Skip links

Notifications of privacy breaches increase significantly

Check systems are in place

Notifications for a privacy breach have increased nearly four-fold since the new Privacy Act 2019 came into force on 1 December 2020. In the period 1 December 2020 to 30 November 2021, 750 privacy breach notifications were received by the Office of the Privacy Commissioner (OPC). One-third of those cases met the threshold for serious harm.

The new legislation makes it mandatory to notify the OPC of privacy breaches that have caused, or have the potential to cause, serious harm to people.

Failure to report a serious breach can result in a Compliance Notice being issued, public notification of the breach and/or a fine of up to $10,000.

Privacy breaches can cause real harm to people. In the serious breach category in the above 12-month period, 36% of serious breaches involved emotional harm, 14% reputational harm and 13% identity theft. Other harms were classified as financial harm, threats of harm and so on.

Take great care with personal information

Human error causes the majority of reported serious breaches. Human error includes accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, postal and courier error.

Email error accounts for over a quarter of all reported serious privacy breaches. The OPC recommends any organisation should have good systems and processes for electronic communications. Emailers should:

  • Use the BCC option when sending to multiple recipients
  • Double-check attachments are correct, and
  • Have a send delay.

Senders should always check their email draft very carefully when including any sort of personal information. It is also useful to ask a colleague to do a fresh-pair-of-eyes review of any draft email that includes personal information.

Privacy breaches occur in the public and private sectors, as well as in not-for-profits; all three sectors store some form of personal information such as health care and social assistance data.

To read more about privacy breaches in the first 12 months of the new legislation, go to the OPC’s website,, and search for privacy breach reporting.


If you want to either report a serious privacy breach or are unsure if your potential breach meets the threshold for notifying the OPC, use the anonymous self-assessment tool to help you decide. Go to and click on the NotifyUs button. +

Fineprint is printed on Advance Laser Offset, a paper produced using farmed eucalyptus trees and pulp from Well Managed Forests – manufactured in an ISO14001 and ISO9001 accredited mill.
DISCLAIMER: All the information published in Fineprint is true and accurate to the best of the authors’ knowledge. It should not be a substitute for legal advice. No liability is assumed by the authors or publisher for losses suffered by any person or organisation relying directly or indirectly on this newsletter. Views expressed are the views of the authors individually and do not necessarily reflect the view of this firm. Articles appearing in Fineprint may be reproduced with prior approval from the editor and credit being given to the source. Copyright © NZ LAW Limited, 2022. Editor: Adrienne Olsen. E: M: 029 286 3650. ISSN 1174-2658 (Print) ISSN 2744-3973 (Online)