SecurityPolicy.com.au
Home/ New Zealand/ Regulatory/ New Zealand Notifiable Privacy Breaches: A Practical 2026 Guide
New Zealand Regulatory Law Reviewed 2026-07-13

New Zealand Notifiable Privacy Breaches: A Practical 2026 Guide

Serious harm
Threshold for mandatory Privacy Act notification
6
Section 113 factors for assessing serious harm
As soon as practicable
Statutory timing for notifying OPC and affected individuals
NZ$10,000
Maximum fine for unjustified failure to notify the Commissioner
Why this guide exists

High-demand incident-response guide: New Zealand businesses regularly need to decide whether an email error, lost device, compromised account, ransomware event or supplier incident crosses the serious-harm threshold and what must happen next.

What is a notifiable privacy breach under the Privacy Act 2020?

A privacy breach occurs when personal information is accessed, disclosed, altered, lost or destroyed without authorisation or by accident, or when an action prevents an agency from accessing the information temporarily or permanently. This can include misdirected email, inappropriate staff access, lost records, compromised accounts, ransomware and incidents at service providers. It becomes a notifiable privacy breach when the agency has reasonable grounds to believe the breach has caused serious harm to an affected individual or is likely to do so. Not every security incident is a privacy breach, and not every privacy breach is notifiable. The business should nevertheless record and assess each suspected breach promptly because the threshold can change as facts emerge. A related cyber incident may also be reported to NCSC for technical support or national cyber reporting, but that is separate from Privacy Act notification to OPC.

How this differs by situation
  • Privacy breach — An unauthorised or accidental event involving personal information, including loss of availability.
  • Notifiable privacy breach — A privacy breach reasonably believed to have caused serious harm or to be likely to cause serious harm.
  • Cyber incident response — NCSC reporting may run alongside OPC notification but does not replace it.
PUT THIS IN YOUR POLICY, EXACTLY

All suspected losses, disclosures, unauthorised access, alterations, destruction or unavailability of personal information must be reported immediately to our Privacy Officer. We will promptly determine whether the event is a privacy breach and whether it has caused, or is likely to cause, serious harm. We will not assume that a cyber incident is automatically notifiable, or that a non-cyber incident is harmless.

The "serious harm" test — how is it assessed (the section 113 factors)?

Serious harm is a contextual assessment, not a checklist where one factor decides the answer. Section 113 requires the agency to consider: actions taken to reduce the risk of harm; the sensitivity of the information; the nature of the harm that may be caused; the person or body that obtained or may obtain the information, if known; whether the information was protected by a security measure such as effective encryption; and any other relevant matter. Relevant harm can include identity theft, financial loss, physical danger, humiliation, discrimination, blackmail, employment harm or significant emotional distress. The likely effect on the particular people matters, including vulnerability and cultural context. Effective containment may lower the risk, but an unknown recipient, missing device or lack of confirmed misuse does not automatically make a breach non-notifiable. Record the evidence and reasoning for every factor and reassess when new information arrives.

How this differs by situation
  • Information and safeguards — Consider sensitivity, volume, identifiability, encryption, access controls and whether protection remains effective.
  • Recipient and affected people — Consider who obtained or may obtain the information and the circumstances or vulnerabilities of affected individuals.
  • Likely harm and mitigation — Consider plausible consequences, containment already achieved and any remaining pathway to serious harm.
PUT THIS IN YOUR POLICY, EXACTLY

Our serious-harm assessment will address every factor in section 113 of the Privacy Act 2020: mitigation already taken; sensitivity of the information; nature of possible harm; who obtained or may obtain the information; whether effective security measures protected it; and any other relevant circumstances. The assessment must state the evidence, uncertainties, decision-maker, decision time and reasons, and must be revisited when material facts change.

