SecurityPolicy.com.au
Home/ New Zealand/ Policy Library/ Data breach response policy for New Zealand businesses
New Zealand Policy Library Policy template Reviewed 2026-07-13

Data breach response policy for New Zealand businesses

6
factors that section 113 requires in a serious-harm assessment
72 hours
OPC's ideal notification window after awareness of a notifiable breach
NZD 10,000
maximum fine for failing without reasonable excuse to notify OPC
13
numbered core Information Privacy Principles in the Privacy Act framework
Why this guide exists

Questions are ordered from the purpose and scope of a breach-response policy through breach identification, containment, serious-harm assessment and notification, then the records, roles, review processes and common errors that determine whether a New Zealand SME responds lawfully and effectively.

What is a data breach response policy, and why does a New Zealand business need one?

A data breach response policy sets the authority, roles and minimum actions for identifying, containing, assessing, notifying, recording and learning from a privacy breach. It should connect the organisation's cyber incident response process with its Privacy Act duties, because not every cyber incident involves personal information and not every privacy breach is caused by hacking. Under the Privacy Act 2020, a privacy breach includes unauthorised or accidental access, disclosure, alteration, loss or destruction of personal information, and an incident that prevents the organisation from accessing it temporarily or permanently. New Zealand law does not prescribe one universal document title or template for every private business, but the Act imposes mandatory notification duties when a breach reaches the serious-harm threshold. OPC recommends a breach management plan that is tested through scenarios, and Own Your Online recommends a short, accessible incident response plan identifying who will do what. A proportionate SME policy should therefore define escalation, containment, serious-harm assessment, parallel cyber and sector reporting, affected-person communications, evidence preservation and post-incident improvement.

How this differs by situation
  • all businesses holding personal information — Maintain a documented process that can identify privacy breaches and assess whether the serious-harm notification threshold is met.
  • small business — Use a short operational plan, current contacts, clear decision authority and an accessible offline copy.
  • regulated or contracted organisation — Add sector, insurer, customer and supplier reporting duties without treating them as substitutes for Privacy Act notification.
  • privacy and cyber response — Coordinate the two processes while making separate decisions for OPC, affected people, NCSC and other recipients.
PUT THIS IN YOUR POLICY, EXACTLY

We maintain a data breach response policy and an operational breach plan covering detection, immediate escalation, containment, evidence preservation, serious-harm assessment, notification, communication, recovery and review. The plan applies to accidental and deliberate breaches involving personal information in electronic, physical or verbal form, including loss of access caused by ransomware. It identifies decision authority, current contacts and alternate personnel and is available when normal systems are unavailable.

What counts as a privacy breach, and when does the serious-harm threshold apply?

A privacy breach is broader than stolen data. It can arise from an email or document sent to the wrong person, employee browsing, lost paper records, misconfigured cloud storage, unauthorised alteration, deletion, hacking, phishing, ransomware or any action that makes personal information unavailable. The incident can be accidental or deliberate, internal or external, ongoing or already contained. A breach becomes a notifiable privacy breach when it is reasonable to believe that it has caused serious harm to an affected individual or is likely to do so. The New Zealand threshold is therefore the Privacy Act's serious-harm test; it is not Australia's eligible-data-breach scheme and does not use Australia's 30-day assessment framework. A business should assess the threshold promptly but should still contain, investigate and record a breach that is not notifiable. The decision should focus on harm to individuals, not only cost or reputational harm to the organisation.

How this differs by situation
  • privacy breach — Any covered loss of confidentiality, integrity or availability of personal information, whether accidental, malicious, internal or external.
  • notifiable privacy breach — A breach reasonably believed to have caused serious harm to an affected individual or to be likely to do so.
  • non-notifiable breach — Contain, investigate, record and remediate even when the serious-harm threshold is not met.
  • affected individual — Assess actual and potential effects on the person, including vulnerability and cultural perspectives of harm.
PUT THIS IN YOUR POLICY, EXACTLY

A suspected privacy breach must be escalated whenever personal information may have been accessed, disclosed, altered, lost, destroyed or made unavailable without authority or by accident. The privacy officer will determine whether it is reasonable to believe that the breach has caused serious harm to an affected individual or is likely to do so. The absence of confirmed misuse, financial loss or malicious intent does not by itself establish that the breach is non-notifiable.

How should the business detect and contain a data breach?

