Privacy Act 2020

Notifiable privacy breaches and compliance notices - Notifiable privacy breaches

116: Exceptions to or delay in complying with requirement to notify affected individuals or give public notice of notifiable privacy breach

You could also call this:

"When you don't have to be told about a privacy breach"


If you are affected by a privacy breach, the agency responsible must usually tell you about it. They must also make a public notice if the breach is serious. However, there are some exceptions to this rule.

You might not be told about a privacy breach if it would put New Zealand's security or defence at risk. It could also happen if telling you would stop the police from solving a crime or would put someone's life in danger. Another reason is if it would reveal a trade secret.

If you are under 16, the agency might not tell you about the breach if they think it would be bad for you. They might also not tell you if they think it would hurt your health, after talking to your doctor. In these cases, the agency might tell a parent, guardian, or someone else who can make decisions for you instead.

The agency can delay telling you about a breach, but only if they think telling you would put your personal information at risk. They can only delay it for as long as the risk is there. The agency must have a good reason to delay or not tell you about the breach.

A health practitioner is someone who looks after your health, as defined in section 49(2). A representative is someone who can make decisions for you, like a parent or guardian if you are under 16. If you are 16 or over, a representative is someone who is acting on your behalf.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS23506.



Part 6: Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

116: Exceptions to or delay in complying with requirement to notify affected individuals or give public notice of notifiable privacy breach

(1) An agency is not required to notify an affected individual or give public notice of a notifiable privacy breach if the agency believes that the notification or notice would be likely to—

  (a) prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand; or

  (b) prejudice the maintenance of the law by any public sector agency, including the prevention, investigation, and detection of offences, and the right to a fair trial; or

  (c) endanger the safety of any person; or

  (d) reveal a trade secret.

(2) An agency is not required to notify an affected individual or give public notice (relating to a particular individual) of a notifiable privacy breach—

  (a) if the individual is under the age of 16 and the agency believes that the notification or notice would be contrary to that individual’s interests; or

  (b) if, after consultation is undertaken by the agency with the individual’s health practitioner (where practicable), the agency believes that the notification or notice would be likely to prejudice the health of the individual.

(3) If subsection (2) applies, the agency must—

  (a) consider whether it would be appropriate to notify a representative instead of the individual (if a representative is known or can be readily identified); and

  (b) before deciding whether to notify a representative, take into account the circumstances of both the individual and the privacy breach; and

  (c) if the agency decides it is appropriate to notify a representative and has identified a representative, notify that person.

(4) An agency may delay notifying an affected individual (or a representative) or giving public notice of a notifiable privacy breach (but not delay notifying the Commissioner) only—

  (a) if the agency believes that a delay is necessary because notification or public notice may have risks for the security of personal information held by the agency and those risks outweigh the benefits of informing affected individuals; and

  (b) for a period during which those risks continue to outweigh those benefits.

(5) An agency may rely on an exception, or delay in notifying affected individuals or giving public notice, under this section and, in relation to a delay, do so for the period referred to in subsection (4)(b), only if the agency believes on reasonable grounds that the exception applies, the ground for delay exists, or the circumstances referred to in subsection (4)(b) (relating to the period of delay) continue to exist.

(6) In this section,—

  health practitioner has the meaning given to it in section 49(2)

  representative,—

    (a) of an affected individual under the age of 16, means that individual’s parent or guardian:

    (b) of an affected individual aged 16 or over, means an individual appearing to be lawfully acting on that individual’s behalf or in that individual’s interests.

                              Compare