Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
This article is general information only and doesn’t take into account your business’s specific circumstances. It isn’t legal advice.
If you’re running a small business, it’s easy to assume that Privacy Act breaches are something that mainly happens to big corporates with huge databases.
In reality, many Privacy Act 2020 issues in New Zealand start with everyday, accidental mistakes - a misdirected email, a stolen laptop, a staff member clicking a phishing link, or a contractor getting access to more customer data than they should.
Even when the breach is unintentional, it can still lead to complaints, an investigation by the Office of the Privacy Commissioner (OPC), and serious consequences for your business (including reputational damage, operational disruption, and potential legal liability).
Below, we’ll break down what counts as a privacy breach, how “accidental” breaches can escalate, what to do if it happens to you, and how to reduce the risk from day one.
What Counts As A Privacy Act Breach For Small Businesses?
Under New Zealand’s Privacy Act 2020, a “privacy breach” is essentially when personal information is:
- accessed by someone who shouldn’t have access to it,
- disclosed to someone who shouldn’t receive it,
- lost in a way that creates risk (even if you don’t know it’s been accessed), or
- damaged or destroyed in a way that affects people’s privacy rights.
Personal information is information about an identifiable individual. In a small business context, that could include:
- customer names, addresses, phone numbers, email addresses
- order history and payment details (even partial payment info can be sensitive)
- staff records (payroll details, performance notes, leave records)
- photos or videos where someone can be identified
- health information (e.g. allergies, medical notes, injury records)
- identity documents (driver licences, passports)
Some personal information is also high-risk or “sensitive”, meaning a breach is more likely to cause harm. That typically includes health data, financial details, and identity documents - and sometimes employee data depending on context. If your business collects or stores Sensitive Personal Information, you should assume a higher standard of care is expected.
Common Examples Of Privacy Act Breaches (Even When You Didn’t Mean To)
Here are some common “how did this happen?” scenarios we see in small businesses:
- Misdirected emails: you email an invoice, spreadsheet, or customer list to the wrong recipient.
- Incorrect “CC” use: you accidentally put multiple customers in CC instead of BCC.
- Lost devices: a staff laptop/phone is lost or stolen, and it has saved passwords or unencrypted files.
- Phishing and hacked accounts: someone gets access to your inbox or cloud storage using compromised credentials.
- Over-sharing with suppliers/contractors: a contractor gets access to your CRM or shared drive and can see more data than needed.
- Insecure storage: customer forms are kept in an unlocked cabinet or exposed folder in your office/vehicle.
- Workplace monitoring done poorly: cameras, tracking tools, or call recordings are used without proper notice/limits.
If your business records calls, for example, you’ll want a clear process and customer-facing notice, because the privacy risks aren’t theoretical. It’s worth pressure-testing your approach against the rules in Call Recording Laws.
Why Accidental Privacy Act Breaches Can Still Trigger OPC Investigations
A common misconception is: “If it was an honest mistake, we won’t get in trouble.”
The Privacy Act 2020 doesn’t only focus on intent. It focuses heavily on whether your business took reasonable steps to protect personal information and respond appropriately if something goes wrong.
In practice, an accidental breach can still trigger an investigation when:
- an affected individual complains to the OPC (or to you, and then escalates it),
- you notify the OPC because it’s a notifiable privacy breach,
- the incident becomes public (for example, a customer posts about it online), or
- there’s a pattern of poor privacy practices and repeated incidents.
What The Privacy Commissioner Actually Looks At
If the OPC gets involved, the focus is usually practical and evidence-based. They may look at:
- How the breach happened: was it a one-off mistake, or was the system set up to fail?
- Security safeguards: did you have reasonable security in place (passwords, MFA, access controls, encryption, staff training)?
- Policies and processes: did you have a privacy policy, internal procedures, and a plan for incidents?
- Your response: how fast did you contain the breach, and did you notify the right people?
- Harm assessment: what’s the likelihood of serious harm to individuals?
- Accountability: can you show what decisions were made, when, and why?
One of the biggest “pain points” for small businesses is not the breach itself - it’s being unable to demonstrate that you had reasonable privacy governance in place before the incident.
