
Personal information refers to details that can be used to identify a person, ranging from their full name to photos. If your business deals with this kind of information, you have obligations under privacy law. One fundamental rule is that if a privacy breach at your business is reasonably likely to cause serious harm, you must report that breach to the Privacy Commissioner.

However, what happens to your business if there is a security breach, and how do you deal with it? This article will explain:

  • what privacy breaches look like;
  • the role of the Privacy Commission; and
  • how to deal with a privacy breach.

What Does a Privacy Breach Look Like?

Your business is an agency that deals with customers’ personal information under privacy law. So, you have particular requirements around how you handle this information, namely in how you collect, store, use and share it.

One of those obligations is to collect and store customers’ data securely, and only let those with authorisation access it.

For example, if you hold sensitive customer information online, you would password protect and encrypt it to store it securely.

There are two kinds of privacy breach:

  • confidentiality or integrity breach: where an unauthorised person has accessed, altered, lost, shared, or destroyed personal information; and
  • availability breach: where something is temporarily or permanently preventing you from accessing the personal information you hold, such as a denial-of-service or ransomware attack.

If the privacy breach has caused serious harm to someone, or you have a reasonable basis to believe that it will, you must notify the Privacy Commissioner and the individual involved. This could mean contacting affected customers or contracted suppliers.

In determining whether a breach is harmful enough that you should notify, consider:

  • what you have done to reduce the risk of harm after the breach;
  • whether the personal information is sensitive in nature;
  • what the nature of the harm is that affects the individual;
  • who will obtain (or has already obtained) the personal information due to the breach;
  • whether the personal information has any security measures protecting it; and
  • any other relevant matters.

What Does the Privacy Commission Do?

The Privacy Commission protects privacy and personal information in NZ and launches investigations into privacy breaches and complaints. If the violation of privacy is serious enough, they can recommend cases to the Human Rights Commission.

You contact the Privacy Commission through their NotifyUs tool if you believe there has been a seriously harmful privacy breach at your business. If you fail to do so, you could be fined $10,000. You could also be breaching other commitments, such as directors' duties and your contractual obligations.

Dealing With a Privacy Breach

The Privacy Commission recommends four steps for dealing with a privacy breach at your business:

1. Contain

The first thing you should do is take steps to contain the breach as much as possible. You should notify your Privacy Officer. They can guide this process, engaging the help of IT specialists or risk advisers as appropriate. You can contain the breach by:

  • trying to retrieve the lost information;
  • shutting down the breached system;
  • changing or cancelling any access codes or passwords; or
  • fixing any vulnerabilities in your physical or online security systems.

2. Assess

Assess the risks and consequences of the breach, gauging its cause and the extent of the harm. Consider the damage from the point of view of the people affected. What adverse effects could occur? This might include:

  • identity theft; or
  • financial loss.

You should also figure out who has the personal information and what they are likely to do with it.

3. Notify

You may not necessarily need to inform the individual affected of a breach if:

  • it was minor; or
  • telling them would cause more harm than the violation itself.

If it is a serious privacy breach, you need to notify both the individual and the Privacy Commissioner. Determine severity on a case-by-case basis. Consider the extent of the risk, and whether there is a risk of:

  • identity theft;
  • fraud;
  • physical harm;
  • humiliation or damage to reputation or relationships.

Also, think about how difficult it is to fix the breach.

For example, if your clients can solve the issue if they just change their password, this may not be a serious enough breach to warrant notifying the Privacy Commissioner.

4. Prevent

If you take appropriate preventative measures, you can reduce the likelihood of a breach and mitigate the fallout. Develop a comprehensive response plan for what to do should a breach occur, and make sure you adequately protect your information collection and storage processes.

Key Takeaways

A privacy breach can be a serious matter, especially if harm is likely to occur to your customers. If you take proper preventive steps and develop a plan for dealing with privacy breaches, you can mitigate some consequences. If you would like more information or help with your business’s privacy, contact LegalVision’s New Zealand IT lawyers on 0800 005 570 or fill out the form on this page.


What is a privacy breach?

A privacy breach is when personal information that you are responsible for keeping private is compromised. This could be through an unauthorised person gaining access to it, or something preventing you from accessing this information, like a ransomware attack.

Who do I need to notify if there has been a privacy breach at my business?

This depends on the severity of the breach. If you think that this privacy breach is reasonably likely to cause serious harm to the affected individual, then you must notify the Privacy Commissioner and said individual.

What is a Privacy Officer?

A Privacy Officer is a role that you assign to someone at your business. They are responsible for making sure your business complies with its privacy obligations, and will handle any privacy issues that may arise.

What is a denial-of-service attack?

A denial-of-service attack (DoS attack) is a cyberattack that shuts down access to the targeted system or network. This means that you cannot use this system, and if there is any private information on it then this may raise privacy issues.
