Purpose
To ensure the organisation responds to privacy breaches in a timely, lawful manner — including mandatory notification to the Privacy Commissioner and affected individuals where required.
Scope
All staff who become aware of a potential privacy breach. The Privacy Officer leads the response.
Procedure steps
Identify & contain
Stop the breach if possible (recall email, revoke access, retrieve documents). Preserve evidence — do not delete anything.
Assess the breach
Determine what information was affected, how many people are affected, how serious the harm is, and whether the breach was intentional. Complete your breach assessment form.
Notify Privacy Commissioner
If the breach has caused or is likely to cause serious harm, notify the Privacy Commissioner as soon as practicable using Form 15 on privacy.org.nz. Do not delay beyond 72 hours if serious.
Notify affected individuals
Notify individuals whose information was breached if it is reasonable and practicable to do so, and if notification could help them take protective action.
Document everything
Record the date the breach was discovered, the nature of the breach, the information affected, the people notified, and the actions taken. Retain records for 7 years minimum.
Review & remediate
Conduct a post-breach review within 30 days. Identify the cause and implement controls to prevent recurrence.
Legislation
| Provision | Requirement |
| --- | --- |
| Privacy Act 2020 s112 | A notifiable privacy breach is one that has caused, or is likely to cause, serious harm to an affected individual |
| Privacy Act 2020 s113 | The agency must notify the Privacy Commissioner of a notifiable privacy breach as soon as practicable |
| Privacy Act 2020 s114 | The agency must notify affected individuals of a notifiable privacy breach |
📋 Customise before use — Add your Privacy Officer name, internal breach register location, and your organisation's data map reference.