Notifiable Privacy Breaches: When You Must Notify The OPC And Affected People
Some Privacy Act breaches are more than just an internal IT issue - they become a legal notification issue.
Under the Privacy Act 2020, you must notify the OPC and affected individuals if a breach is a notifiable privacy breach (in broad terms, where it’s reasonable to believe the breach has caused, or is likely to cause, serious harm to the affected individual(s)).
What “Serious Harm” Might Look Like In The Real World
“Serious harm” isn’t limited to financial loss. It can include:
- identity theft or fraud risk (e.g. leaked ID documents)
- risk to personal safety (e.g. address details disclosed in a sensitive situation)
- loss of employment opportunities or professional harm
- humiliation or reputational harm (especially with sensitive personal information)
- blackmail or intimidation risk
Whether a breach is “notifiable” depends on context, including:
- what information was involved (and how sensitive it is),
- who received it (trusted recipient vs unknown third party),
- whether it’s protected (encrypted or password-protected), and
- what you did immediately to contain it (for example, recall access, reset credentials, ask the recipient to delete data).
There are limited situations where notifying affected individuals may not be required (for example, if notifying them would likely pose a risk to someone’s safety, or if another exception applies). If you’re unsure, it’s usually better to get advice early rather than guess - because failing to notify when you should can create bigger issues later.
What Should You Do Immediately After A Privacy Act Breach?
If you suspect a privacy breach, time matters. Your first few steps often determine how much damage occurs - and how defensible your response is if someone complains.
Step 1: Contain The Breach (Stop The Leak)
- Disable compromised accounts and reset passwords.
- Remove public links to files and lock down shared folders.
- Recover devices where possible, or remotely wipe them if appropriate.
- If data was sent to the wrong person, contact them immediately and request deletion (and confirmation in writing).
Step 2: Assess What Happened And What Data Is Involved
Write down what you know while it’s fresh:
- what happened, when, and how it was discovered
- what systems are involved (email, CRM, cloud storage, payroll system)
- what personal information may be affected
- how many individuals are affected
- who may have received or accessed the data
This is where having an established process really helps. A Data Breach Response Plan can save you a lot of guesswork, especially if you’re trying to manage the incident while still running your business.
Step 3: Decide If It’s A Notifiable Privacy Breach
Ask: is it reasonable to believe serious harm is likely?
If yes (or if it’s borderline and high-risk), you should seriously consider notifying:
- the Office of the Privacy Commissioner, and
- the affected individuals (unless a limited exception applies).
In many businesses, the stress point is “what exactly do we say, and how do we say it?” A properly handled Data Breach Notification should be accurate, clear, and not misleading - and it should focus on practical steps individuals can take (for example, password changes, credit monitoring, ID document re-issue).
Step 4: Document Your Response (This Is More Important Than You Think)
Even if you resolve the breach quickly, keep a record of:
- containment actions taken
- your assessment of risk/serious harm
- notification decisions (and what you told people)
- remedial steps to prevent a repeat incident
If the OPC investigates later, good documentation shows you took the incident seriously and responded responsibly.
Step 5: Fix The Root Cause (Not Just The Symptoms)
If a breach happened because of weak processes (for example, shared logins, no MFA, no staff training), it’s a sign your privacy compliance needs tightening. This is also the moment to update your contracts with IT providers, contractors, and anyone else who handles data on your behalf.
How Can You Reduce The Risk Of Privacy Act Breaches In Your Business?
The best way to avoid privacy act breaches isn’t to “be more careful” (although that helps) - it’s to build systems that make breaches less likely in the first place.
Here are practical steps that usually make the biggest difference for small businesses.
1. Get Clear On What Data You Collect (And Why)
A simple but powerful question: do you actually need all the personal information you’re collecting?
Reducing collection and storage reduces risk. For example, if you don’t need to store copies of identity documents after verifying someone, consider not keeping them (or keeping them only for a defined period with secure storage).
2. Put The Right External-Facing Documents In Place
If you collect personal information online (or even offline), you should be able to clearly explain:
- what you collect,
- why you collect it,
- who you share it with,
- how long you keep it, and
- how customers can access/correct it.
That’s where a properly drafted Privacy Policy is doing real work for your business - not just ticking a box.
