Plain language law

New Zealand law explained for everyone

Privacy Act 2020

Notifiable privacy breaches and compliance notices - Compliance notices

124: Issuing compliance notice

You could also call this:

“Commissioner's process for issuing a compliance notice to agencies”

Before the Commissioner issues a compliance notice, they need to think about some important things. They need to check if there are other ways to deal with the problem under this law or other laws. They also need to think about how serious the problem is and if it might happen again. The Commissioner will consider how many people the problem affects and if the agency has been helpful when talking to the Commissioner. They will also think about how much it might cost the agency to fix the problem.

The Commissioner only needs to think about these things if they think they matter and if they can easily get information about them.

Before giving a compliance notice, the Commissioner must give the agency a chance to comment on a written notice. This notice will explain what the agency did wrong and which laws it broke. It will also say what the Commissioner thinks about the important things they considered. The notice will describe what steps the agency needs to take to fix the problem and when they need to do it by.

The Commissioner will decide how long to give the agency to comment on the notice. They will think about what’s fair based on the situation.

In this part of the law, when we talk about a ‘breach’, we mean the things described in section 123(1)(a) to (c). When we say ‘remedy the breach’, we mean the agency needs to follow the rules they didn’t follow before.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS23517.

Topics:

Rights and equality > Privacy

123: Compliance notices, or

“The Privacy Commissioner can issue notices if they believe you've breached privacy rules”

125: Form of compliance notice, or

“What a compliance notice must include and how it is given to you”

Part 6 Notifiable privacy breaches and compliance notices
Compliance notices

124Issuing compliance notice

The Commissioner must consider the following factors before issuing a compliance notice:
whether there is another means under this Act or another Act for dealing with the breach:
the seriousness of the breach:
the likelihood of a repeat of the breach:
the number of people who may be or are affected by the breach:
whether the agency has been co-operative in all dealings with the Commissioner:
the likely costs to the agency of complying with the notice.

However, each of those factors need be considered only to the extent that—
it is relevant in the Commissioner’s view:
information about the factor is readily available to the Commissioner.

Before issuing a compliance notice, the Commissioner must provide the agency concerned with a reasonable opportunity to comment on a written notice that—
describes the breach, citing the relevant statutory provision or provisions; and
summarises the conclusions reached about the factors in subsection (1) that have been considered by the Commissioner; and
describes particular steps that the Commissioner considers need to be taken to remedy the breach (if any) and any conditions the Commissioner considers appropriate (if any); and
states the date or dates by which the Commissioner proposes that the agency must remedy the breach and report to the Commissioner (if any).

In each case, the Commissioner must determine the period of time that will give the agency a reasonable opportunity to comment, taking into account the circumstances of the case.
For the purpose of this subpart,—
breach means any of the things described in section 123(1)(a) to (c)
remedy the breach means to comply with the relevant statutory provision or provisions.