Office of the Privacy Commissioner | Prosecution Policy
Purpose
This policy sets out the Privacy Commissioner’s objectives and guidelines for prosecutions under the Privacy Act 2020.
The purpose of the Privacy Act is to promote and protect individual privacy (Privacy Act 2020, s3). It does this by regulating how others collect, hold, use, and disclose personal information.
As the regulator under the Privacy Act, the Privacy Commissioner is responsible for taking enforcement action where necessary against those who breach the Privacy Act.
This policy sets out the circumstances in which a prosecution may be considered.
Solicitor-General’s Prosecution Guidelines | Te Aratohu Aru a te Rōia Mātāmua o te Karauna
The Privacy Commissioner adopts the Solicitor-General’s Prosecution Guidelines (Prosecution Guidelines) in full.
This policy is subject to the Prosecution Guidelines. If there is any conflict between this policy and the Prosecution Guidelines, the Prosecution Guidelines should be preferred.
The Privacy Commissioner
The Privacy Commissioner is an independent Crown entity and New Zealand’s privacy and data-protection regulator under the Privacy Act. The role of Privacy Commissioner is set out in the Privacy Act.
The Privacy Commissioner has broad functions enabling them to respond to possible breaches of the Privacy Act, including by:
- investigating complaints made by individuals about an agency interfering with their privacy, and who have not been able to resolve the issue with the agency (Privacy Act 2020, pt 5)
- investigating breaches of the Privacy Act
- receiving notice of notifiable privacy breaches (Privacy Act 2020, pt 6)
- inquiring into any matter if it appears to the Privacy Commissioner that the privacy of individuals is being, or may be, infringed upon (Privacy Act 2020, ss 17(1)(i) and 203).
To carry out the functions under the Privacy Act, the Privacy Commissioner has a number of powers, including the power to:
- summon people (Privacy Act 2020, s 86)
- require someone to provide information that may be relevant to an investigation (Privacy Act 2020, s 87)
- direct an agency to provide an individual access to the individual’s personal information (an access direction) (Privacy Act 2020, s 92)
- issue and enforce compliance notices (Privacy Act 2020, pt 6 sub-pt 2).
Offences under the Privacy Act 2020
Offences under the Privacy Act are punishable by fine only (this means they are “category 1 offences” under s 6(1) of the Criminal Procedure Act 2011). If someone (including a company) is prosecuted for an offence under the Privacy Act and convicted, the maximum fine the court can order them to pay is $10,000.
The following are offences under the Privacy Act:
- The Privacy Commissioner may direct an agency to provide an individual access to the individual’s personal information (an access direction). If an agency has not complied with an access direction, or appealed it, the affected individual may apply to the Human Rights Review Tribunal for an access order. Failing to comply with an access order without reasonable excuse is an offence (Privacy Act 2020, s 104).
- Typically, an agency must notify the Privacy Commissioner as soon as practical after becoming aware that a privacy breach has occurred that has caused serious harm, or is likely to do so (a notifiable privacy breach) (Privacy Act 2020, s 112(1)). Failing to notify the Privacy Commissioner of a notifiable privacy breach, without reasonable excuse, is an offence (Privacy Act 2020, s 118).
- The Human Rights Review Tribunal may make an order confirming, cancelling, or modifying a compliance notice issued by the Privacy Commissioner. It may also order an agency to do certain things in relation to a compliance notice. Failing to comply, without reasonable excuse, with these orders is an offence (Privacy Act 2020, s 133(3)).
- The Privacy Commissioner may prohibit a transfer of personal information from New Zealand to another country in certain circumstances (a transfer prohibition notice). Failing to comply with a transfer prohibition notice without reasonable excuse is an offence (Privacy Act 2020, s 197).
- Without reasonable excuse, obstructing, hindering, or resisting the Privacy Commissioner while they are carrying out their functions under the Privacy Act is an offence (Privacy Act 2020, s 212(1)(a)).
- Without reasonable excuse, refusing or failing to comply with any lawful requirement of the Privacy Commissioner is an offence (Privacy Act 2020, s 212(1)(b)).