3. Tighten Access Controls And Security Basics
You don’t need enterprise-grade systems to take reasonable steps. A strong baseline often includes:
- unique user logins (no shared accounts)
- multi-factor authentication (MFA) on email and cloud tools
- role-based access (staff can only access what they need)
- regular updates/patching for devices and software
- encrypted devices (especially laptops and phones)
- secure backups (with restricted access)
4. Train Your Team (Because Most Breaches Start With Humans)
Most small business breaches involve a moment of human error. Training doesn’t need to be complicated, but it should be consistent.
At a minimum, staff should know:
- how to identify phishing emails and suspicious links
- how to handle customer identity verification safely
- what to do if they’ve sent information to the wrong person
- who to report a suspected breach to internally
If you have employees handling personal information regularly, it can also help to have a clear framework for monitoring and internal privacy expectations. An Employee Privacy Handbook can be a practical way to set those rules out clearly (and consistently).
5. Be Careful With Workplace Cameras, Tracking, And Monitoring
Many privacy complaints come from “we installed a camera for security” situations - especially if staff weren’t properly informed, cameras capture areas people expect privacy (like break rooms), or footage is accessed too widely.
If your business uses surveillance, your policies and signage should be aligned with New Zealand privacy expectations. The same applies to tracking tools and monitoring software. If you’re unsure what’s reasonable, it’s worth checking your approach against the common compliance issues in Workplace Cameras.
What Penalties And Consequences Can Follow Privacy Act Breaches?
When people search “privacy act breaches”, they’re often asking the real question: “what’s the worst that can happen?”
The consequences depend on the facts, but for small businesses, the biggest impacts are usually a mix of legal, commercial, and operational risk.
1. Privacy Commissioner Complaints And Investigations
The OPC can make enquiries and investigate complaints. Often, the aim is to resolve the issue and improve compliance (for example, by changing processes, providing undertakings/assurances, or helping the parties reach a settlement).
Even when the outcome is “manageable”, the process can consume serious time and attention - which is a big cost for a small business team.
2. Compliance Notices And Enforcement Steps
In some cases, the Privacy Commissioner can issue compliance notices requiring an agency to do (or stop doing) something to comply with the Privacy Act 2020.
The OPC does not issue “privacy breach fines” in the way some overseas regulators do. However, there are offences under the Act in specific situations (for example, failing to comply with certain compliance notices, obstructing an investigation, or misleading the Commissioner), and those offences can involve fines.
3. Claims Through The Human Rights Review Tribunal (HRRT)
Some privacy disputes can escalate beyond the OPC process. If a complaint can’t be resolved, it may be referred to the Director of Human Rights Proceedings, who may decide to bring proceedings in the Human Rights Review Tribunal (HRRT). In some circumstances, an individual may also apply to the HRRT after going through the required steps.
The HRRT can award remedies (which may include damages) depending on the facts and the legal basis of the claim.
This is one reason it’s so important to treat privacy compliance as part of your “legal foundations”, not just an IT issue.
4. Reputation And Customer Trust
For many small businesses, trust is everything. One breach can lead to:
- lost customers and negative reviews
- contractual disputes (especially if you provide services to other businesses)
- increased scrutiny from partners and suppliers
- higher costs to secure systems and respond to complaints
In other words, even if the “penalty” isn’t a headline fine, the commercial fallout can still hurt.
Key Takeaways
- Privacy Act breaches can happen in any business - and many start with simple, accidental errors like misdirected emails, lost devices, or phishing.
- Under the Privacy Act 2020, intent isn’t the whole story; what matters is whether you took reasonable steps to protect personal information and responded appropriately.
- Some breaches are “notifiable”, meaning you may need to notify the Office of the Privacy Commissioner and affected individuals if serious harm is likely (subject to limited exceptions).
- Your first response should be to contain the breach, assess what information is involved, document what happened, and fix the root cause.
- Strong privacy practices are a business asset - they reduce complaints, protect your reputation, and help you grow with confidence.
- Having the right documents and processes in place (like a Privacy Policy and a data breach response plan) can make a major difference when something goes wrong.
If you’d like help setting up your privacy compliance, responding to a data breach, or reducing your risk of Privacy Act breaches, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.