Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, chances are you collect personal information every day - customer names, emails, delivery addresses, staff payroll details, supplier contact lists, and (depending on your industry) sometimes even more sensitive data.
That’s why a Privacy Act breach (or a privacy breach generally) can be a serious issue. It’s not just an “IT problem” or an admin mistake - it can quickly become a legal, operational, and reputational problem for your business.
The good news is that most privacy issues are manageable if you respond quickly and put the right systems in place. Below, we’ll break down what a privacy breach under the Privacy Act 2020 can look like in practice, what the risks are for businesses, and what to do next if it happens to you.
Note: This article provides general information only and doesn’t constitute legal advice. For advice about your specific situation, you should speak to a lawyer or the Office of the Privacy Commissioner (OPC).
What Is A Breach Of The Privacy Act (And When Does It Apply To Your Business)?
In New Zealand, the main privacy law businesses need to understand is the Privacy Act 2020. This applies to most organisations (including most small businesses) that collect, hold, use, or share “personal information”.
Personal information generally means information about an identifiable individual. This could include:
- a person’s name, phone number, email address, and home address
- customer order history and payment-related information (including where payments are processed via a third-party platform)
- employee files, rosters, performance notes, and payroll information
- health information (for some industries)
- CCTV footage where a person can be identified
So, what does a “breach” mean in this context?
A “breach of the Privacy Act” is often used as shorthand for a privacy breach - meaning personal information has been accessed, disclosed, lost, or used in a way that isn’t authorised or isn’t consistent with the Privacy Act’s requirements (including the Information Privacy Principles, often called “IPPs”).
In practical terms, a privacy breach often involves one (or more) of the following:
- Unauthorised access (for example, someone hacks an account, or a staff member accesses records they shouldn’t)
- Unauthorised disclosure (for example, you email personal data to the wrong recipient)
- Loss (for example, a laptop or USB is lost and it contains customer data)
- Improper use (for example, using customer information for a purpose they didn’t agree to)
Sometimes businesses think “we’re too small to be a target” or “we don’t have much data”. But if you collect personal information as part of doing business (even a simple email list), the Privacy Act is relevant - and so is the risk of a breach.
It’s also worth noting: you don’t need to have a cyberattack for it to be a privacy breach. Many privacy problems are caused by everyday admin errors and unclear internal processes.
Common Ways Small Businesses Accidentally Breach The Privacy Act
Most privacy issues we see aren’t caused by “bad intentions”. They’re usually caused by fast-moving operations, limited resourcing, and systems that grew organically (which is very normal for small businesses).
Here are some common scenarios that can lead to a privacy breach or non-compliance with Privacy Act obligations.
1. Emailing Or Messaging The Wrong Person
This is one of the most common scenarios. It might involve:
- sending an invoice containing someone’s address to another customer with a similar name
- accidentally CC’ing a whole mailing list instead of using BCC (exposing every recipient’s address to everyone else)
- sending staff information to the wrong team member
It sounds minor, but depending on what was disclosed, it can still be notifiable - and it can still damage trust.
2. Poor Access Controls Internally
If “everyone can see everything”, you’re creating unnecessary risk. For example:
- all staff have access to HR folders, payroll, or customer databases
- ex-staff still have access to shared drives or software accounts
- shared logins for key platforms (so you can’t track who did what)
Putting clear boundaries around access is often one of the easiest ways to reduce privacy risk. Many businesses support this with an internal Acceptable Use Policy so staff understand what they can (and can’t) do with systems and data.
3. Collecting More Information Than You Need
A lot of businesses collect extra fields “just in case”. Under the Privacy Act, you should generally only collect personal information that’s necessary for your lawful business purpose.
Collecting unnecessary information increases your compliance burden and increases the impact if something goes wrong.
4. Weak Cybersecurity Or Poor Data Handling Practices
Even if you outsource IT, you still need to take reasonable steps to protect the information you hold.
Practical examples that can cause problems include:
- no multi-factor authentication on email or admin accounts
- unpatched software
- customer information stored in spreadsheets with no access controls
- unencrypted devices (laptops, phones, USB drives)
- storing passwords in plain text
Many small businesses formalise their baseline controls through an Information Security Policy, which also helps show you’re taking privacy compliance seriously.