Staff, contractors and service providers need a simple route for immediately reporting misdirected information, lost devices or files, unexpected access, suspicious account activity, phishing, ransomware, unusual exports and customer reports. Monitoring should alert on activity relevant to the organisation's actual risks, but detection is also a people and process responsibility. Once reported, the response lead should confirm whether personal information may be involved, open an incident record and take proportionate steps to stop further access, disclosure, alteration or loss. Containment may include recalling an email, asking a trusted unintended recipient to securely delete information, disabling an account, revoking tokens, isolating a device, restricting a cloud share, blocking downloads, preserving logs or protecting backups. Containment and serious-harm assessment should proceed in parallel. Do not destroy evidence by wiping, rebuilding or powering down systems without technical advice. If imminent physical harm is possible, OPC says to call Police on 111 before reporting through NotifyUs.

How this differs by situation
  • detection — Provide staff and external reporting channels and monitor for unusual access, disclosure, export, alteration and service unavailability.
  • immediate containment — Stop further exposure while preserving information needed to determine cause, scope and harm.
  • evidence preservation — Protect logs, messages, devices, access records and decision records from avoidable alteration or deletion.
  • imminent-harm case — Call Police on 111 immediately where the breach may place an individual in imminent danger, then continue privacy notification.
PUT THIS IN YOUR POLICY, EXACTLY

All personnel and service providers must immediately report a suspected loss, unauthorised access, disclosure, alteration, destruction or unavailability of personal information. The response lead will open an incident record, identify the information and people potentially affected, and direct proportionate containment. Systems, devices, logs and communications that may be evidence must not be deleted, wiped, rebuilt or powered off without technical approval. Containment and notification assessment will occur concurrently and will be updated as facts change.

How do we assess serious harm using the section 113 factors?

Section 113 requires the organisation to consider six categories: action already taken to reduce the risk of harm; whether the information is sensitive; the nature of the harm that may occur; the person or body that has obtained or may obtain the information, if known; whether the information was protected by a security measure; and any other relevant matters. Apply those factors to each affected group rather than producing one undifferentiated score. Consider the type, amount and combination of information; whether credentials, identity documents, health, financial, family-violence, location or children's information is involved; whether encryption or deletion can still be trusted; the recipient's intentions and ability to misuse it; how widely it spread; and the vulnerability and circumstances of affected people. OPC says cultural perspectives may also be relevant. Document facts, assumptions, uncertainties, mitigation and the decision. Reassess when new information emerges: a breach initially judged non-notifiable can later become notifiable.

How this differs by situation
  • risk-reduction actions — Consider how quickly and effectively the organisation recalled, deleted, isolated, blocked or otherwise contained the information.
  • information and potential harm — Assess sensitivity, combinations of data and plausible physical, financial, identity, emotional, employment, cultural or safety effects.
  • recipient and protection — Consider who obtained or may obtain the information and whether encryption or another measure remains effective.
  • other relevant matters — Include affected-person vulnerability, scale, duration, ongoing access, public availability and any new facts.
PUT THIS IN YOUR POLICY, EXACTLY

The privacy officer must complete and retain a serious-harm assessment for every material privacy breach. The assessment must address each section 113 factor: mitigation already taken, information sensitivity, the nature of possible harm, the known or possible recipient, effective security protections and any other relevant matter. The assessment must identify affected groups, facts, assumptions, uncertainties and reasons for the notification decision and must be repeated whenever material information changes.

When and how must we notify OPC and affected individuals?

Once the organisation becomes aware that a notifiable privacy breach has occurred, section 114 requires notification to the Privacy Commissioner as soon as practicable. Section 115 separately requires affected individuals to be notified as soon as practicable, unless public notice is required because individual notification is not reasonably practicable or a statutory exception or permitted delay applies. OPC's operational guidance says the Commissioner should ideally be notified within 72 hours after awareness of a notifiable breach, even if investigation is continuing. The 72 hours is guidance for prompt notification; the statutory wording is 'as soon as practicable'. Use OPC's NotifyUs tool and provide available information incrementally rather than waiting for every fact. NotifyUs includes a self-assessment tool, but OPC says the organisation remains responsible for the legal decision. A cyber report to NCSC does not satisfy the separate OPC and affected-person duties.

