Privacy Act 2020

Notifiable privacy breaches and compliance notices - Notifiable privacy breaches

112: Interpretation

You could also call this:

“Explaining key terms for privacy breaches and affected individuals”

In this part of the law, you’ll learn about some important words and what they mean. These definitions help explain what happens when there’s a problem with your personal information.

An ‘affected individual’ is someone whose personal information is involved in a privacy breach. This can be anyone, whether they live in New Zealand or not. In some cases, it can even include people who have died, if special rules say so.

A ‘notifiable privacy breach’ is a serious problem with personal information. It’s when someone thinks the problem has caused or might cause serious harm to the affected individuals. There are special rules to help decide if the harm is serious. However, if the information is just held by a person for their own personal use, it’s not counted as a notifiable privacy breach.

A ‘privacy breach’ is when something goes wrong with personal information that an agency is looking after. This could mean someone got to the information when they shouldn’t have, or the information was shared, changed, lost, or destroyed by accident. It can also mean the agency can’t get to the information for a while or forever. A privacy breach can happen because of someone inside or outside the agency, or even if the agency didn’t do anything wrong. It doesn’t matter if the problem is still happening or has stopped.

When talking about privacy breaches, the words ‘access’, ‘disclosure’, and ‘loss’ might mean something a bit different from what they mean in other parts of this law.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS23502.


Part 6 Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

112 Interpretation

  1. In this subpart,—

     affected individual, in relation to personal information that is the subject of a privacy breach,—

     (a) means the individual to whom the information relates; and
     (b) includes an individual inside or outside New Zealand; and
     (c) despite the definition of individual in section 7(1), includes a deceased person—
         (i) if a sector-specific code of practice issued under section 32 specifies that the code applies to information about deceased persons; and
         (ii) to the extent that the code of practice applies 1 or more IPPs to that information

     notifiable privacy breach

     (a) means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so (see section 113 for factors that must be considered by an agency when assessing whether a privacy breach is likely to cause serious harm); but
     (b) does not include a privacy breach if the personal information that is the subject of the breach is held by an agency who is an individual and the information is held solely for the purposes of, or in connection with, the individual’s personal or domestic affairs

     privacy breach, in relation to personal information held by an agency,—

     (a) means—
         (i) unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
         (ii) an action that prevents the agency from accessing the information on either a temporary or permanent basis; and
     (b) includes any of the things listed in paragraph (a)(i) or an action under paragraph (a)(ii), whether or not it—
         (i) was caused by a person inside or outside the agency; or
         (ii) is attributable in whole or in part to any action by the agency; or
         (iii) is ongoing.

  2. For the purposes of this subpart, the meanings of access, disclosure, and loss are not limited by the use of those words or the meanings ascribed to them elsewhere in this Act.