Privacy Breaches

It can be very upsetting to find a privacy breach and someone has shared your information. If this personal information was shared online, there are two main organisations that may be able to assist you under the law. Read on to find out more about the Acts and which organisation may better fit your situation if your privacy has been breached.   

Understanding the privacy breach laws

New Zealand is committed to protecting the privacy of individuals. It recognises both the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights that each protect a person’s right to privacy. As people increasingly submit more of their data – most likely without thinking – everyday there are two laws that may apply to you if your privacy has been breached. They are the Privacy Act and the Harmful Digital Communications Act.

The Privacy Act and the Office of the Privacy Commissioner

The Privacy Act governs how ‘agencies’ handle your personal information. There are 13 Privacy Principles that guide agencies on how to best handle information. In December 2020, the Act was updated to ensure organisations are protecting our privacy and better reflects the ways information is collected and stored. 

The Privacy Act does not cover personal information that is solely used for ‘personal or domestic affairs’ – except if the collection, use, or disclosure of the personal information would be highly offensive to a reasonable person. This meant that the privacy principles didn’t apply to people who were in a relationship, were members of the same family or shared a house.

The Office of the Privacy Commissioner (OPC) is an independent Crown Entity – it is funded by but separate from the Government – and has the responsibility to investigate complaints about privacy breaches. If an agency has breached one of the privacy principles, and they are unwilling to resolve the issue, you may want to contact the OPC for advice on what to do next.  

The Privacy Act 2020 introduces greater protections for individuals and some new obligations for businesses and organisations. The changes include the requirement to report serious privacy breaches to the Privacy Commissioner and to affected people. The Privacy Commissioner has new powers to help people access their own information and to require businesses and organisations to comply with the law. There are increased fines for organisations that don’t comply, and there are new rules when sending personal information overseas.

The Act often talks about an “agency” that collects information. While this can sound like a term that applies to companies or government department, an agency is in fact anyone.

“agency means any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector”

If you think that an agency isn’t playing fair with your information, you can ask the Privacy Commissioner to decide whether that agency has carried out “interference with privacy”.

If you make a complaint to the Privacy Commissioner and they decide that someone is interfering with your privacy they may take action on your behalf through the Human Rights Commission which has a number of options open to it in terms of settlement, including the award of damages of up to $200,000.

The Harmful Digital Communications Act and Netsafe 

The Harmful Digital Communications Act (HDCA) was passed in 2015 to help people dealing with serious or repeated harmful digital communications. It lays out 10 communication principles that guide how to communicate online. Two of the principles are related to privacy: 

• Communication Principle one states: A digital communication should not disclose sensitive personal facts about an individual; and 
• Communication Principle seven states: Contain a matter that is published in a breach of confidence

Netsafe has the responsibility to help resolve reports related to alleged breaches of the 10 communication principles. We are not an enforcement agency, but we do have a high resolution rate. 

What to do if you think your privacy has been breached?

If you think an agency has breached your privacy, you should contact them to discuss this. If that agency is a company or a government department, try contacting their Privacy Officer as a first step.  Be prepared to discuss which of the Privacy Principles you think has been breached, how you are aware of the breach, and what harm you have suffered as a result. If the agency is an individual you can try approaching them directly and ask them if they are prepared to do something to resolve the situation. Don’t threaten or abuse them.

Some of the other steps you can take include:

• Collect evidence of where you think there has been a privacy breach including screenshot and full URL and the dates when they were captured.
• If you are unable to resolve things yourself you can make a complaint to the Office of the Privacy Commissioner
• If the OPC does not think that your case warrants action, you can take a case to the Human Rights Review Tribunal yourself. However, you can only do this after the OPC investigates your complaint. Be sure to get a “Certificate of Investigation” from the Privacy Commissioner before contacting the Human Rights Review Tribunal.

Photos shared on social media

If a photo or video of yourself has been shared on social media, you can also report this directly to the platform – most major social media platforms have rules against sharing photos without permission. You can contact the main platforms using the details below: 

• Facebook 
• Instagram 
• Twitter   

FAQs

• Am I an “agency”? Any individual, company or department can be an agency
• Who will investigate if someone breaches my privacy? The Office of the Privacy Commisioner can carry out investigations to see whether an agency has interfered with privacy for any individual
• Is posting a picture of me a breach of my privacy? The quick answer is “perhaps but not necessarily.” If a picture is taken in a setting where someone could reasonably expect privacy then publishing it could be a breach of your privacy if they have not sought your permission to do so. However, if your picture is taken in a public place, like a park or on the street, then it is not likely to be seen as a breach of your privacy.

More advice and information

• Netsafe’s advice on what to do in a data breach
• If you are concerned that there has been a data breach from a computer system you should read the following advice from: 
  • The Office of the Privacy Commissioner 
  • CERT NZ – a taskforce that helps individuals and businesses affected by cybersecurity incidents  
• Universal Declaration of Human Rights

CONTACT NETSAFE

If you’re concerned about the immediate safety of you or someone else, please call 111. If you want help or expert incident advice, you can contact us. Our service is free, non-judgemental and available seven days a week.

• Email [email protected]
• Call toll free on 0508 NETSAFE (0508 638 723)
• Online report at netsafe.org.nz/report
• Text ‘Netsafe’ to 4282

KEEP UP TO DATE

Follow us on social media and sign up to our newsletter for alerts, news and tips.