Plain language law

New Zealand law explained for everyone

 Plain Language Law homepage
Back to
114: Agency to notify Commissioner of notifiable privacy breach
or “You must tell the Privacy Commissioner quickly about serious privacy problems”
You could also call this:

“Organisations must inform people or publicly announce serious privacy breaches”

If an agency finds out that a notifiable privacy breach has happened, they need to tell the affected person as soon as they can. This is unless they can’t do it for a good reason, or if there’s an exception that says they don’t have to.

If it’s too hard to tell each person affected, the agency needs to make a public announcement about the privacy breach instead. But they don’t have to do this if there’s an exception that says they don’t have to.

When making a public announcement, the agency can’t name any of the affected people. They also need to follow any rules about how to make the announcement.

If the agency couldn’t tell people at first because it was too hard, or because of an exception, they might need to tell them later. This could happen if things change and it becomes possible to tell people, or if the exception no longer applies. They need to do this if there’s still a risk that the privacy breach could seriously harm the affected people.

If an agency doesn’t tell the affected people or make a public announcement when they should, this could be seen as interfering with privacy under the law.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

Next up: 116: Exceptions to or delay in complying with requirement to notify affected individuals or give public notice of notifiable privacy breach

or “When organisations don't have to tell you about a privacy breach right away”
Next

Part 6 Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

115Agency to notify affected individual or give public notice of notifiable privacy breach

  1. An agency must notify an affected individual as soon as practicable after becoming aware that a notifiable privacy breach has occurred, unless subsection (2) or an exception in section 116 applies or a delay is permitted under section 116(4).

  2. If it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, the agency must instead give public notice of the privacy breach, unless an exception in section 116 applies or a delay is permitted under section 116(4).

  3. Public notice must be given—

  4. in a form in which no affected individual is identified; and
    1. in accordance with any regulations made under section 215(1)(a).

      1. If subsection (2) or an exception in section 116 is relied on, the agency must notify the affected individual or individuals at a later time if—

      2. circumstances change so that subsection (2) or the exception no longer applies; and
        1. at that later time, there is or remains a risk that the privacy breach will cause serious harm to the affected individual or individuals.

          1. A failure to notify an affected individual or give public notice under this section may be an interference with privacy under this Act (see section 69(2)(a)(iv)).