How this differs by situation
  • Commissioner notification — Use NotifyUs as soon as practicable; OPC says ideally within 72 hours after awareness of a notifiable breach.
  • affected-person notification — Notify affected individuals as soon as practicable unless public notice, an exception or a permitted delay applies.
  • incremental reporting — Submit available information promptly and update OPC as the investigation establishes more facts.
  • parallel reporting — Assess NCSC, Police, bank, insurer, customer and sector duties separately; one report does not replace another.
PUT THIS IN YOUR POLICY, EXACTLY

When it is reasonable to believe that a breach has caused serious harm to an affected individual or is likely to do so, we will notify the Privacy Commissioner through NotifyUs and notify affected people as soon as practicable. We aim to notify OPC within 72 hours after becoming aware that the breach is notifiable, without delaying for a completed investigation. Available information will be provided immediately and updated incrementally. Reporting to NCSC, Police, an insurer, a customer or another regulator does not replace Privacy Act notification.

What must the notification contain, and when can individual notification be withheld, replaced or delayed?

A notification to OPC must describe the breach, including the number of affected people if known and the identity of any suspected holder of the information if known; explain the actions taken or planned; state whether affected people have been or will be contacted; explain reliance on public notice, an exception or a delay; identify other agencies contacted and why; and provide an organisational contact. Affected-person notification must describe the breach, explain the response, provide practical harm-reduction steps where possible, confirm that OPC has been notified, explain the right to complain and give a contact person. It must not disclose details about other affected individuals. If direct notification is not reasonably practicable, public notice is required. Section 116 contains limited exceptions relating to national security or international relations, law enforcement and fair trial, safety, trade secrets, specified interests of a person under 16 and likely prejudice to an individual's health. Notification to individuals may also be delayed where notification itself creates greater information-security risks, but that delay does not permit delaying notification to OPC.

How this differs by situation
  • OPC notification — Describe scope, suspected recipient, response, affected-person communication, exceptions or delay, other agencies and a contact person.
  • affected-person notification — Explain the breach, organisational response, protective steps, OPC notification, complaint rights and a contact point.
  • public notice — Use where notifying each affected individual is not reasonably practicable and do not identify affected individuals.
  • exception or delay — Use only on reasonable statutory grounds, document the basis and notify later if circumstances change and serious-harm risk remains.
PUT THIS IN YOUR POLICY, EXACTLY

Notifications must be accurate, useful and limited to the information authorised by the Privacy Act. OPC notifications will include the known scope, suspected recipient, response actions, affected-person notification status, reliance on public notice or section 116, other agencies contacted and an organisational contact. Affected-person notices will describe the breach and response, provide practical protection steps, confirm OPC notification, explain complaint rights and provide a contact. Any public notice, exception or delay requires documented reasonable grounds and ongoing review. Notification to OPC must not be delayed under section 116.

What records, roles and response-team arrangements should the policy require?

Every New Zealand business or organisation should have a privacy officer, and that person should lead or oversee the serious-harm assessment and Privacy Act notifications. The response team should also identify an incident lead, technical lead, information or system owner, legal adviser where needed, communications lead and business-continuity representative. Small businesses may combine roles, but decision authority and alternates should remain clear. Start a contemporaneous incident record at first report. It should capture discovery time, the people and information potentially affected, systems and suppliers involved, containment, evidence, section 113 analysis, decisions, approvals, notifications, communications, recovery and corrective actions. OPC's breach management guidance expects an incident log covering actual breaches and near misses. Preserve records even where a breach is assessed as non-notifiable, because the organisation may need to explain its reasoning, identify recurring weaknesses or update the decision if facts change.

How this differs by situation
  • privacy officer — Oversees serious-harm assessment, Privacy Act notification and liaison with OPC.
  • incident and technical leads — Coordinate decisions, containment, evidence, investigation, recovery and status reporting.
  • legal, communications and business leads — Support lawful messaging, affected-person assistance, contractual duties and continuity.
  • incident record — Maintain a dated chronology, evidence index, assessment, decisions, notifications, near misses and corrective actions.
PUT THIS IN YOUR POLICY, EXACTLY

The privacy officer owns the Privacy Act assessment and notification process. The incident lead coordinates the response; the technical lead directs containment, evidence preservation and recovery; and designated legal, communications, information-owner and continuity roles support the response. A contemporaneous breach record must begin at first report and document the timeline, affected information and people, evidence, containment, section 113 assessment, decisions, approvals, notifications, communications, recovery and corrective actions. Actual breaches and near misses must be recorded, including non-notification reasons.

