Privacy Act 2020

Notifiable privacy breaches and compliance notices - Notifiable privacy breaches

116: Exceptions to or delay in complying with requirement to notify affected individuals or give public notice of notifiable privacy breach

You could also call this:

“When organisations don't have to tell you about a privacy breach right away”

If an organisation has a privacy breach that needs to be reported, there are some situations where they don’t have to tell you or make a public announcement right away.

They don’t have to tell you if doing so might:

  • Harm New Zealand’s security, defence, or international relationships
  • Interfere with law enforcement, like preventing or investigating crimes
  • Put someone in danger
  • Reveal a trade secret

If you’re under 16, they might not tell you if they think it’s not good for you. They also might not tell you if a doctor thinks it could harm your health.

In these cases, they might tell someone who represents you instead, like a parent or guardian if you’re under 16, or someone acting for you if you’re 16 or older.

The organisation can delay telling you or making a public announcement if they think the risks of sharing the information are bigger than the benefits of telling you. But they can only delay for as long as this is true.

The organisation must have good reasons to use these exceptions or delays. They still have to tell the Privacy Commissioner about the breach, even if they delay telling you.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS23506.

Part 6 Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

116 Exceptions to or delay in complying with requirement to notify affected individuals or give public notice of notifiable privacy breach

(1) An agency is not required to notify an affected individual or give public notice of a notifiable privacy breach if the agency believes that the notification or notice would be likely to—

  (a) prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand; or
  (b) prejudice the maintenance of the law by any public sector agency, including the prevention, investigation, and detection of offences, and the right to a fair trial; or
  (c) endanger the safety of any person; or
  (d) reveal a trade secret.

(2) An agency is not required to notify an affected individual or give public notice (relating to a particular individual) of a notifiable privacy breach—

  (a) if the individual is under the age of 16 and the agency believes that the notification or notice would be contrary to that individual’s interests; or
  (b) if, after consultation is undertaken by the agency with the individual’s health practitioner (where practicable), the agency believes that the notification or notice would be likely to prejudice the health of the individual.

(3) If subsection (2) applies, the agency must—

  (a) consider whether it would be appropriate to notify a representative instead of the individual (if a representative is known or can be readily identified); and
  (b) before deciding whether to notify a representative, take into account the circumstances of both the individual and the privacy breach; and
  (c) if the agency decides it is appropriate to notify a representative and has identified a representative, notify that person.

(4) An agency may delay notifying an affected individual (or a representative) or giving public notice of a notifiable privacy breach (but not delay notifying the Commissioner) only—

  (a) if the agency believes that a delay is necessary because notification or public notice may have risks for the security of personal information held by the agency and those risks outweigh the benefits of informing affected individuals; and
  (b) for a period during which those risks continue to outweigh those benefits.

(5) An agency may rely on an exception, or delay in notifying affected individuals or giving public notice, under this section and, in relation to a delay, do so for the period referred to in subsection (4)(b), only if the agency believes on reasonable grounds that the exception applies, the ground for delay exists, or the circumstances referred to in subsection (4)(b) (relating to the period of delay) continue to exist.

(6) In this section,—

  health practitioner has the meaning given to it in section 49(2)

  representative,—

    (a) of an affected individual under the age of 16, means that individual’s parent or guardian:
    (b) of an affected individual aged 16 or over, means an individual appearing to be lawfully acting on that individual’s behalf or in that individual’s interests.