When and how must I notify the Privacy Commissioner and affected individuals? (NotifyUs; "as soon as practicable")

Once an agency becomes aware that a notifiable privacy breach has occurred, it must notify the Privacy Commissioner as soon as practicable and must also notify each affected individual as soon as practicable, unless a statutory exception or permitted delay applies. Notify OPC through the online NotifyUs tool. OPC says notification should ideally occur within 72 hours of becoming aware that the breach is notifiable, even where the investigation is incomplete, but 72 hours is guidance rather than a fixed statutory deadline. The agency can submit the information available and update OPC as the facts develop. Do not wait for a final forensic report if the serious-harm threshold is already reasonably met. If direct contact with every affected person is not reasonably practicable, public notice may be used in accordance with the Act and regulations. For a cyber incident, the organisation may also report to NCSC through its current business and individual reporting pathway; that report is additional to, not a substitute for, NotifyUs.

How this differs by situation
  • Office of the Privacy Commissioner — Submit through NotifyUs as soon as practicable and provide updates as the investigation develops.
  • Affected individuals — Notify directly as soon as practicable unless a specific statutory exception or delay applies.
  • National Cyber Security Centre — Use NCSC's current cyber-reporting channel where relevant, alongside the Privacy Act process.
PUT THIS IN YOUR POLICY, EXACTLY

When we reasonably determine that a privacy breach has caused, or is likely to cause, serious harm, we will notify the Privacy Commissioner through NotifyUs and notify affected individuals as soon as practicable. We will aim to notify OPC within 72 hours of becoming aware that the breach is notifiable, recognising that this is OPC guidance rather than a fixed statutory deadline. We will not delay notification solely to complete forensic work and will update notifications as material facts develop.

What must the notification contain, and how do I notify individuals?

The notification to OPC should describe the breach; state the number of affected people if known; identify any person or body suspected of possessing the information if known; explain steps taken or planned in response; say whether affected people have been or will be contacted; explain any public-notice approach, exception or delay; identify other agencies notified; and provide a contact person. The notice to an affected individual should describe the breach, explain what the agency has done, give practical steps the person can take to reduce harm, confirm that OPC has been notified, explain the right to complain to OPC and provide a contact person. It should not reveal personal information about other affected people and ordinarily should not name a suspected recipient. Notification can be by phone, email, letter or in person, using a channel reasonably likely to reach the person. If direct contact is not reasonably practicable, public notice must be free, publicly accessible and delivered in a way likely to reach affected people. Information may be provided incrementally, but available information must be given as soon as practicable.

How this differs by situation
  • Commissioner notification — Provide scope, cause, likely possession, response, communication status, exceptions, other agencies and a contact person.
  • Individual notification — Explain what happened, likely impact, protective steps, complaint rights and how to contact the agency.
  • Delivery method — Use direct, accessible channels where practicable; public notice is a fallback, not the default.
PUT THIS IN YOUR POLICY, EXACTLY

Our affected-person notice will state what happened, the personal information involved, what we have done, what the person can do to reduce harm, that we have notified the Privacy Commissioner, how to complain to OPC, and how to contact us. We will not disclose another affected person's information or ordinarily identify a suspected unauthorised recipient. We will use a direct and accessible channel wherever reasonably practicable and will provide further updates when material information becomes available.

Exceptions and delay grounds for notifying individuals (e.g., security risk, would prejudice an investigation, multiple agencies)

The exceptions are limited and should be interpreted narrowly. Notification to an affected individual or public notice is not required to the extent that it would be likely to prejudice New Zealand's security, defence or international relations; prejudice the maintenance of the law, including prevention, investigation and fair-trial interests; endanger a person's safety; or reveal a trade secret. There are additional individual circumstances involving a person under 16 where notification would be contrary to their interests, and health situations where disclosure would be likely to prejudice the person's health after practicable consultation with a health practitioner; notification to a representative should then be considered. Notification to individuals may be delayed where immediate notice would create a security risk for personal information held by the agency and that risk outweighs the benefits of informing people. The delay lasts only while those grounds continue and does not postpone the duty to notify OPC. Where several agencies are involved, they may coordinate and agree that one will communicate on behalf of all, but each remains responsible for ensuring the legal duties are met. An internal investigation, reputational concern or incomplete facts are not standalone exceptions.

