Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Print | Email this page

Two PAK’nSAVE stores found in breach of Privacy Act

Two PAK’nSAVE stores have been named by the Privacy Commissioner for breaching the Privacy Act. Both failed to have adequate oversight of their third-party providers who were providing security services to the stores. Read the Decision Note about this.

Breaches of the Privacy Act by C Park Traders Limited (formerly trading as PAK’nSAVE Clendon) and Hutchinson Bros Limited (trading as PAK’nSAVE Royal Oak), were notified to OPC in early 2025. They involved third-party security guards, engaged to work in the stores, with one incident also involving a store employee. The security guards shared images of customers, accompanied by allegations of theft or criminal activity. As a result, both individuals whose images were shared faced a heightened risk of harassment and reputational harm.

Privacy Commissioner Michael Webster said, “We found similar issues of concern where both stores did not meet expectations set out in the Privacy Act relating to the Storage and security of information.

“The decision to name the two individual stores is a significant step and was made because of the seriousness of the issues and their public interest. 

“Both stores lacked important safeguards that retailers should have in place when allowing third party providers access to sensitive information such as surveillance information,” said Mr Webster.

“Agencies engaging third-party agents who access or operate surveillance or loss-prevention technologies (such as CCTV) should ensure that privacy obligations are explicit, enforceable, and routinely monitored to prevent harm. That keeps information safe and maintains public confidence in how personal information is handled.

“It is rare for me to name agencies, but this serves as a reminder to businesses that outsourcing functions does not outsource accountability. When contractors handle personal information, the agency who has hired them must ensure that their privacy expectations are clear, enforceable, and actively managed.”

While the stores remain individually accountable for ensuring compliance with the Privacy Act, OPC was also working with Foodstuffs North Island Limited (as the Co-op lead for the two stores) to adopt remedial actions. These included carrying out training with store personnel (including security contractors) on privacy obligations and requiring stores to have written agreements in place with all contractors who process personal information on behalf of stores (including security).

Back to top