Nau mai, haere mai

Your privacy is precious; let us help you protect it.

Inquiry into Manage My Health breach
Updated statement on Manage My Health (MMH)
Information for people impacted by MMH data breach
Information for affected primary care providers (MMH)
New Zealand needs Privacy Act modernisation
Have your say on IPP3A in codes of practice
Use our response calculator
Send an enquiry
Lodge a privacy issue with another agency
Notify Us of a breach

Manage My Health privacy breach

Manage My Health(external link) provides patient portal services to health providers and their patients (registered users).

On 1 January 2026, Manage My Health notified us that it had been affected by a serious cyber incident involving the sensitive health information of thousands of users. Ransom hackers accessed and downloaded documents stored in the My Health Documents section of Manage My Health, including:

files uploaded by individual users such as correspondence, reports or results
hospital discharge summary documents for Northland Hospital patients (including clinical letters)
referral letters from GPs to specialists and other health providers between 2017 and 2019.

Information for people impacted by this breach - learn how to find out if you're impacted, how to secure your personal information, and how to make a privacy complaint.

Information for affected primary care providers - Manage My Health has notified us about their breach so primary care providers do not need to formally notify OPC about the breach.

Sharing information to protect the wellbeing and safety of children and young people

New guidance is now available. Read the guidance.

People working in the children’s sector will often need to work together to ensure children and young people are getting the services and supports they need to be safe, protected from harm and to thrive and succeed.

This means making sure relevant information about the child or young person is shared with the right people at the right time in the right way.

Learn how to share information for the wellbeing and safety of children and young people.

Our work is part of an integrated government response(external link) relating to the Dame Karen Poutasi review in 2022(external link). (external link)Read our 9 October 2025 media release.

Learn about IPP3A

Our guidance is published! Read it now, including guidance for archiving in the public interest.

On 1 May 2026 IPP3A will come into force and all organisations will need to have their systems in place to comply with the new requirements by then. Read our IPP3A 'focus area' page that will help you find your way through.

If an agency has collected personal information indirectly, IPP3A requires them to take reasonable steps to make sure that the person concerned is told:

that the information has been collected
the purpose of the collection
the intended recipients of the information
the name and address of the agency that is collecting the information and the agency that holds the information
whether the collection is authorised or required by law and which particular law
their right to access and correct their information.

Make a privacy complaint

We're keen to work with New Zealanders to get their privacy queries and complaints sorted quickly and fairly. Before you complain to us, you need to complain directly to the business or organisation that you feel has breached your privacy.

If you haven’t been able to work out your privacy issue with them, then you can complain to us. We aim to ensure that you're treated fairly, whatever your background or circumstances. We work in accordance with the Human Rights Act 1993.

Read our tips about using AI to contact us
Lodge a privacy issue with another agency(external link).
Use our Response Date Calculator for access and correction requests.
Answer your questions about privacy breaches.
Fill in our online enquiry form.
Make a privacy complaint to us(external link).

Being affected by a privacy breach can be distressing and emotionally harmful. Read about managing your mental distress.

We review all the complaints we receive. If we can resolve them quickly, we will. If your case requires a complicated or comprehensive investigation, then owing to high volumes, the wait time for an investigator is at least six months, and likely longer. Another agency may be able to help you quicker than that. See our list of other dispute resolution schemes.

Agencies: report a data breach

If you're an organisation and have a privacy breach that is likely to cause anyone serious harm, you are legally required to notify us and any affected persons as soon as you can.

As a guide, our expectation is that a breach notification should be made to our Office no later than 72 hours after agencies are aware of a notifiable privacy breach. Work out whether you need to notify us.

How long is 72 hours(external link)?

Do I need to notify my privacy breach(external link)?

Notify Us of a privacy breach

Use our free e-learning tools

We can help you and your workmates learn about privacy, or sharpen your skills with our free e-learning tools. There are 10 free courses to choose from, and they are all run as online learning modules. Learn at your own pace and receive a certificate of completion.

Topics range from Privacy 101 to specialist topics like health and education. You can learn more about reporting privacy breaches, approved information sharing agreements (AISA) and more.

Get learning with our e-learning modules.

Our news and views

Read our latest media releases and news.

Subscribe to Privacy News, our free monthly newsletter.

See case notes and court decisions.

Order free brochures for your customers or clients.

Come and work with us

When you work here you’re serving New Zealanders and their right to privacy. We’re a small but mighty Office full of well-read people who are interested in the world and what happens in it. Kindness matters here, which creates a great place to work. Find out more about working here, check for vacancies, and read about our recruitment process.