- Making a statement or giving information to the Privacy Commissioner, knowing that the statement or information is false or misleading, is an offence (Privacy Act 2020, s 212(2)(a)).
- A person who represents directly or indirectly that they have the authority to do something under the Privacy Act when they do not (for example, by telling the Privacy Commissioner that they have authority to act on behalf of a person or agency) commits an offence (Privacy Act 2020, s 212(2)(b)).
- Misleading an agency by falsely pretending to be an individual or falsely pretending to be acting under the authority of an individual is an offence if it is done to obtain that individual’s personal information or have that individual’s personal information used, altered, or destroyed (Privacy Act 2020, s 212(2)(c)).
- Individuals may request access to their personal information or confirmation that it exists (Privacy Act 2020, s 22 IPP 6, pt 4 sub-pt 4). Destroying a document containing personal information, knowing that a request has been made in respect of that information, is an offence (Privacy Act 2020, s 212(2)(d)).
The Privacy Commissioner has authority to prosecute people for the above offences under the Privacy Act.
The Privacy Commissioner does not have authority to prosecute people under any other legislation, where an offence relates to personal information, unless that legislation specifically provides that authority.
Prosecution objectives
The Privacy Commissioner’s primary objectives for prosecution are to:
- uphold the integrity and effectiveness of the Privacy Commissioner’s functions under the Privacy Act
- deter non-compliance with the Privacy Act
- hold to account those who do not comply with their Privacy Act obligations.
Decision-making framework
Alternatives to prosecution
Before deciding if prosecution is an option for a case, a decision first needs to be made as to whether prosecution would be appropriate.
The Privacy Commissioner has enforcement options other than prosecution, and sometimes no action may be appropriate. The Privacy Commissioner will only consider prosecution if action needs to be taken and there are no available appropriate enforcement alternatives. Prosecution will not be considered if an alternative method of responding to the offending is available that can:
- effectively respond to the offending
- meet the needs of any victims, their whānau, and the broader community.
Test for Prosecution
If the Privacy Commissioner has decided to consider prosecution under the Privacy Act, the Test for Prosecution set out in the Prosecution Guidelines will be applied. The Test for Prosecution can be read in the section in the Prosecution Guidelines called Decisions to prosecute. The test is summarised in this policy. The Privacy Commissioner will apply the test to the specific facts of each case.
There are two components of the Test for Prosecution: the Evidential Test and the Public Interest Test. Both should be met before the Privacy Commissioner may lay charges.
Typically, the Evidential Test should be applied before the Public Interest Test. However, in some cases it may be clear to the Privacy Commissioner from the outset that a prosecution is not in the public interest. In these cases, a decision may be made to not prosecute without a detailed evidential assessment.
Evidential Test
For the Evidential Test to be met, the Privacy Commissioner should be satisfied there is enough evidence to prove the charge beyond reasonable doubt. “Beyond reasonable doubt” is a legal term used to describe the standard that something must meet before it can be proven.
When considering whether there is enough evidence for prosecution, the Privacy Commissioner will examine the evidence against the following principles:
- availability – only evidence that can be made available in court should be considered
- admissibility – only evidence that can reasonably be expected to be admissible in court should be considered
- credibility – only evidence that is capable of belief should be considered
- reliability – only reliable evidence should be considered.
The Privacy Commissioner will also consider whether the would-be defendant has an obvious defence that could succeed.
Public Interest Test
The Privacy Commissioner is not required to prosecute all offences for which there is sufficient evidence and will exercise discretion to decide whether the Public Interest Test is met in each case.
For the Public Interest Test to be met, the Privacy Commissioner should be sure the public interest requires prosecution as a response to the offending. The term “public interest” relates to ideas of justice and fairness. Factors specific to the case as well as broader factors will be relevant to what is in the public interest. An example used in the Prosecution Guidelines of a relevant broader factor is court availability following a large natural disaster.
The Privacy Commissioner will consider the facts of each case when deciding if prosecution is in the public interest. Among other things, the Privacy Commissioner will consider:
- the nature of the offending
- the personal characteristics and circumstances of the would-be defendant
- the interests of the victim
- alternative methods for resolving the matter.