5. Not Being Clear With Customers About What You’re Doing With Their Data
If you collect personal information, you generally need to be transparent about what you collect, why you collect it, how you store it, and who you might share it with.
That’s why having a properly drafted Privacy Policy matters - not as a “website checkbox”, but as a practical way to set expectations and reduce disputes when something goes wrong.
What Happens If You Breach The Privacy Act In New Zealand?
If your business has a privacy breach (or otherwise doesn’t meet its Privacy Act obligations), the consequences depend on what happened, what information was involved, and whether the breach is considered “notifiable”.
Notifiable Privacy Breaches (And Why The “Harm” Test Matters)
Under the Privacy Act 2020, some privacy breaches must be reported to the Office of the Privacy Commissioner (OPC) - and, in many cases, to the affected individuals too.
Generally, a breach is notifiable if it has caused (or is likely to cause) serious harm to an affected individual.
Serious harm isn’t limited to financial loss. It can include things like:
- identity theft risk
- safety concerns (for example, where an address is exposed)
- reputational damage
- emotional distress
- discrimination risk (for example, where sensitive personal information is involved)
Even if a breach turns out not to be notifiable, you should still take it seriously and document your response. A well-documented assessment can make a big difference if questions come up later.
Regulatory And Legal Risks For Businesses
Depending on the situation, outcomes for a business can include:
- Customer complaints to the OPC (or directly to you)
- OPC engagement, including requests for information or guidance on next steps
- Reputation damage and loss of customer trust (often the biggest commercial risk)
- Operational disruption while you investigate and contain the breach
- Disputes with suppliers or software providers if their systems were involved
In more serious cases, privacy issues can also escalate into claims being made to the Human Rights Review Tribunal (HRRT), which can result in damages being awarded. The Privacy Act also includes offences in certain scenarios (for example, misleading an agency to obtain personal information).
The key point for business owners: privacy compliance is part of your overall risk management. Just like you’d manage health and safety or consumer law compliance, you want a workable plan for privacy too.
What To Do Next: Your Step-By-Step Response Plan
If you think your business has had a privacy breach (or even just a potential privacy issue), don’t panic - but do move quickly. Early action can reduce harm, reduce legal risk, and help preserve customer trust.
Here’s a practical step-by-step approach.
Step 1: Contain The Breach Immediately
Your first job is to stop the breach from getting worse.
- Recall the email (if possible) and follow up with the unintended recipient
- Disable compromised accounts and reset passwords
- Lock down access permissions or revoke access for ex-staff
- Secure lost devices (remote wipe, if enabled)
- Preserve logs and evidence (don’t destroy information you may need for investigation)
This is also where you should bring in the right people early - your IT provider, your operations lead, and your legal advisor (especially if you’re unsure whether it’s notifiable).
Step 2: Assess What Happened And What Information Is Involved
Next, you need a clear view of the facts. Try to work out:
- what happened (human error, phishing, system vulnerability, malicious access)
- what personal information was involved
- how many individuals are affected
- whether the information has been accessed, copied, or shared
- what protections were in place (encryption, password protection, access controls)
- the likelihood of harm to individuals
This is the point where many businesses realise they don’t have a written process to follow. Putting a plan in place ahead of time (and then following it) is far easier than trying to build the plane mid-flight. A tailored Data Breach Response Plan helps you do exactly that.
Step 3: Decide Whether It’s A Notifiable Privacy Breach
You’ll need to consider whether the breach is likely to cause serious harm.
Factors that often influence this include:
- the sensitivity of the information (financial, health, identity documents, etc.)
- whether the information is protected or encrypted
- who received the information (a trusted party vs an unknown person)
- whether the information could be used for identity fraud or harassment
- any steps already taken to reduce harm (for example, confirmation that the unintended recipient deleted the info)
If it’s borderline, it’s usually safer to get advice early. A fast check-in can save you weeks of stress later. Many businesses seek Privacy Advice at this stage to make sure their notification approach and messaging are appropriate.
Step 4: Notify The OPC And Affected People (If Required)
If it’s notifiable, you generally need to notify:
- the Office of the Privacy Commissioner, and
- affected individuals (unless a limited exception applies under the Act)
The notification should be practical and focused - people want to know what happened, what information was involved, what you’re doing about it, and what they should do next to protect themselves.