What should happen after the incident to prevent another breach?

Once immediate harm is controlled, conduct a structured review of both the breach and the response. Reconstruct the timeline and identify the technical, human, process, supplier and governance causes. Assess whether collection, access, retention, disclosure, security, training, monitoring, contracts, backups and escalation contributed. Review whether containment was timely, the serious-harm assessment was supported, notification was prompt and useful, and affected people received practical help. OPC says breach management should include reflection and should inform the privacy work programme; its own response plan calls for a post-breach review identifying weaknesses and recommendations for revisions or training. Convert findings into assigned corrective actions with priorities, owners, due dates and evidence. Update the risk register, information inventory, supplier requirements, policy, playbooks and training, and test the revised response through a realistic exercise.

How this differs by situation
  • incident review — Assess cause, chronology, control performance, decision quality, communication and impact on affected people.
  • corrective action — Assign every improvement an owner, priority, due date and closure evidence.
  • policy and control update — Update safeguards, supplier terms, escalation, notification templates, training and records.
  • retest — Exercise the revised plan and confirm that both privacy and technical improvements work.
PUT THIS IN YOUR POLICY, EXACTLY

After every material breach and significant near miss, the response lead will conduct a documented review covering cause, timeline, containment, serious-harm assessment, notification, communications, recovery and effects on affected people. Corrective actions must have an owner, priority, due date and closure evidence. The organisation will update relevant policies, systems, supplier controls, training and response materials and will test the revised process through a scenario exercise.

What are the common gaps in New Zealand SME data breach response?

Common gaps include treating only hacking as a privacy breach; failing to recognise ransomware-related unavailability, employee browsing or accidental email disclosure; waiting for complete forensic certainty before assessing notification; treating OPC's 72-hour guidance as either an absolute statutory deadline or something that can be ignored; notifying OPC but not affected people; relying on a supplier to make the customer's legal decision; failing to record non-notifiable breaches and near misses; assessing organisational embarrassment rather than harm to individuals; overlooking cultural perspectives and vulnerable people; using generic messages without practical protection steps; assuming an NCSC report satisfies OPC, Police, bank, insurer or sector reporting; and importing Australia's OAIC, 30-day assessment or eligible-data-breach terminology into a New Zealand policy. Sector obligations also require care: RBNZ's 72-hour material-cyber requirement applies to registered banks, non-bank deposit takers and insurers, while FMA duties apply to specified licence holders and material operational events. TICSA is specific to telecommunications network operators and is not a universal SME privacy-breach regime.

How this differs by situation
  • identification gaps — The organisation overlooks accidental, internal, physical, integrity or availability breaches.
  • assessment gaps — The serious-harm decision is undocumented, delayed, organisation-centred or not revisited.
  • notification gaps — OPC, affected people, NCSC and sector or contractual recipients are incorrectly treated as one pathway.
  • jurisdiction gaps — Australian breach terms, clocks and regulators are copied into a New Zealand policy.
PUT THIS IN YOUR POLICY, EXACTLY

We will apply the New Zealand Privacy Act serious-harm test and will not use Australian eligible-data-breach terminology, OAIC processes or a 30-day assessment period as New Zealand law. We will assess accidental, internal, physical, cyber and availability incidents; document all material decisions; notify OPC and affected people separately where required; and assess NCSC, Police, bank, insurer, customer and sector obligations in parallel. Supplier involvement does not transfer our responsibility for the notification decision.

What's my next step?