How this differs by situation
  • Statutory exceptions — Use only the grounds in section 116 and record why the particular harm is likely.
  • Temporary security delay — Delay affected-person notice only while the security risk outweighs the benefit of notice; OPC notification remains due.
  • Multiple agencies and providers — Coordinate a clear notification owner without assuming that contractual delegation removes legal responsibility.
PUT THIS IN YOUR POLICY, EXACTLY

We will withhold or delay notification to affected individuals only where a specific ground in section 116 of the Privacy Act 2020 applies. The decision must identify the statutory ground, evidence, affected people, approving officer, review date and expected duration. A delay applying to individuals will not delay notification to the Privacy Commissioner. Where several agencies are involved, we will document who will notify, on whose behalf, and how each agency will confirm that its obligations were met.

Penalties and enforcement for failing to notify

An agency that, without reasonable excuse, fails to notify the Privacy Commissioner of a notifiable privacy breach commits an offence and can be fined up to NZ$10,000. Fixing the breach afterwards is not a defence to that offence. The Act provides a defence where the agency reasonably considered that the breach was not notifiable, which makes a contemporaneous, evidence-based assessment important. Failure to notify affected individuals is treated differently: it is not the specific section 118 offence, but it may amount to an interference with privacy and lead to an OPC complaint, investigation, settlement, compliance action or Human Rights Review Tribunal proceedings and remedies. Deliberate concealment, misleading information or failure to cooperate can also create additional legal and reputational exposure. The statutory offence fine is comparatively modest, but response costs, customer harm, contractual claims, remediation and loss of trust can be much larger.

How this differs by situation
  • Failure to notify OPC — A criminal offence without reasonable excuse, carrying a maximum NZ$10,000 fine.
  • Failure to notify individuals — May constitute an interference with privacy and support complaints, investigation and Tribunal remedies.
  • Decision-makers — A documented reasonable assessment is central to demonstrating why a breach was treated as not notifiable.
PUT THIS IN YOUR POLICY, EXACTLY

No employee, contractor or manager may conceal, minimise or delay escalation of a suspected privacy breach. Decisions not to notify must be approved by the Privacy Officer or authorised delegate and supported by a written section 113 assessment. Remediation does not remove a notification duty. We will preserve evidence, cooperate with OPC and correct any notification promptly if later facts show that the original assessment was incomplete or wrong.

The practical assessment process and the evidence to keep

Start by containing the incident without destroying evidence. Confirm what happened, when it began, when the agency became aware, whether it is ongoing, what personal information and people are affected, who accessed or may access it, and what protective measures were actually effective. Apply all section 113 factors, record uncertainties and seek technical, privacy or legal input proportionate to the incident. Keep a decision log covering the timeline, systems, information types, affected-person estimates, containment, likely harms, recipient, encryption or other controls, section 113 analysis, notification decision, exceptions, approvals, communications, NCSC or other agency reports and subsequent updates. Record non-notifiable breaches and near misses as well as notified events. Reassess if forensic work changes the scope or if containment fails. After resolution, conduct a root-cause review, assign corrective actions and test that changes were implemented. The incident register is itself sensitive and should have restricted access.

How this differs by situation
  • Contain and establish facts — Stop further exposure, preserve evidence and establish a reliable incident timeline.
  • Assess and decide — Apply section 113, document uncertainty, record approvals and make notification decisions without waiting for perfect certainty.
  • Learn and improve — Keep the breach register, complete root-cause analysis and verify corrective actions.
PUT THIS IN YOUR POLICY, EXACTLY

For every suspected privacy breach, we will keep a restricted incident record showing: discovery and occurrence dates; systems and information involved; affected-person estimate; cause and recipient; containment and mitigation; every section 113 factor; uncertainties; advice obtained; decision-maker and decision time; OPC, individual and NCSC notifications; any exception or delay; updates; root cause; and corrective actions. We will record non-notifiable breaches and near misses and reassess decisions when material facts change.

