Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Running a small business usually means you’re wearing a few hats at once - owner, manager, HR, finance, and (whether you like it or not) “the person responsible for data”.
That’s why privacy breaches can feel especially stressful. One wrong email, a stolen laptop, an over-shared spreadsheet, or an unauthorised CCTV clip, and suddenly you’re dealing with legal obligations, staff questions, customer complaints, and reputational damage.
The good news is that most privacy breaches are manageable if you act quickly and have the right compliance foundations in place. This guide breaks down what a privacy breach is, what the Privacy Act 2020 expects from employers, and the practical steps you can take to prevent and respond to breaches in a way that protects your business.
What Counts As A Privacy Breach (And Why Employers Often Get Caught Out)
A privacy breach is essentially when personal information is accessed, used, disclosed, altered, lost, or destroyed in a way that isn’t authorised and/or puts people at risk.
As an employer, you may hold personal information about:
- employees (pay, bank details, performance notes, medical certificates, emergency contacts)
- job applicants (CVs, referee reports, interview notes)
- contractors and suppliers (contact details, IDs for onboarding or site access)
- customers (if you’re customer-facing, especially if you also provide services)
Common Privacy Breaches We See In Small Businesses
Privacy breaches don’t always look like “hacking”. Many are simple day-to-day mistakes, like:
- Sending an email to the wrong person (for example, attaching a payslip, medical certificate, or warning letter to the wrong recipient)
- Over-sharing internally (for example, a manager forwarding sensitive HR information to people who don’t need it)
- Accidental disclosure (for example, using CC instead of BCC for a customer mailing list)
- Lost or stolen devices (phones, laptops, USBs with employee/customer data)
- Insecure storage (open shared drives, unlocked filing cabinets, spreadsheets saved to personal accounts)
- Collecting more information than necessary (for example, asking for personal information you don’t reasonably need for the purpose)
- Unauthorised surveillance access (for example, workplace camera footage being accessed or shared improperly)
Even if the breach was unintentional, it can still be a breach - and it can still create real consequences for your business.
Why Privacy Breaches Are A Business Risk (Not Just A Legal Problem)
When you’re busy, it’s tempting to treat privacy compliance as a “tick-the-box” issue. But privacy breaches can create broader risks that hit small businesses harder than large organisations.
Here’s what’s usually at stake:
- Loss of trust from your staff (and customers, if customer data is involved)
- Business disruption while you investigate and contain the incident
- Complaints to the Office of the Privacy Commissioner (OPC)
- Employment disputes if an employee’s information is mishandled (for example, medical details being shared inappropriately)
- Reputational harm in a market where word travels fast
It’s also worth remembering that privacy breaches can overlap with other compliance areas. For example, if you use CCTV or other monitoring tools at work, you’ll want to make sure your approach is lawful and clearly communicated through your policies (a solid Workplace Policy can make a big difference here).
What Does The Privacy Act 2020 Require From Employers?
In New Zealand, the Privacy Act 2020 sets the rules for how you collect, store, use, and disclose personal information. The principles are designed to be practical - but they still require you to take privacy seriously as part of running your business.
Key Duties That Matter Most For Employers
While the Act includes a range of information privacy principles, employers usually need to focus on these areas:
- Collect only what you need: If you don’t need it for a lawful purpose connected to your business, don’t collect it “just in case”.
- Be clear about why you’re collecting information: People should understand the purpose (for example, payroll processing, health and safety compliance, performance management).
- Keep information secure: You’re expected to take reasonable steps to protect personal information from loss, unauthorised access, or misuse.
- Limit access internally: Not every staff member should have access to HR files or sensitive customer lists.
- Don’t disclose unnecessarily: Sharing personal information (even internally) should be on a “need to know” basis.
- Allow access and correction: Employees and others generally have the right to request access to their personal information and ask for corrections.
If you’re collecting personal information through your website, onboarding forms, or client portals, having a clear Privacy Policy is one of the simplest ways to set expectations and show you’re treating privacy seriously.