Common misconceptions

  • Only malicious hacking counts as a privacy breach. The Privacy Act also covers accidental access or disclosure, alteration, loss, destruction and temporary or permanent loss of access. VERIFIED
  • Every privacy breach must be notified. Notification is mandatory when the breach meets the serious-harm threshold, although other breaches should still be contained, recorded and remediated. VERIFIED
  • The New Zealand test is the Australian eligible-data-breach test. New Zealand uses the Privacy Act 2020 notifiable-privacy-breach definition and section 113 serious-harm factors. INFERRED
  • New Zealand law gives organisations a general 30-day period to decide whether to notify. No equivalent Australian-style 30-day assessment period appears in the New Zealand Privacy Act notification provisions. INFERRED
  • The Privacy Act states an absolute 72-hour statutory deadline. The Act says as soon as practicable; OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach. VERIFIED
  • An organisation should wait for a completed investigation before notifying OPC. The Act allows information to be supplied incrementally, and OPC says to notify even while investigation continues. VERIFIED
  • Notifying OPC automatically satisfies the duty to tell affected people. Commissioner and affected-person notifications are separate statutory duties. VERIFIED
  • A report to NCSC replaces Privacy Act notification. NCSC cyber reporting and Privacy Act notifications serve different purposes and must be assessed separately. INFERRED
  • A service provider is solely responsible for a breach involving the organisation's information. The organisation must still assess its Privacy Act responsibilities and contractual allocation. INFERRED
  • If direct notification is difficult, the organisation can simply omit it. Section 115 generally requires public notice where individual notification is not reasonably practicable. VERIFIED
  • Section 116 allows an organisation to delay notifying OPC. Its delay provision applies to affected-person or public notification, not notification to the Commissioner. VERIFIED
  • RBNZ, FMA and TICSA reporting rules apply to every New Zealand SME. They are sector-specific overlays and do not replace the Privacy Act duties of an organisation within scope. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Privacy Act 2020 IPP 5 reasonable security safeguards Office of the Privacy Commissioner The organisation holds personal information. Ongoing while information is held and whenever systems, suppliers, uses, access or risks change.
Notify the Privacy Commissioner of a notifiable privacy breach Office of the Privacy Commissioner It is reasonable to believe that a privacy breach has caused serious harm to an affected individual or is likely to do so. As soon as practicable after becoming aware that a notifiable privacy breach has occurred; OPC says ideally within 72 hours. Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine not exceeding NZD 10,000.
Notify affected individuals or give public notice Office of the Privacy Commissioner A notifiable privacy breach has occurred, subject to section 115 public-notice rules and section 116 exceptions or permitted delay. Notify affected individuals as soon as practicable; if individual notification is not reasonably practicable, give public notice unless an exception or permitted delay applies. Failure to notify an affected individual or give required public notice may be an interference with privacy.
Provide required notification information Office of the Privacy Commissioner The organisation notifies OPC, an affected individual, a representative or the public about a notifiable privacy breach. Provide available required information as soon as practicable and supply additional information incrementally as it becomes available.
Appoint a privacy officer Office of the Privacy Commissioner The entity is a New Zealand business or organisation that is an agency under the Privacy Act. Maintain at least one person performing the privacy-officer role on an ongoing basis.
Report a cyber incident to NCSC National Cyber Security Centre A cyber incident such as unauthorised access, malware, ransomware or a data breach requires assistance, referral, recovery guidance or voluntary reporting; no universal statutory trigger applies to every private SME. Report as early as practical through https://www.ncsc.govt.nz/report/; assistance is available on 0800 114 115.
RBNZ material cyber incident reporting Reserve Bank of New Zealand A material cyber incident affects a registered bank, non-bank deposit taker or insurer covered by the RBNZ requirement. As soon as practicable and within 72 hours.
FMA material operational or critical-technology incident reporting Financial Markets Authority A covered market-services licence holder determines that an event materially affects service supply or the operational resilience of critical technology systems. As soon as possible and no later than 72 hours after determining that the event is material.
TICSA network-operator obligations National Cyber Security Centre and New Zealand Police The organisation is a network operator or telecommunications provider within TICSA and the relevant registration or proposed-network-change requirements apply. Register within three months after becoming a network operator and notify qualifying proposed network changes in accordance with TICSA processes; these are not general privacy-breach notification clocks.

Sources

  1. Privacy Act 2020 primary
  2. Privacy Act information privacy principles primary
  3. Privacy Act Principle 5 — Storage and security of information primary
  4. Sorting out privacy breaches primary
  5. NotifyUs of a serious privacy breach primary
  6. NotifyUs privacy-breach self-assessment primary
  7. Poupou Matatapu — Breach Management primary
  8. Office of the Privacy Commissioner privacy breach response plan primary
  9. Information for privacy officers primary
  10. Report a cyber security issue primary
  11. NCSC incident response services primary
  12. NCSC and CERT NZ integration now complete primary
  13. Create an incident response plan primary
  14. If you have had an online security incident primary
  15. Own Your Online — Get help now primary
  16. RBNZ cyber resilience for regulated entities primary
  17. FMA operational and critical-technology incident reporting primary
  18. About TICSA network security primary
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.