Home | Browse Topics | Individual rights & freedoms | Privacy and information | Requirements about storing information and keeping it secure

Individual rights & freedoms

Requirements about storing information and keeping it secure


Storage and security of information

Privacy Act 2020, s 22, principle 5

A government agency, business or other organisation that holds information about you must make sure that reasonable security safeguards are in place to protect the information against:

  • being lost
  • being accessed, used, changed or released without the organisation’s permission
  • being misused in any other way.

If the organisation needs to give the information to a contractor or someone else who provides a service to the organisation, the organisation must also make sure everything reasonable is done to prevent the information being used or disclosed without authorisation.

The steps that an organisation will need to take to keep your information secure will usually depend on the type of information. For example, an organisation will usually need to protect its databases with anti-virus software, and protect its physical premises from burglary or theft by having a monitored alarm.

What happens if there is a privacy breach?

Privacy Act 2020, ss 112-118

One of the biggest changes in the Privacy Act 2020 is that organisations now have obligations to let people know if there has been a “notifiable privacy breach”. This means that if breach has caused (or is likely to cause) serious harm to someone, the organisation must tell the individual whose privacy was breached, and the Privacy Commissioner.

An organisation has to consider the following before deciding if the privacy breach is likely to cause serious harm:

  • any action taken by the organisation to reduce the risk of harm following the breach
  • whether the personal information is sensitive in nature
  • the nature of the harm that may be caused to affected individuals
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known)
  • whether the personal information is protected by a security measure
  • any other relevant matters.

When deciding if a privacy breach is likely to cause serious harm, organisations should get independent legal advice. If an organisation fails to notify the Privacy Commissioner of a “notifiable privacy breach”, they can be fined up to $10,000.

Did this answer your question?

Privacy and information

Where to go for more support

Community Law


Your local Community Law Centre can provide initial free legal advice and information.

Office of the Privacy Commissioner

Website: www.privacy.org.nz
Phone: (04) 474 7590 or freephone 0800 803 909
Email: enquiries@privacy.org.nz

For complaints, You can submit a complaint online using the online self-assessment form, ring the 0800 number above or send an email.

Mental health and addiction pamphlet


“What happens to your mental health and addiction information” – available from the Ministry of Health website.

This pamphlet gives you details of how and why consumer information is collected by PRIMHD (Programme for the Integration of Mental Health Data). It also looks at who uses the information, and the privacy rights of consumers under the Health Information Privacy Act 1993.

Also available as a book

The Community Law Manual

The Manual contains over 1000 pages of easy-to-read legal info and comprehensive answers to common legal questions. From ACC to family law, health & disability, jobs, benefits & flats, Tāonga Māori, immigration and refugee law and much more, the Manual covers just about every area of community and personal life.

Buy The Community Law Manual

Help the manual

We’re a small team that relies on the generosity of all our supporters. You can make a one-off donation or become a supporter by sponsoring the Manual for a community organisation near you. Every contribution helps us to continue updating and improving our legal information, year after year.

Donate Become a Supporter

Find the Answer to your Legal Question

back to top