Our lawyers keep up with the latest trends and issues in New Zealand law and business, and regularly publish articles and reports on current topics.

Email me when new articles are published

Privacy Breach Reporting

Written by David Alizade PARTNER on August 30th, 2021.    

Legal UpdatePNG

 Serious Breach Notifications under the Privacy Act 2020

August 2021

The Privacy Act 2020 (Act) is now more than six months old. Under the Act, organisations must report serious privacy breaches to the Office of the Privacy Commissioner (OPC) – predictably, this has resulted in a large increase in the number of privacy breaches being reported. 

This update runs through the types of breaches that have been reported so far, and new guidance issued by the OPC in relation to breach reporting.


In May, the OPC published this breach notification infographic, analysing the serious privacy breaches notified to the OPC during the first four months of the Act. The key patterns identified are:

  • Reported breaches have almost doubled following the introduction of the Act, with 76 serious privacy breaches notified in the first four months of the Act.
  • Email error was the most common type of privacy breach reported, making up 25 percent of all reported breaches.  It was closely followed by unauthorised sharing of personal information (21%).
  • Notification of individuals – only 65% of serious breaches reported to the OPC had also been notified to individuals at the time of reporting. The OPC has commented that as the grounds for not notifying individuals are narrow, they will be looking into this further.

The OPC recently published an article on privacy breaches, in which they said they were now taking a “more proactive approach” to remind and warn organisations about their responsibilities.

The OPC criticised the time it was taking some organisations to notify breaches, and said that, unless there were “extenuating circumstances”, a serious privacy breach should be reported within 72 hours of the organisation becoming aware of it.


There are simple practical steps you can take to minimise your risk of a serious privacy breach and ensure that you report any notifiable breaches promptly:

  • Email: Double check the recipient and attachments before sending, to ensure they are correct.  Use the “BCC” function where appropriate.
  • Security: Restrict access to personal information to only those people who need to see it.
  • Educate: Educate your staff on privacy. This will help prevent breaches occurring, and increase your likelihood of identifying and responding to a privacy breach quickly.
  • Response Plan: Have a privacy breach response plan in place – so you are ready to respond if a breach occurs.
  • Audit: Audit your privacy practices using our “Privacy Warrant of Fitness”, available here

If you have any questions about privacy, or would like our help to comply with the Act, please get in touch.

Disclaimer: The information contained in this publication is of a general nature and is not intended as legal advice.  It is important that you seek legal advice that is specific to your circumstances.

All rights reserved © Jackson Russell 2021


David Alizade Publications
David Alizade,
Topics: Commercial , Privacy

Level 13, 41 Shortland Street, Auckland 1010, New Zealand

PO Box 3451, Auckland 1140, New Zealand

+64 9 303 3849

Linkedin Circle-26