Privacy Act 2020

Notifiable privacy breaches and compliance notices - Notifiable privacy breaches

113: Assessment of likelihood of serious harm being caused by privacy breach

You could also call this:

“Deciding if a privacy breach is serious enough to report”

When you’re trying to figure out if a privacy breach might cause serious harm, you need to think about a few things. First, you should look at what you’ve done to try and make the problem less serious. You also need to think about how sensitive the information is that was in the breach. It’s important to consider what kind of harm might happen to the people whose information was affected. If you know who got the information or who might get it, that’s something to think about too. You should also check if the information was protected by any security measures. Finally, there might be other things that are important to consider as well. All of these factors help you decide if the breach is serious enough that you need to tell people about it.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS139444.


Part 6 Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

113 Assessment of likelihood of serious harm being caused by privacy breach

When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:

  1. any action taken by the agency to reduce the risk of harm following the breach:
  2. whether the personal information is sensitive in nature:
  3. the nature of the harm that may be caused to affected individuals:
  4. the person or body that has obtained or may obtain personal information as a result of the breach (if known):
  5. whether the personal information is protected by a security measure:
  6. any other relevant matters.