Do I get updates from you if I’m part of a privacy or data breach?

"An agency has told me I’ve been affected by a data breach, and they have notified the Office of the Privacy Commissioner. Will your Office contact me or inform me of the results?"

An agency (business or organisation) needs to notify the Office of the Privacy Commissioner if there has been a data breach that has caused or is likely to cause serious harm to people. Read about what serious harm means. They also need to tell the people affected unless an exception applies.

The information that the agency needs to tell us about the breach doesn’t include the name(s) of affected people. Because of this, and our secrecy obligations, we do not contact affected peopled directly about breach notifications.

If you want to know more information about an agency’s response to the breach, you should ask the agency. If you’re concerned that your privacy has been breached, you need to complain to the agency directly before you complain to us. You can find more information about making a complaint in the resolving privacy issues section of our website.

More information about our secrecy obligations when carrying out compliance functions are available in our privacy statement. This may also limit the information we are able to give about a breach when asked. 

Updated November 2025