If your agency (business or organisation) has a privacy breach that has caused (or might cause) serious harm, then you need to notify us. This is a legal obligation under the Privacy Act. Ideally you’ll do that within 72 hours after you’re aware that you have a notifiable breach, even if you’re still investigating it.

  • Please use the tools on this page to notify us so we can manage our workflow and help you faster.
  • You can tell us what happened without sending us personal information.

You also need to tell the people who’ve been affected by your breach as soon as you can (unless an exception applies).

Check whether your breach needs to be notified

Our notification self-assessment tool will help your agency decide whether you need to notify us or not. It’s intended as a guide, not a final ruling. Agencies are still responsible for making their own assessment (sections 112–117 of the Privacy Act).

At the end of the self-assessment you have the option to go on to complete the NotifyUs report form.

Notify your privacy breach

Notify us of your privacy breach

Update us about your breach

NotifyUs will step agencies through the report form with guidance at every stage. There are answer choices for most questions. Download a copy of this information as a handy checklist (opens to PDF, 366KB).

Here is what you will be asked:

Contact details for your agency (business or organisation) 

  • Name of the organisation
  • NZBN number (optional)
  • Sector
  • Industry classification 

Your contact details, so we know who we’re working with

  • Full name
  • Job title
  • Email
  • Phone number

Timeline about when the breach occurred

  • Is the problem that caused this breach ongoing?
  • The date of the breach
  • The date the breach was identified by your organisation

About the breach

  • How many people were affected (if known)
  • The type of personal information involved in the breach
  • The type of breach (i.e. what caused it)
  • If you know where the information has gone, and if so, where?

Likely harm - you will be asked to indicate how serious the privacy breach is. Cultural perspectives of harm may also be relevant.

  • How sensitive is the information that is involved in the breach?
  • Who has obtained or may obtain the information?
  • Do you have control of the information now?
  • What type of harm may be caused by the breach?

Read about ‘What is serious harm?’

Read about ‘What is an adverse consequence or harm?’

For each type of harm you identify, what do you think the impact of the harm will be? Consider cultural perspectives here too.

  • How likely is it that someone will be harmed because of this breach?
  • What steps have been taken to reduce the risk of harm from this breach?
  • Are there security measures in place that protect the information from being accessed?

Depending on the answers to the above questions, you might also be asked:

  • Is someone's physical safety in immediate danger?
  • Is someone’s psychological safety at immediate risk?
  • Is someone at immediate risk of serious financial harm?
  • Are there cultural considerations of danger and risk we need to make?

Notifying affected people

  • Have you notified the people affected by the breach?
  • If you have, you will need to tell us what you have done to notify the people affected.
  • If you haven’t, you will need to tell us why you haven’t notified the people affected.
  • If you’re relying on permitted exceptions to not notify the people affected, you will need to tell us which exceptions and why (the tool will list these exceptions for you).
  • If you are delaying notifying people affected, you will need to tell us why, and for how long.
  • If you are relying on giving public notice to notify the people affected, you will need to tell us why.

Other organisations or authorities

  • Were any other organisations affected by the breach?
  • If yes, tell us who, and explain how they were affected.
  • Has the breach been reported to other authorities?
  • If yes, what authorities has the breach been reported to?

Have you contacted any organisations (such as CERT, ID Care, Netsafe, or any other) that might be able to provide support to your organisation or people affected by the breach?

Final step and adding documents

As a last step you will be asked to provide any further information you think may be relevant to the breach. There is a free text field and an option to upload supporting documents. Please don’t send us personal information of your customers or clients in these attachments.

Working under secrecy

To make sure you can work with us in a free and frank manner, we are bound by a secrecy obligation. Read more about what that means for your agency.

Read more about ‘What can and can’t you (OPC) share with me?’

Has someone breached your privacy?

This page is for businesses and organisations to use. Individuals with privacy complaints should complain to the Privacy Commissioner.