Plain language law

New Zealand law explained for everyone

 Plain Language Law homepage
Back to
119: Section 211 does not apply to processes and proceedings relating to failure to notify notifiable privacy breach
or “Organisations, not individuals, are responsible for failing to report privacy breaches”
You could also call this:

“Organisations are responsible for privacy breaches by their staff or agents”

This part of the law talks about who is responsible when there’s a problem with privacy. It applies to situations where someone needs to tell the Privacy Commissioner or other people about a privacy breach.

If you work for or are part of an organisation, you won’t get in trouble if you don’t tell the right people about a privacy breach. Instead, the organisation you work for is responsible.

When someone who works for an organisation does something or forgets to do something, it’s treated as if the organisation did it. This includes officers, employees, and members of the organisation.

If someone is working for another organisation (called an agent), both the agent and the organisation they’re working for are responsible for what the agent does or doesn’t do.

However, the amount an agent is responsible for depends on whether they have the private information that was part of the breach. You can find out more about this in section 112 and section 11 of the law.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

Next up: 121: Knowledge of officers, employees, agents, and members of agencies to be treated as knowledge of employers, principal agencies, and agencies

or “Organisations are responsible for privacy breaches known to their staff or agents”
Next

Part 6 Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

120Liability for actions of officers, employees, agents, and members of agencies

  1. This section applies to processes and proceedings under this Act relating to the obligations under section 114 or 115.

  2. An officer, an employee, or a member of an agency is not liable in those processes or proceedings if anything done or omitted by them results in the employer or agency failing to notify the Commissioner or an affected person (or their representative) or give public notice of a notifiable privacy breach.

  3. For the purpose of those processes and proceedings, anything done or omitted by an officer, an employee, or a member of an agency is to be treated as being done or omitted by the employer or agency.

  4. For the purpose of those processes and proceedings, anything done or omitted by an agent of another agency is to be treated as being done or omitted by both the agent and the principal agency.

  5. However, the extent of liability of an agent is affected by whether they hold personal information that is the subject of a notifiable privacy breach. See the definition of privacy breach in section 112 and see section 11, which applies and which provides that information held by an agent is to be treated as being held by the principal agency unless section 11(3) applies.

Notes
  • Section 120 heading: amended, on , by section 97(1) of the Statutes Amendment Act 2022 (2022 No 75).
  • Section 120(2): amended, on , by section 97(2) of the Statutes Amendment Act 2022 (2022 No 75).
  • Section 120(3): amended, on , by section 97(3) of the Statutes Amendment Act 2022 (2022 No 75).