The cost of a prosecution (including the use of the Privacy Commissioner’s resources) is a relevant factor the Privacy Commissioner will consider when deciding if prosecution is in the public interest. All prosecutions must be cost-effective.
Due to the regulatory nature of any prosecution by the Privacy Commissioner, the following are also relevant considerations:
- the purposes of the Privacy Act (Privacy Act 2020, s 3)
- the Privacy Commissioner’s duty to act independently (Privacy Act 2020, s 20)
- the Privacy Commissioner’s functions as set out in the Privacy Act (Privacy Act 2020, ss 17-18)
- the matters set out in the Privacy Act that the Privacy Commissioner must consider when making decisions (Privacy Act 2020, s 21)
- the Privacy Commissioner’s regulatory compliance objectives as set out in the Compliance and Regulatory Action Framework
- whether the offence has damaged the effectiveness or integrity of the Privacy Commissioner’s functions
- whether another prosecuting agency has brought or may bring proceedings in respect of the same conduct.
Review of charges
- After deciding to prosecute, the Privacy Commissioner will continue to review the decision to prosecute throughout the life of a case. This is to ensure that it is still appropriate to continue with the prosecution and that the charges are still correct.
- If the Privacy Commissioner considers that the Test for Prosecution is no longer met, the prosecution will be stopped as soon as practical. If the Privacy Commissioner considers the charges should be changed, they will ask the court to amend the charges if it is fair to do so.
- The Privacy Commissioner can revisit the Test for Prosecution at any time, but should do so if:
  - new information or evidence is discovered that either contradicts some of the evidence to be relied upon or otherwise weakens the prosecution case
  - new material information is received, or there is a material change in circumstances, relevant to what was considered as part of the Public Interest Test.
Prosecution decision and responsibilities
- If, during the course of an investigation, OPC staff believe that prosecution should be considered, this will be brought to the attention of the Privacy Commissioner or Deputy Privacy Commissioner. It is the responsibility of the Privacy Commissioner or Deputy Privacy Commissioner to decide whether prosecution should be considered.
- If prosecution is to be considered, the matter will be referred to the Privacy Commissioner’s legal team for advice.
- It is the responsibility of the Privacy Commissioner’s General Counsel to provide a recommendation to the Privacy Commissioner for or against prosecution. If General Counsel recommends prosecution, the recommendation will include draft charges. Depending on resourcing, General Counsel may seek external legal advice before making the recommendation.
- The Privacy Commissioner is responsible for the final decision to prosecute under the Privacy Act and what charges should be laid.
- Following legal advice, the Privacy Commissioner is responsible for deciding whether to continue prosecution if circumstances change.
- The Solicitor-General’s consent is required for most prosecution appeals. Following legal advice, the Privacy Commissioner is responsible for the decision to seek consent from the Solicitor-General for an appeal.
- The Prosecution Guidelines state that some decisions should be made by senior managers. Other than the above responsibilities, decisions to be made by a senior manager may be made by the Privacy Commissioner or Deputy Privacy Commissioner, with advice from the General Counsel.
- Any decision to prosecute, and the reasons for the decision, should be recorded in writing.
Other agencies
The Privacy Commissioner is not the exclusive prosecuting authority under the Privacy Act. The New Zealand Police may initiate a prosecution independently of the Privacy Commissioner.
Counsel for the Privacy Commissioner
Prosecutions under the Privacy Act are conducted by in-house legal counsel within the Office of the Privacy Commissioner where counsel are qualified to undertake prosecution functions. Taking into account the Privacy Commissioner’s resourcing, including whether the Commissioner has available staff who are sufficiently qualified to undertake prosecution functions, prosecutions may be briefed in full or partly to the local Crown Solicitor.
Counsel for the Privacy Commissioner will act fairly, promptly, and in accordance with the law, including their responsibilities under the Lawyers and Conveyancers Act 2006.
| Policy owner | Legal Compliance Working Group |
| Policy administrator | Legal team |
| Date approved | 31 March 2026 |
| New review date | March 2029 |
| Version | 2.0 |
| Related policies and legislation | |