Privacy law: breaches, non-compliance and out-of-date – OPC

Privacy law may sound drab.

But if you look beyond the (sometimes boring) statutory language, you will see that it aims to protect one of the most important rights a person has: their right to privacy.

This includes the protection of their ‘personal information’ – for example, information about an identifiable individual such as their name, contact details, correspondence about them, CCTV images and medical information. Unfortunately, this right is constantly under assault, whether deliberately or ignorantly.

In December 2023, the Office of the Privacy Commissioner (OPC)[1] wrote to the incoming Minister of Justice outlining concerns regarding the current state of New Zealand’s privacy law[2], with the letter being publicly released in March 2024.

The OPC’s key concerns:

  • Small- to medium-sized businesses are not complying
    A growing number of small- to medium-sized organisations do not understand or meet even the basic requirements of the Privacy Act 2020. This includes failing to appoint a privacy officer or establish policies and practices to effectively manage the privacy impacts of their activities. Please contact us if you require assistance with this.
  • Significant breaches are occurring
    Between 2021/22 and 2022/23 there was a 79% increase in privacy complaints to the OPC and a 59% increase in serious privacy breaches. This includes breaches that can result in identity theft and loss of finances.
  • Breaches are costly
    The Human Rights Review Tribunal findings that have awarded damages for breach of privacy average $21,000, with the highest award being over $168,000. Of the 800 privacy complaints investigated by the OPC each year, 5 to 10% result in a cash settlement averaging $10,000. IDCare estimates that the average cyber security incident costs a small business around $40,000. Latitude Financial (noted below) has said its March 2023 privacy breach has so far cost it AU$76 million.
  • Privacy breaches can affect thousands (if not millions) of people
    High-profile privacy breaches include:

    • The 2021 ransomware attack on Waikato DHB which severely disrupted service delivery and led to sensitive health information of thousands of people being sold on the dark web.
    • Australian company Latitude Financial’s data breach in March 2023 which saw the records of over a million New Zealanders exposed, including driver licences, passports and sensitive financial data.
  • The Privacy Act urgently needs updating
    It is based on policies agreed in 2013. But there are significant new technologies that require addressing, particularly biometrics (facial recognition technology), and risks to children’s privacy, particularly via social media and AI. It also requires stronger penalties for breaches, to align with like-minded countries.

Good privacy practices reduce the harm caused by privacy breaches, including the emotional, reputational, financial or physical harms.

We have advised several businesses on their obligations under the Privacy Act 2020, and helped with establishing policies and practices that aim to protect privacy. Please contact us if you would like assistance in this area.


[1] The OPC is an independent Crown entity that has a wide range of functions set out in the Privacy Act. This includes investigating breaches of privacy, monitoring the impact of technology on privacy and developing codes of practice for specific industries or sectors.

[2] Briefing to the Incoming Minister of Justice, Office of the Privacy Commissioner, dated 4 December 2023.

Meet the team that makes things simple.

Elisabeth Giles
Maria Green
