
Your responsibilities

Privacy breaches are a reality for organisations that hold people's personal information. Businesses and organisations can lose personal information through complacency, inadequate security, poor procedures, or by accident. Privacy breaches can range from the low end when a single person’s information is affected through to the high end when hundreds of thousands of people are affected. 

It’s vital for your organisation's reputation and its relationship with the people whose information you hold that you do everything you can to prevent a privacy breach from happening. If a privacy breach occurs, it’s important you work to minimise the harm to both the people affected and your agency. 

Below are some tips to help your organisation identify risks and prevent privacy breaches. Included in each section are links to breach notes, which are anonymised case studies based on past privacy breach notifications and investigations to give you an idea of how you can respond to a breach. We look at each breach and complaint on a case-by-case basis, and their outcomes depend on their own facts and circumstances.

Physically securing personal information

Physical security is an important part of protecting personal information, whether it’s in a paper file or on a device such as a laptop, smartphone, tablet, USB stick or portable hard drive.

Lock sensitive files and devices in secure cabinets at the end of each day, and make sure the last person to leave locks the workspace. If staff need to take files or devices out of the office, make sure they don’t leave them unattended in public places or visible in homes or parked cars.

You can also put measures in place to minimise the damage if a device goes missing. If you can access personal information through a device, it should have a strong password or encryption. Delete personal information from a device if you no longer need it – if it’s not on the device, it’s not at risk.

If somebody steals a file or device, report it to Police and let them know whether the stolen item contains sensitive information. If you have a serious privacy breach you need to notify the Privacy Commissioner and consider whether to notify affected individuals. Our online tool NotifyUs can help you check whether your privacy breach is serious and needs to be notified to OPC.


Sending personal information to the wrong recipient

Sending electronic information to the wrong recipient is the most common type of privacy breach reported to us. If your agency is sending personal information by email, staff should double-check that it will go to the right recipients before they send it.

You can take easy measures to make emailing more secure, such as a short delay on emails sent to recipients outside the agency, or pop-ups that remind staff to check that they’ve entered the correct recipient address. These steps reduce the risk of human error. For mass emails, double-check that all recipient addresses are in the ‘BCC’ field, so recipients cannot see each other’s addresses.

Email attachments can also lead to privacy breaches. Staff should always check that they’re sending the right attachment, and that it doesn’t include any personal information the recipient shouldn’t see.

Spreadsheets pose a particular risk because of how much information they can contain. If you must send information in a spreadsheet, check that there isn’t any sensitive information hidden in other worksheet tabs, hidden rows or columns, or the source data behind pivot tables, and protect the document with a password. Also consider whether you can extract just the information the recipient needs instead of sending the whole spreadsheet.

If you accidentally disclose personal information, act quickly. First, send a follow-up email to the person or organisation that was mistakenly sent your email, asking them not to open it and to delete it as soon as possible.

Second, alert your manager or your workplace privacy officer. Both can help assess the seriousness of the breach and decide what to do next. For example, if it is a work-related email, your workplace might decide to contact the person whose information was included in the breach to let them know and to apologise for the error. This is likely to be appropriate if the information is sensitive, such as health or financial information.

Treat an email breach as a privacy breach and respond accordingly. If it is serious you must notify the Privacy Commissioner and you will need to consider notifying affected individuals. See NotifyUs.


Disclosing personal information inappropriately

Under the Privacy Act, organisations cannot disclose personal information unless a specific exception applies. Disclosing information when an exception doesn’t apply can lead to a privacy breach, even if it was unintentional.


Preventing employee browsing

Organisations have an obligation to prevent their employees from inappropriately accessing customer information – a practice called employee browsing. Have clear policies about employee browsing in your agency’s code of conduct, including consequences for being caught inappropriately accessing personal information about customers and clients.

Take steps to make sure your staff follow your policies, such as:

  • regularly reminding staff that access to information is for official work purposes only
  • only giving staff access to the information they need for their work
  • requiring staff to justify their access, either at the time of seeking access or retrospectively
  • regularly checking how often staff access information and following up on any unusual activity
  • conducting random audits comparing a staff member’s database access with the customers they’ve worked with in a given timeframe.

Whatever systems you have in place, make sure your staff know about them; staff are far less likely to access information inappropriately if they know it will be detected.
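As an added example (not code from this page or from OPC), the last two checks in the list above, comparing how often staff access records and which customers they actually worked with, can be implemented as a simple audit over an access log. The log format, field names, staff and customer identifiers and case assignments below are all constructed for illustration:

```python
"""Employee-browsing audit (added example; identifiers and log format are assumptions).

Compares a constructed record-access log against the customers each staff
member was assigned in the same period, and flags:
  - accesses to customers the staff member had no recorded work with, and
  - staff whose access volume is unusually high compared with their peers.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access log: timestamp, staff_id, customer_id, action
ACCESS_LOG = """\
2024-03-01T09:02:11 staff17 cust1001 view
2024-03-01T09:05:40 staff17 cust1002 view
2024-03-01T10:11:03 staff42 cust1001 view
2024-03-01T10:12:15 staff42 cust2209 view
2024-03-01T10:12:50 staff42 cust2210 view
2024-03-01T10:13:22 staff42 cust2211 view
2024-03-01T10:14:01 staff42 cust2212 view
2024-03-01T10:14:30 staff42 cust2213 view
2024-03-01T11:30:00 staff88 cust1002 view
"""

# Constructed case assignments for the same period: staff_id -> customers worked with
ASSIGNMENTS = {
    "staff17": {"cust1001", "cust1002"},
    "staff42": {"cust1001"},
    "staff88": {"cust1002"},
}


def parse_log(text):
    """Return (staff_id, customer_id) pairs from the space-separated log."""
    rows = []
    for line in text.splitlines():
        _ts, staff, cust, _action = line.split()
        rows.append((staff, cust))
    return rows


def unjustified_accesses(rows, assignments):
    """Accesses to customers the staff member had no recorded work with."""
    return [(s, c) for s, c in rows if c not in assignments.get(s, set())]


def high_volume_staff(rows, z=1.0):
    """Staff whose access count exceeds the peer mean by z standard deviations."""
    counts = defaultdict(int)
    for s, _ in rows:
        counts[s] += 1
    vals = list(counts.values())
    threshold = mean(vals) + z * pstdev(vals)
    return sorted(s for s, n in counts.items() if n > threshold)
```

Flagged results are leads for a follow-up conversation, not proof of browsing: a legitimate reason (cover for a colleague, a referral) may simply be missing from the assignment records.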

Note that the Privacy Commissioner can investigate whether the storage and care of personal information complies with the Privacy Act. This could include systemic issues, such as inadequate security measures or a lack of effective workplace policies to protect personal information.

Storage and security

Organisations have an obligation to store personal information securely. System errors, scams, and employee browsing can all lead to a security failure.

A secure IT network will help protect the personal information your agency works with from hacks, viruses and malware. The Computer Emergency Response Team New Zealand (CERT NZ) is the best agency to go to for information about cybersecurity. It has produced cybersecurity guidance that will help you keep personal information safe in your network.

Internet NZ is also concerned with cybersecurity, among other issues. You can find out more about its firewall solution on its website.


Disposing of personal information

Agencies must not keep personal information for longer than they need it. If your agency is finished with personal information, you must dispose of it securely, whether it is in physical or digital form. Note, however, that you cannot destroy information that has been requested by the individual concerned and to which they are entitled (and it is an offence to do so).

Note also that public sector agencies have obligations to preserve records under the Public Records Act. For more information, contact Archives NZ.

Your agency is responsible for working out a practical solution for disposing of physical documents containing personal information. For example, shredding can be an effective way to dispose of paper records and photographs. Ask yourself what steps you would expect to be taken if the personal information was about you.

You should also securely delete personal information before you reuse or dispose of any electronic equipment such as computers and laptops, smartphones, tablets, hard drives, USB sticks, photocopiers, and cameras.


Further information

Read our Privacy breach guidelines - How to Prevent and Respond to Privacy Breaches