Tick tock: 72 hours to report notifiable breaches – Privacy Commissioner



Half a year after the Privacy Act 2020 came into force, the Office of the Privacy Commissioner (OPC) has published a warning to organisations about their responsibilities under the new notifiable breach regime.

We’ve published several articles on how the Act changes New Zealand privacy law, including guidance on how businesses can work towards complying with the new regime. One of the key changes introduced by the Act is that an organisation must now notify the OPC of a notifiable privacy breach as soon as practicable after becoming aware that such a breach has occurred.

In May, the OPC published its first stocktake of privacy breach reporting which found that 33% of serious breaches were reported to the OPC within two days, and 54% were reported within five days. The OPC announced on 16 June in a blog post that, unless there are extenuating circumstances, the OPC’s view is that organisations must notify the OPC within 72 hours of the organisation becoming aware of the breach. The OPC also noted that it had issued warnings to organisations that had carried out internal investigations, or had tried to rectify the breach, before notifying the OPC.

This announcement highlights the importance of identifying and assessing privacy breaches early and having a plan in place to respond swiftly. To achieve this, organisations should have in place a response plan for:

  • Determining whether a privacy breach meets the threshold of ‘notifiable’ under the Act
  • Notifying the breach in a format that complies with the Act
  • Responding to and implementing the OPC’s directions on rectifying the breach and preventing similar breaches in the future
  • Engaging the right people (both internally and externally) as soon as possible so that both legal compliance obligations and reputational risk can be managed effectively.

Failure to notify breaches when required to do so under the Act can lead to prosecution, which, if successful, can result in a fine of up to NZ$10,000.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
