Plain language law

New Zealand law explained for everyone

Privacy Act 2020

Notifiable privacy breaches and compliance notices - Notifiable privacy breaches

120: Liability for actions of officers, employees, agents, and members of agencies

You could also call this:

"When staff make mistakes, their employer is responsible, not them."

Illustration for Privacy Act 2020

You are part of an agency or organisation. If you do something wrong, your employer is responsible. This is about notifiable privacy breaches under the Privacy Act 2020. You can read more about notifiable privacy breaches in section 114 and 115. You are not liable if you make a mistake. Your employer is liable instead. This is because anything you do is treated as being done by your employer. If someone is working for your agency, they are called an agent. What the agent does is treated as being done by both the agent and your agency. You can read more about what an agent is in section 112 and section 11. An agent is someone who holds information for or on behalf of your agency. This can be for safe custody or processing on behalf of your agency. The agent's actions are treated as being done by your agency.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS288541.

This page was last updated on View changes

Topics:
Crime and justice > Courts and legal helpGovernment and voting > Government departments
Previous

119: Section 211 does not apply to processes and proceedings relating to failure to notify notifiable privacy breach, or

"Organisations, not individuals, are responsible for failing to report privacy breaches"

Next

121: Knowledge of officers, employees, agents, and members of agencies to be treated as knowledge of employers, principal agencies, and agencies, or

""

Part 6Notifiable privacy breaches and compliance notices
Notifiable privacy breaches

120Liability for actions of officers, employees, agents, and members of agencies

  1. This section applies to processes and proceedings under this Act relating to the obligations under section 114 or 115.

  2. An officer, an employee, or a member of an agency is not liable in those processes or proceedings if anything done or omitted by them results in the employer or agency failing to notify the Commissioner or an affected person (or their representative) or give public notice of a notifiable privacy breach.

  3. For the purpose of those processes and proceedings, anything done or omitted by an officer, an employee, or a member of an agency is to be treated as being done or omitted by the employer or agency.

  4. For the purpose of those processes and proceedings, anything done or omitted by an agent of another agency is to be treated as being done or omitted by both the agent and the principal agency.

  5. However, the extent of liability of an agent is affected by whether they hold personal information that is the subject of a notifiable privacy breach. See the definition of privacy breach in section 112 and see section 11, which applies and which provides that information held by an agent is to be treated as being held by the principal agency unless section 11(3) applies.

  6. For the purposes of subsections (4) and (5), a person (A) is an agent of an agency (B) if A holds information for or on behalf of B (for example, as a representative or an agent of B, or for safe custody or processing on behalf of B).

Notes
  • Section 120 heading: amended, on , by section 97(1) of the Statutes Amendment Act 2022 (2022 No 75).
  • Section 120(2): amended, on , by section 97(2) of the Statutes Amendment Act 2022 (2022 No 75).
  • Section 120(3): amended, on , by section 97(3) of the Statutes Amendment Act 2022 (2022 No 75).
  • Section 120(6): inserted, on , by section 126 of the Statutes Amendment Act 2025 (2025 No 74).