When Does A Privacy Breach Become “Notifiable”?
One of the biggest compliance questions employers ask is whether they need to report a privacy breach to the Privacy Commissioner and/or notify affected people.
Under the Privacy Act 2020, you must notify the Privacy Commissioner (and usually the affected individuals) if the breach is a notifiable privacy breach - meaning it has caused, or is likely to cause, serious harm to the affected individuals.
“Serious harm” depends on the situation. It can include:
- risk of identity theft or financial loss (for example, bank details disclosed)
- risk to physical safety (for example, home address disclosed in a sensitive context)
- serious emotional distress or humiliation (for example, health information or disciplinary information leaked)
- reputational harm (depending on the information and the context)
If you determine a breach is notifiable, the Act expects notification to happen as soon as practicable after you become aware of the notifiable breach. There are also limited exceptions where you may not have to notify affected individuals (for example, where notification would create a serious threat to safety or would prejudice the maintenance of the law), but these exceptions are narrow and should be considered carefully.
Because this assessment is fact-specific, it’s worth getting advice quickly if you’re unsure. The decisions you make early on (and how well you document them) can matter later.
A Step-By-Step Privacy Breach Response Plan For Employers
When privacy breaches happen, the most important thing is to act quickly and methodically. You’re trying to contain the issue, reduce harm, and meet your legal obligations - without making the situation worse through rushed decisions.
Here’s a practical response framework that works well for most small businesses.
Step 1: Contain The Breach Immediately
Your first job is to stop the breach from continuing. Depending on the incident, this might mean:
- recalling an email (if possible) and asking the recipient to delete it without opening/forwarding
- resetting passwords and revoking access
- recovering a device or remotely wiping it
- taking a compromised system offline
- securing physical files or restricting access to a shared drive
Tip: don’t “cover it up” or try to quietly fix it without recording what happened. Good documentation is part of good compliance.
Step 2: Work Out What Information Was Involved
Do a quick but careful fact-find:
- What personal information was involved? (names, addresses, payroll data, health info, IDs)
- Who is affected? (one employee vs an entire staff list)
- Who received it or accessed it? (trusted supplier vs unknown third party)
- Was the information encrypted or password-protected?
- Has the information been copied, forwarded, or published?
This is also the point where it’s helpful to check your internal rules about data handling. If you have an Information Security Policy, follow it closely - consistency helps show you’re taking reasonable steps.
Step 3: Assess Whether It’s A Notifiable Privacy Breach
Now you’re asking: is this likely to cause serious harm?
Factors that commonly push an incident into “notifiable” territory include:
- sensitive information (health, disciplinary, ID documents)
- information that could be used for fraud (bank details, IRD numbers)
- unknown recipients or public exposure
- evidence of malicious intent (hacking, theft, disgruntled insider)
If you decide it’s not notifiable, you should still keep a record of how you assessed that and what steps you took to contain the risk.
Step 4: Notify The Right People (If Required)
If the breach is notifiable, you generally need to notify:
- the Office of the Privacy Commissioner
- affected individuals (unless a specific exception applies)
Even if it’s not strictly notifiable, you may still choose to notify affected individuals as a trust-and-risk-management step (for example, if employees need to watch for scam emails or reset passwords).
In practice, you’ll want notifications to be clear and calm, including:
- what happened (in plain English)
- what information was involved
- what you’ve done to contain it
- what the affected person should do next (practical steps)
- who they can contact at your business
It also helps to have a simple internal template and process ready to go, so you can act quickly without scrambling for wording when you’re under pressure.
Step 5: Fix The Root Cause (So It Doesn’t Happen Again)
Once the urgent part is under control, move into “prevention mode”. Ask:
- Was this human error or a system failure (or both)?
- Was access too broad? Should permissions be tightened?
- Do staff need training or clearer processes?
- Are you relying on insecure tools (personal email accounts, unprotected spreadsheets)?
