Notifiable Privacy Breaches in NZ — Privacy Act (2026)
About this article
Sourced from New Zealand Acts of Parliament (legislation.govt.nz), regulations, and official government guidance. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
Since the Privacy Act 2020, organisations have a legal duty to report serious data breaches. Under sections 112–117, if a privacy breach is likely to cause serious harm, the agency must notify both the Office of the Privacy Commissioner and the affected individuals as soon as practicable. The OPC's guidance is that this should typically happen within about 72 hours of the agency realising the breach is notifiable.
The notification should explain what happened, what information was involved, and what you can do to protect yourself. Failing to notify a notifiable breach is an offence punishable by a fine of up to $10,000. If you've been affected, you can also complain to the OPC about how the breach was handled.
When does it apply?
- An organisation has lost, leaked, or exposed your personal information.
- You've been told (or suspect) your data was part of a breach.
- You're worried about identity theft or fraud following a breach.
What to do if your data was breached
- Read the breach notice and follow its protective steps (e.g. change passwords).
- Ask the agency what was exposed and what they're doing about it.
- Report concerns to the OPC via its NotifyUs/complaint channels.
- If you fear imminent harm, call 111; for identity theft, contact IDCARE.
What should you NOT do?
- Don't ignore a breach notice — act on its recommendations promptly.
- Don't assume the agency notified the OPC — you can report it yourself.
- Don't reuse the exposed password anywhere else.
About Data Privacy & Digital Rights in New Zealand
New Zealand's Privacy Act 2020 gives you real control over your personal information through 13 Information Privacy Principles (IPPs). You can access what an organisation holds about you (IPP 6) and ask it to correct mistakes (IPP 7), usually free and within 20 working days. Organisations that suffer a serious data breach must notify the Office of the Privacy Commissioner (OPC) and affected people. Complaints go to the OPC and, if needed, the Human Rights Review Tribunal, which can award damages. Government-held information is accessed under the Official Information Act 1982, and online harm is handled under the Harmful Digital Communications Act 2015.
OPC: 0800 803 909. Online harm (Netsafe): 0508 638 723.