The highly anticipated Privacy Bill (the Bill) was introduced to Parliament in March 2018 and is due to come into effect in July 2019.  It will replace the Privacy Act 1993 and aims to bring New Zealand's privacy law framework up-to-date with the digital society we live in.  The reform also brings New Zealand in line with international laws, including the European General Data Protection Regulation (the GDPR).

Mandatory reporting of privacy breaches

A key change introduced by the Bill is the mandatory requirement to notify a privacy breach to the New Zealand Privacy Commissioner (the Commissioner) and the individual affected, reflecting the reporting process under the GDPR.

Clause 118 of the Bill provides that an agency must notify the Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred.  An agency must notify any affected individuals or give public notification where a privacy breach has, or is at risk of causing real harm.1  "Harm" can include loss, detriment or damage to an individual; an adverse affect on the rights, benefits, privileges, obligations or interests of the individual; or humiliation, loss of dignity or injury to feelings.

Under the Bill, a "privacy breach" means:2

  • Any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
  • An action that prevents the agency from accessing the information on either a temporary or permanent basis.

Some examples might include:

  • Inadvertently seeing information;
  • Inadvertently sending information to the wrong person (often caused by autocompletion);
  • A device containing customers' personal information is lost or stolen;
  • A database containing personal information is hacked;
  • Disposal of confidential papers incorrectly;
  • Sharing of passwords; and
  • Sharing data via USB.

Notification requirements

Where notification is required, the agency must inform the Commissioner of the following (inter alia):3

  1. The number of affected individuals (if known);
  2. The identity of any person or body the agency suspects may be in possession of personal information as a result of the privacy breach (if known);
  3. The steps taken or intended to be taken in response to the breach, including whether any affected individual has been or will be contacted;
  4. The names of any other agencies that the agency has contacted about the breach and the reasons; and
  5. Details of a contact person within the agency for inquires (usually the Data Protection Officer).

An agency is required to notify the affected individual of the same matters but must also confirm that the Commissioner has been notified and inform the individual of his or her right to make a complaint to the Commissioner.4Failure to comply with these requirements could result in a fine of up to $10,000.5  Individuals may also have recourse to the Human Rights Tribunal for damages, on the basis of an interference with their privacy.

What does this mean for you?

To ensure compliance, we recommend that all agencies:

  1. Keep records of where information is stored, who has access to it, when it is shared and to who;
  2. Implement a Data Protection Officer who has the responsibility to deal with privacy breaches when they arise and to carry out the notification process;
  3. Provide internal training for staff to ensure they are aware of their privacy obligations;
  4. Maintain watertight security systems; and
  5. Implement internal and external privacy policies.

Download article in PDF format

Related articles
Privacy law shake-up! What does the EU General Data Protection Regulation mean for your company?


1 Privacy Bill 2018, clause 119.

2 Clause 117.

3 Clause 121.

4 Clause 121.

5 Clause 122. Note this penalty is low compared to that under the GDPR (up to €20 million).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.