Plain language law

New Zealand law explained for everyone

 Plain Language Law homepage
Back to
117: Requirements for notification
or “How to notify the Privacy Commissioner about a privacy breach”
You could also call this:

“You can be fined for not reporting a serious privacy breach to the Commissioner”

If you don’t tell the Privacy Commissioner about a serious privacy breach, you can get in trouble. This is called an offence. If you are found guilty, you might have to pay up to $10,000.

Even if you try to fix the privacy breach, you can still be charged with this offence. This means that just trying to solve the problem isn’t enough to avoid getting in trouble.

However, you have a way to defend yourself if you’re charged. If you honestly thought the privacy breach wasn’t serious enough to report, and it was reasonable for you to think that, you won’t be found guilty. But remember, your reason for not reporting must make sense to others.

The rules for telling the Privacy Commissioner about serious privacy breaches are explained in section 114 of this law. It’s important to follow these rules to avoid getting into trouble.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

Next up: 119: Section 211 does not apply to processes and proceedings relating to failure to notify notifiable privacy breach

or “Organisations, not individuals, are responsible for failing to report privacy breaches”
Next

Part 6 Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

118Offence to fail to notify Commissioner

  1. An agency that, without reasonable excuse, fails to notify the Commissioner of a notifiable privacy breach under section 114 commits an offence and is liable on conviction to a fine not exceeding $10,000.

  2. It is not a defence to a charge under this section that the agency has taken steps to address the privacy breach.

  3. It is a defence to a charge under this section that the agency did not consider the privacy breach to be a notifiable privacy breach, but only if it was reasonable to do so in the circumstances.