In many cases, you’ll want a clear process and written template ready to go, so your team isn’t drafting sensitive communications under pressure. That’s where a Data Breach Notification workflow can be very helpful.
Step 5: Fix The Root Cause And Prevent A Repeat
Once things are stabilised, you should treat the incident as a trigger to improve systems.
This might involve:
- updating access controls and password practices
- training staff on phishing and safe handling of personal information
- turning on multi-factor authentication
- reviewing vendor arrangements (for example, software providers and cloud platforms)
- updating internal policies and onboarding processes
If the breach involved employee records or workplace systems, it’s often a good time to tighten your internal privacy approach with an Employee Privacy Handbook so your team understands what monitoring exists (if any), what data is collected at work, and what the rules are around access and disclosure.
Step 6: Document Everything
Even when a breach isn’t notifiable, documenting your response is a smart move. If a customer complains later, you want to be able to show:
- when you became aware of the incident
- what immediate steps you took
- how you assessed seriousness and harm
- whether notifications were made (and what was said)
- what prevention steps you implemented
Good documentation is also useful internally - it helps you learn from what happened and build better systems over time.
How To Reduce Your Privacy Risk Going Forward (Without Overcomplicating It)
Privacy compliance can feel like “one more thing” on a long list. But the goal isn’t perfection - it’s having sensible, repeatable processes that fit the size and nature of your business.
Here are practical, high-impact steps most small businesses can take.
Do A Quick Personal Information Stocktake
If you don’t know what you collect and where it lives, it’s hard to protect it.
Map out:
- what personal information you collect (customers, staff, suppliers)
- where you store it (email, CRM, spreadsheets, cloud drives, paper files)
- who has access to it
- who you share it with (couriers, payment providers, marketing tools)
- how long you keep it
This exercise often highlights quick fixes (like removing access for staff who don’t need it, or stopping unnecessary collection fields).
Get Your External Messaging Right (So Customers Aren’t Surprised)
A lot of privacy disputes are really “expectation gaps” - the customer didn’t realise how their information would be used or shared.
Clear external messaging usually includes:
- a properly drafted privacy policy
- clear collection statements at checkout or enquiry forms
- consent language for marketing communications
This is especially important if you do email marketing, run targeted advertising, or use third-party platforms that process customer data.
Build Privacy Into Your Hiring And Offboarding
New team members need to understand privacy from day one, and offboarding needs to remove access cleanly.
Simple improvements include:
- privacy training during onboarding
- role-based access controls (so staff only see what they need)
- a checklist for deactivating accounts when someone leaves
Check Your Supplier And Contractor Set-Up
Even if a third-party service provider caused the incident, customers may still associate the breach with your brand - because you’re the business they trusted.
If you use contractors or service providers who can access customer or staff data (for example, IT support, virtual assistants, marketing contractors), it’s worth making sure your agreements clearly cover confidentiality, access limits, and what happens if there’s a breach.
Have A Plan Before You Need One
When a breach happens, time matters. If your team is scrambling to decide who does what, what gets reported, and what gets said to customers, the risk increases fast.
A good plan usually sets out:
- who is responsible internally (and who is a backup)
- how to escalate an incident
- how to assess “serious harm”
- how and when to notify
- how to document and review after the event
This is one of those areas where getting advice early can save you serious time (and stress) later.
Key Takeaways
- A Privacy Act breach (often referred to as a privacy breach) can happen through cyberattacks, admin errors, poor internal access controls, or unclear data practices - not just “big hacks”.
- The Privacy Act 2020 applies to most NZ businesses that collect or hold personal information, even if it’s just customer contact details.
- Some privacy breaches are notifiable if they’ve caused (or are likely to cause) serious harm - and may need to be reported to the OPC and affected individuals.
- If you suspect a privacy breach, act fast: contain the breach, assess what happened, decide if notification is required, notify if needed, and fix the root cause.
- Strong privacy foundations - like clear policies, restricted access, staff training, and a breach response plan - help protect your business and build trust with customers.
- If you’re unsure whether an incident is notifiable, or how to communicate with customers, getting tailored advice early can significantly reduce risk.
If you’d like help responding to a Privacy Act breach or privacy breach, updating your privacy documents, or putting a clear incident response plan in place, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.