Plain language law

New Zealand law explained for everyone

 Plain Language Law homepage
Back to
116: Exceptions to or delay in complying with requirement to notify affected individuals or give public notice of notifiable privacy breach
or “When organisations don't have to tell you about a privacy breach right away”
You could also call this:

“How to notify the Privacy Commissioner about a privacy breach”

When you need to tell the Privacy Commissioner about a privacy breach, you must include specific details. You need to describe what happened, including how many people were affected if you know, and who might have the personal information if you know that too. You also need to explain what you’ve done or plan to do about the breach, and whether you’ve contacted or will contact the people affected.

If you’re telling the public instead of individuals, you need to explain why. If you’re not telling people right away or at all, you need to explain why and how long you’re waiting. You should also mention any other agencies you’ve told about the breach and why. Finally, you need to provide contact details for someone in your organisation who can answer questions.

When you’re telling a person affected by the breach, you need to describe what happened, explain what you’re doing about it, and suggest what they can do to protect themselves. You should tell them that you’ve informed the Privacy Commissioner and that they can complain to the Commissioner if they want to. You also need to give them contact details for someone in your organisation.

You can name the person or organisation that has the personal information if you think it’s necessary to prevent a serious threat to someone’s life or health. However, you shouldn’t include any information about other people affected by the breach.

If you don’t have all the information right away, you can provide it in parts. But you need to give whatever information you do have as soon as you can.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

Next up: 118: Offence to fail to notify Commissioner

or “You can be fined for not reporting a serious privacy breach to the Commissioner”
Next

Part 6 Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

117Requirements for notification

  1. A notification to the Commissioner under section 114 must—

  2. describe the notifiable privacy breach, including—
    1. the number of affected individuals (if known); and
      1. the identity of any person or body that the agency suspects may be in possession of personal information as a result of the privacy breach (if known); and
      2. explain the steps that the agency has taken or intends to take in response to the privacy breach, including whether any affected individual has been or will be contacted; and
        1. if the agency is relying on section 115(2) to give public notice of the breach, set out the reasons for relying on that section; and
          1. if the agency is relying on an exception, or is delaying notifying an affected individual or giving public notice, under section 116, state the exception relied on and set out the reasons for relying on it or state the reasons why a delay is needed and the expected period of delay; and
            1. state the names or give a general description of any other agencies that the agency has contacted about the privacy breach and the reasons for having done so; and
              1. give details of a contact person within the agency for inquiries.

                1. A notification to an affected individual under section 115 or a representative under section 116(3) must—

                2. describe the notifiable privacy breach and state whether the agency has or has not identified any person or body that the agency suspects may be in possession of the affected individual’s personal information (but, except as provided in subsection (3), must not include any particulars that could identify that person or body); and
                  1. explain the steps taken or intended to be taken by the agency in response to the privacy breach; and
                    1. where practicable, set out the steps the affected individual may wish to take to mitigate or avoid potential loss or harm (if any); and
                      1. confirm that the Commissioner has been notified under section 114; and
                        1. state that the individual has the right to make a complaint to the Commissioner; and
                          1. give details of a contact person within the agency for inquiries.

                            1. A notification to an affected individual or their representative may identify a person or body that has obtained or may obtain that affected individual’s personal information (where the identity is known) if the agency believes on reasonable grounds that identification is necessary to prevent or lessen a serious threat to the life or health of the affected individual or another individual.

                            2. A notification to an affected individual must not include any particulars about any other affected individuals.

                            3. In order to comply with the requirement under sections 114 and 115 that notification must be made as soon as practicable, an agency may provide the information required by this section incrementally. However, any information that is available at any point in time must be provided as soon as practicable after that point in time.