This is also the point where many businesses realise they need to tighten up employment processes. For example, if staff handle personal information as part of their role, you may want specific privacy and confidentiality obligations in your Employment Contract and consistent internal policies.
Step 6: Document Everything
Privacy compliance is not just about doing the right thing - it’s also about being able to show you did the right thing.
Keep a clear internal record of:
- what happened and when
- how you contained it
- your notifiability assessment
- who you notified and what you said
- remediation steps you took
If a complaint comes later, good records can make the difference between a manageable process and a messy one.
How To Prevent Privacy Breaches In The First Place (Without Overcomplicating It)
Most small businesses don’t need enterprise-level systems to reduce privacy breaches. What you do need is a clear, practical set of habits and rules - and for your team to actually follow them.
1) Limit Access To “Need To Know”
A very common cause of privacy breaches is simply too many people having access to too much information.
Practical steps include:
- restrict HR folders to HR/owners only
- separate general staff files from sensitive files (like medical information)
- use role-based permissions in your payroll and HR systems
- avoid shared logins (individual logins make accountability easier)
2) Train Managers On Handling Employee Information
Managers are often handling the most sensitive information - performance issues, complaints, medical certificates, investigations - and they may not realise how quickly a privacy breach can happen through a casual comment or an email chain.
Clear internal guidance and regular refreshers can help set expectations around collection, access, and disclosure in a way that’s tailored to a workplace context.
3) Tighten Your Hiring And Onboarding Processes
Recruitment creates privacy risk too. You might be holding CVs, background checks, reference notes, and interview scoring - all of which can be personal information.
It’s worth having a consistent process for:
- who can access applicant information
- how long you keep unsuccessful candidate records
- how you store and dispose of recruitment information
4) Have A Clear Plan For Access Requests
Employees can request access to their personal information (and sometimes former employees do too). If you don’t have a process, these requests can become messy fast - especially if records are scattered across email inboxes and informal notes.
Having a simple written procedure (and a consistent way to log and track requests) helps you manage requests in an organised way, including tracking what was requested, what you searched, and how you responded.
5) Watch Your Marketing Lists And External Communications
It’s easy to forget that mailing lists and customer databases often contain personal information. Mistakes like using CC instead of BCC, or exporting lists to insecure spreadsheets, can quickly become privacy breaches.
If you do email marketing, make sure your practices are consistent with the Unsolicited Electronic Messages Act 2007 (spam rules) as well as privacy expectations - especially around consent and opt-outs. If you’re unsure where the lines are, email marketing laws are a good compliance checkpoint to get right early.
6) Review Your Contractors And Service Providers
Many small businesses use third parties for payroll, IT, bookkeeping, recruitment, or cloud storage. If a provider mishandles personal information, you may still be dealing with the consequences in your workplace relationships and brand reputation.
At a minimum, check:
- what access they have to personal information
- what security measures they use
- what happens if there’s a breach (who tells whom, and how quickly)
This is where tailored contract terms and privacy clauses can be a smart investment - especially if the provider is handling sensitive staff information.
Key Takeaways
- Privacy breaches are not just “cyber incidents” - common causes include misdirected emails, over-sharing internally, insecure file storage, and lost devices.
- As an employer, you hold sensitive personal information about employees and applicants, so you should treat privacy compliance as part of your core risk management.
- The Privacy Act 2020 requires you to take reasonable steps to protect personal information and (in serious cases) notify the Privacy Commissioner and affected individuals as soon as practicable after you become aware.
- A practical privacy breach response plan should focus on containment, fact-finding, assessing serious harm, notification (if required), remediation, and good documentation.
- Preventing privacy breaches usually comes down to clear workplace rules, limited access, manager training, and simple systems that your team can follow consistently.
- Putting the right policies and documents in place early helps you stay protected from day one - and reduces the chance of a stressful breach later.
If you’d like help reviewing your privacy compliance, preparing for privacy breaches, or putting the right policies and employment documents in place, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.