Which agency reports a privacy breach?

Any agency - a business or organisation - that holds personal information is responsible for reporting serious privacy breaches.

An organisation remains responsible for reporting any privacy breaches when it uses another organisation to handle a task on its behalf, such as storing data or files or processing a mail-out run. The contract between the two agencies should include a clause requiring the processing organisation to notify the responsible organisation of any privacy breach.

When an organisation passes information to another organisation for that organisation's own use (for example, to provide health services), the organisation providing the service is responsible for reporting the breach to the Privacy Commissioner. The contract it operates under might also require it to report the incident to the source agency.

Section 11 of the Privacy Act 2020 sets out when one agency is treated as holding personal information and when both agencies "hold" the personal information.

Our guidance on working with third-party providers contains information on reporting privacy breaches.

We also have more information on notification in our Breach Management guidance.

You can contact the team at compliance@privacy.org.nz if you have any further questions.

Updated November 2025