How this differs from the Australian NDB scheme (no fixed 30-day assessment period; "as soon as practicable"; much lower penalties; serious-harm threshold)

New Zealand and Australia both use a serious-harm concept and generally require notification to the privacy regulator and affected people, but the processes are not interchangeable. In New Zealand, the Privacy Act 2020 requires notification as soon as practicable after the agency becomes aware that a breach is notifiable. New Zealand has no fixed statutory 30-day assessment period and OPC's preferred 72-hour reporting expectation is guidance, not a legal deadline. Australia's Notifiable Data Breaches scheme requires a reasonable and expeditious assessment where an entity suspects an eligible data breach, with all reasonable steps generally completed within 30 days. New Zealand's specific offence for unjustified failure to notify OPC carries a maximum NZ$10,000 fine. Australia's broader Privacy Act civil-penalty regime for serious interferences with privacy can expose bodies corporate to penalties far higher than New Zealand's notification offence, although the Australian maximum is not automatically imposed for every NDB failure. A business operating in both countries should run a jurisdiction-specific assessment rather than importing Australia's 30-day process or penalty language into a New Zealand policy.

How this differs by situation
  • New Zealand — Assess using sections 112 and 113 and notify as soon as practicable; 72 hours is OPC guidance.
  • Australia — The NDB scheme generally expects reasonable and expeditious assessment within 30 days where an eligible breach is suspected.
  • Trans-Tasman organisations — Apply each country's statute, regulator pathway, timing and notice content separately.
PUT THIS IN YOUR POLICY, EXACTLY

For incidents involving New Zealand personal information, we will apply the Privacy Act 2020 serious-harm test and notify as soon as practicable. We will not use Australia's 30-day assessment period as a New Zealand deadline or waiting period. Where an incident affects more than one jurisdiction, we will maintain a jurisdiction matrix covering threshold, regulator, affected-person duties, timing, content and responsible decision-maker for each country.

Common mistakes NZ businesses make

Common mistakes include treating 72 hours as a guaranteed grace period; importing Australia's 30-day assessment window; waiting for complete forensic certainty after the serious-harm threshold is already met; notifying OPC but not affected people; using public notice when direct contact is reasonably practicable; assuming that a provider will notify everyone without confirming legal responsibility; failing to record the section 113 factors; treating encryption as decisive without checking whether it was effective or the key was exposed; minimising a lost device because no misuse has been detected; and keeping no incident log or root-cause actions. Other errors are sending vague notices that omit protective steps and complaint rights, delaying because of embarrassment or reputational concern, and assuming an NCSC report replaces NotifyUs. A constructive response focuses on quick internal escalation, evidence-based decisions, clear human communication and corrective action rather than blame.

How this differs by situation
  • Timing mistakes — Do not treat 72 hours or Australia's 30 days as permission to wait.
  • Assessment mistakes — Apply every section 113 factor, test safeguards and document uncertainty rather than relying on assumptions.
  • Communication and supplier mistakes — Confirm who must notify, contact affected people directly where practicable and provide useful protective guidance.
PUT THIS IN YOUR POLICY, EXACTLY

We will test our privacy-breach procedure at least annually and after material system or supplier changes. The exercise will verify immediate staff escalation, section 113 assessment, NotifyUs access, affected-person contact data, provider responsibilities, NCSC reporting, exception approvals, evidence preservation and post-incident actions. Lessons and assigned improvements will be recorded and tracked to completion.

What's my next step?

