Privacy Act 2020: A Plain-English Guide to Breach Notification for NZ Businesses
Notifiable privacy breaches, the 72-hour expectation, what to tell the Privacy Commissioner and affected individuals, and how to prepare before something goes wrong.
The Privacy Act 2020 fundamentally changed how New Zealand organisations have to think about data breaches. Before the Act came into force on 1 December 2020, notification was a voluntary, largely reputational decision. Today it is a legal obligation: failing to notify the Privacy Commissioner of a notifiable breach without reasonable excuse is an offence carrying a fine of up to NZ$10,000, and the regulator, the Office of the Privacy Commissioner (OPC), has shown a willingness to act. This guide explains, in practical terms, what triggers a notification, what you must do, when, and how to be ready before the worst day in your IT calendar.
What counts as a 'notifiable privacy breach'?
Under section 112 of the Act, a privacy breach is notifiable if it is reasonable to believe it has caused serious harm to an affected individual, or is likely to do so. 'Serious harm' is not defined; section 113 instead lists the factors you must weigh: any action you have taken to reduce the risk of harm, whether the information is sensitive, the nature of the harm (physical, emotional, financial, reputational), who has obtained or could obtain the information, and whether it is protected by a security measure such as strong encryption. The encryption point cuts both ways: a laptop of fully encrypted client files, lost in a taxi and remotely wiped within minutes, is unlikely to be notifiable; the same laptop with the decryption passphrase on a sticky note in the bag is a different assessment. A spreadsheet of beneficiaries' contact details and benefit amounts emailed to the wrong external party almost certainly is notifiable.
The 'as soon as practicable' timeline — and the 72-hour shadow
Unlike the GDPR, the Act does not state a fixed 72-hour deadline. It requires notification to the Commissioner and to affected individuals 'as soon as practicable' after the agency becomes aware that a notifiable breach has occurred. In practice the Commissioner's published guidance treats anything beyond 72 hours as requiring justification. We advise clients to plan for a 72-hour internal target: it forces the right urgency and it aligns with the global norm most cyber-insurance policies and overseas counterparts already expect.
What to tell the Commissioner
Notification is done through NotifyUs, the Commissioner's online portal. You will be asked for a description of the breach, the categories and approximate number of affected individuals, the likely consequences, and the steps taken or proposed to contain it and reduce harm. You do not need every answer on day one — the portal allows updates — but you do need a coherent first submission. Vague, defensive, or contradictory notifications attract follow-up scrutiny.
What to tell affected individuals
Affected individuals must be notified directly. Where direct notification is not reasonably practicable, the Act does not excuse you; it requires public notice instead (for example, a statement on your website). Genuine exceptions are narrow: notification would prejudice security or defence interests, prejudice the maintenance of the law (including an active investigation), endanger a person's safety, or reveal a trade secret, among others. The notice must be in plain language and explain what happened, what information was involved, what the organisation is doing about it, what the individual can do to protect themselves, and how to contact you and the Commissioner. This is where rehearsal matters: the difference between a calm, well-drafted notification letter and a panicked one written at 2 a.m. is the difference between a manageable PR moment and a front-page story.
Cross-border data transfers and IPP 12
Information Privacy Principle 12 restricts disclosing personal information to an agency outside New Zealand unless the recipient is subject to comparable privacy safeguards (by law, a prescribed country, or a binding scheme), is bound by contractual protections, or the individual has expressly authorised the transfer. In a breach context this matters in two ways. First, the breach itself may have moved data offshore (for example, exfiltration to a ransomware actor's overseas storage). That is not a disclosure by you under IPP 12, but it goes directly to the section 113 question of who now holds the information, and it usually points toward notification. Second, your incident-response vendors may be processing the data in Australia, the US, or Europe. A vendor acting purely as your agent, holding the data only to process it on your behalf, is treated under section 11 of the Act as you holding it, so IPP 12 is not engaged; IPP 5 still is, and you remain responsible for the security of the data in their hands. Both should be considered when scoping the breach and choosing partners, and your vendor contracts should say what the vendor may do with the data and where.
Common mistakes we see
Three patterns recur. First, organisations confuse 'we don't yet know the scope' with 'we don't have to notify yet'. The clock starts when you are aware a notifiable breach has occurred, not when forensics are complete; notify with what you know and update through the portal. Second, internal legal teams sometimes over-narrow the definition of 'personal information' to exclude things like IP addresses, device identifiers, or behavioural data; the Commissioner takes a wider view, and information that can identify someone when combined with other data you hold counts. Third, customer-communication drafts are written by the legal team alone and read like denials. Bring communications, legal, and security to the same table early.
Get ready before you need it
A 90-minute tabletop exercise costs almost nothing and reveals more about your readiness than any policy review. Pick a realistic scenario — an exfiltration following a ransomware deployment, say, or a misconfigured S3 bucket — walk through who decides, who drafts, who notifies, and who answers the inevitable journalist call. If you would like Haumaru to facilitate one for your team, including a template NotifyUs submission and customer-notice pack tuned to your sector, get in touch.
Need help applying this in your environment?
Talk to a Haumaru security architect — no obligation, no sales pitch.
Book a posture review