of a serious privacy breach until two months after it had been identified despite their internal policies requiring that the OPC be notified as soon as possible. The OPC advised that the breach should have been reported as soon as it was identified, and waiting until it was resolved was unnecessary.

In all three cases, the OPC did not prosecute, but made recommendations and advised the organisations that further action including prosecution might be taken if similar complaints were received in the future.  It is likely that the OPC will take an increasingly strong approach to failures to notify privacy breaches, as organisations have had time to get to grips with the new legislation. 

If you think your organisation has experienced, or is experiencing, a privacy breach, you should seek urgent advice from a privacy professional. 

If you are unsure of your business or organisation’s obligations under the new Privacy Act 2020, an experienced privacy professional will be able to provide you with tailored advice to ensure that your policies and processes are robust, to best avoid privacy breaches.