Common misconceptions

  • Every cyber incident is a notifiable privacy breach. False: the incident must involve personal information and meet the serious-harm threshold, although cyber reporting to NCSC may still be appropriate. VERIFIED
  • Only malicious hacking counts as a privacy breach. False: accidents, misdirected disclosures, lost records, unauthorised staff access and loss of availability can qualify. VERIFIED
  • New Zealand has a fixed statutory 72-hour notification deadline. False: the law says as soon as practicable; 72 hours is OPC guidance about ideal reporting speed. VERIFIED
  • A New Zealand business has 30 days to assess a suspected notifiable breach. False: that period comes from Australia's NDB scheme and is not a New Zealand statutory assessment window. VERIFIED
  • The agency should wait for the final forensic report before notifying. False: available information can be notified incrementally, and notification must not be delayed once the statutory threshold and timing requirement are met. VERIFIED
  • Submitting NotifyUs is enough; affected people never need to be contacted. False: the Act separately requires affected-person notification as soon as practicable unless an exception or permitted delay applies. VERIFIED
  • A website notice can always replace direct notification. False: public notice is the fallback where contacting each affected individual is not reasonably practicable. VERIFIED
  • Once the breach is fixed, failure to notify cannot be prosecuted. False: remediation after the event is expressly not a defence to the section 118 offence. VERIFIED
  • Reporting a cyber incident to NCSC replaces reporting the privacy breach to OPC. False: the two pathways serve different functions and the Privacy Act duty remains with the agency. INFERRED
  • New Zealand uses Australia's large tiered civil penalties for failure to notify. False: the specific New Zealand offence for unjustified failure to notify OPC has a maximum NZ$10,000 fine, although other remedies and consequences may also apply. VERIFIED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Identify and assess a suspected privacy breach Office of the Privacy Commissioner Any suspected unauthorised or accidental access, disclosure, alteration, loss, destruction or unavailability of personal information Promptly after awareness, with reassessment as material facts develop
Notify the Privacy Commissioner Office of the Privacy Commissioner The agency becomes aware that a privacy breach has caused, or is likely to cause, serious harm As soon as practicable; OPC guidance says ideally within 72 hours of awareness that it is notifiable Failure without reasonable excuse is an offence punishable by a fine up to NZ$10,000
Notify affected individuals Office of the Privacy Commissioner A notifiable privacy breach affects an identifiable individual and no section 116 exception or permitted delay applies As soon as practicable after awareness of the notifiable breach Failure may amount to an interference with privacy and lead to complaint, investigation or Human Rights Review Tribunal remedies
Give public notice where direct notification is not reasonably practicable Office of the Privacy Commissioner It is not reasonably practicable to notify each affected individual directly As soon as practicable, subject to any lawful exception or delay Failure may amount to an interference with privacy
Include the required notification information Office of the Privacy Commissioner Notification to OPC, affected individuals or the public is required Provide available required information as soon as practicable and update incrementally where necessary Incomplete or delayed notification may contribute to non-compliance and regulatory action
Document and review any exception or delay Office of the Privacy Commissioner The agency relies on a section 116 ground to withhold or delay affected-person notification At the time of decision and continuously while the exception or delay is relied on Unjustified reliance may result in an interference-with-privacy finding or other enforcement action
Coordinate notification across agencies and service providers Office of the Privacy Commissioner More than one agency or a third-party provider is involved in the breach Immediately during containment and before statutory notifications are due Contractual delegation does not by itself remove an agency's responsibility to ensure notification obligations are met
Report a related cyber incident to NCSC where appropriate National Cyber Security Centre A cyber incident affects the organisation and technical assistance or cyber reporting is appropriate Promptly through NCSC's current reporting pathway; urgent threats should be escalated immediately

Sources

  1. Privacy Act 2020 — latest version primary
  2. Office of the Privacy Commissioner — Privacy breaches primary
  3. Office of the Privacy Commissioner — NotifyUs primary
  4. Office of the Privacy Commissioner — Breach management primary
  5. OPC decision note PBN3791 — Lost USB stick constitutes notifiable privacy breach primary
  6. NCSC and CERT NZ integration now complete primary
  7. NCSC — Report a cyber security issue for businesses and individuals primary
  8. Own Your Online — New Zealand cyber security guidance primary
  9. OAIC — What is a notifiable data breach? primary
  10. OAIC — About the Notifiable Data Breaches scheme primary
  11. OAIC — Guide to privacy regulatory action, civil penalties primary
  12. Reddit r/newzealand discussion — reporting a privacy breach forum
  13. Reddit r/newzealand discussion — sensitivity and serious harm forum
  14. Reddit r/newzealand discussion — timing of affected-user notification forum
  15. Geekzone discussion — notifiable breach offence forum
  16. Geekzone discussion — prompt disclosure after a cyber incident forum
  17. Reddit r/newzealand discussion — delayed workplace breach disclosure forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.