What is serious harm?

Some types of information, such as biometric, health, or credit information, are inherently more sensitive than others, and therefore more likely to cause serious harm if that information were to be involved in a privacy breach. The assessment of whether serious harm has occurred, or is likely to occur, considers factors such as measures to contain the information, the nature of the harm that may be caused, and whether any unintended recipient of that information may cause harm to the person that the information is about. You should also consider what you know about the people who have been impacted by the breach, as some people are particularly vulnerable or at a greater risk of harm. For example, victims of family violence. 

Types of serious harm include:

• Physical harm or intimidation.
• Financial fraud, including unauthorised credit card transactions or credit fraud.
• Identity theft.
• Psychological or emotional harm.
• Employment harm such as the loss of a job opportunity or work assignment.
• Blackmail e.g. threat of publishing sensitive information.
• Threats to national security.
• Kidnapping.
• Theft of significant amounts of money.
• A risk that an individual’s life could be in danger.
  
  

If an affected individual complains about how they have suffered a breach of privacy by an organisation, this may help to identify the types of harm experienced. Organisations should work with affected individuals to identify the type of serious harm suffered as a result of a privacy breach.

If you suspect a privacy breach may result in imminent harm to an individual, you should notify the NZ Police immediately before reporting the breach to OPC through Notify Us. We have more guidance on breach management in our Poupou Matatapu guidance.