The New Zealand Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner (OAIC) have commenced a joint privacy investigation into the 12 March Latitude Financial data breach.
This decision follows preliminary inquiries into the matter by both offices.
This is the first joint privacy investigation by Australia and New Zealand and reflects the impact of the data breach on individuals in both nations.
The breach, New Zealand’s largest, has seen millions of New Zealanders’ and Australians’ records exposed, including drivers’ licenses, passports and sensitive financial data including personal income and expense information.
The joint investigation will allow the use of both agencies’ resources. The structure of the investigation does not preclude the OAIC and OPC reaching separate regulatory outcomes or decisions regarding the most appropriate regulatory response to a breach.
The OAIC and OPC’s investigation will focus on whether Latitude took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.
The investigation will also consider whether Latitude took appropriate steps to destroy or de-identify personal information that was no longer required.
Deputy Privacy Commissioner Liz MacPherson says the investigation will focus on
how the hackers gained entry to Latitude Financial’s systems
how long they were inside before they were noticed
what Latitude’s staff did when they discovered the attack
the retention of information held by Latitude, and
the security and storage of that information within its IT systems.
“This is a significant attack with an appalling result. I want to thank the affected customers who have been in contact with us so far. Thank you for your patience and for sharing your experiences with us,” says Liz MacPherson.
“There is a human cost to a breach. We have former customers of Latitude who took a loan to buy a fridge about 15 years ago and now part of their identity is being held for ransom. We will be asking the same questions these customers are. Could Latitude have done anything to prevent the hackers getting in and stealing information? What reasons does Latitude have for holding onto the personal information of past customers for such long periods?”
“I also expect this breach has caused emotional stress for staff and the Board at Latitude Financial and I thank them for their constructive engagement with us to date,” says Liz.
A compliance investigation enables the Office of the Privacy Commissioner to use its full information gathering powers including obliging people to provide information and summoning witnesses.
“This information will help us to establish whether Latitude’s actions or inaction enabled the cyber-criminals and contributed to the scope and impact of the breach. Establishing these facts will be critical to our ability to make decisions about the individual complaints that are made to us by impacted Latitude customers,” says Liz.
“We are still encouraging affected customers to contact Latitude Financial and ID Care for support first. They have made commitments to assist impacted customers. If you complain to Latitude and you haven’t heard back from them within 30 working days, then we encourage affected customers to make a complaint to us.”
Liz says, “we won’t start assessing individual complaints until we have completed our compliance investigation, but we want to get a sense of the number of people affected and the issues people are facing.
“We are expecting this investigation to be wide-ranging and we need to be able to assign investigators accordingly and plan how to meet the needs of affected customers. We also want to know the types of impact and harm people have suffered because of this breach (e.g. examples of harm like identity theft, credit difficulties, undue stress etc).
“We have set up an email for affected customers to contact our team easily. Can you please contact us at latitude.breach@privacy.org.nz”
The Office of the Privacy Commissioner has been working with the Office of the Australian Information Commissioner (OAIC) throughout the early stages and will continue to do so during the compliance investigation.
“As this investigation is now active no further comments will be made on it until it is concluded. When the OPC finishes its investigation, we will give an update, so please keep in contact with us.”
Anyone coming across the Latitude Financial data should take care.
“Do not access it. Do not spread it. Do not share it. Report it to the New Zealand Police. Report it to us or you can report it to CERT. No one should contribute to its dissemination and increase the anxiety and distress of the affected individuals.”
Individuals should be on the lookout for anything out of the ordinary.
“Be hyper vigilant. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source.”
If people would like to know more about steps they could take to protect themselves from privacy breaches, they can follow this link: https://privacy.org.nz/resources-2/protecting-yourself-from-a-privacy-breach/
Timeline:
Latitude Financial informs the OPC it was breached on March 16.
The Office of the Privacy Commissioner starts its preliminary enquiries into the breach including working with the OAIC.
The NZ Office of the Privacy Commissioner and the Office of the Australian Information Commissioner commence a joint compliance investigation into Latitude on 9 May.
Facts:
Latitude Financial Services Limited NZ provides a wide range of financial and (limited) insurance services to customers across New Zealand via Gem Finance and Gem Visa and several subsidiary groups.
Latitude Financial Services Limited NZ is a subsidiary of Latitude Holdings based in Australia. As such we will continue to work closely with the OAIC as our investigation progresses.
Latitude Financial has estimated that 14 million NZ and Australian customer records have been exposed because of the 12 March attack, of which around 1.08 million are NZ customer records.
The 1.08 million NZ customer records include around 1.037 million driver licence records, around 40,000 passport records and sensitive income and expense information. The income and expenditure information was submitted as part of a personal loan application process.
The Privacy Act 2020 places responsibility on Latitude for keeping personal information data secure.
The OPC’s regulatory role is to understand whether reasonable steps to keep personal data secure have been followed, including appropriate data retention practices, and to monitor Latitude’s response to the cyber-attack breach.
The difference between preliminary inquiries, a compliance investigation and a complaint investigation
Preliminary inquiries allow us to ask questions and assess the situation. Agencies provide information voluntarily.
A compliance investigation is undertaken under Part 6 of the Privacy Act 2020. It is designed to allow the Privacy Commissioner to hear or obtain information from any person he considers may have relevant information, to enable him to decide whether to issue a compliance notice to an agency for breaching the Privacy Act. A compliance notice requires an organisation to do something, or to stop doing something, in order to comply with the Privacy Act. A compliance investigation can be used to inform the investigation of individual complaints where there are multiple complaints of the same nature.
A complaint investigation is undertaken under Part 5 of the Privacy Act 2020. These investigations are focussed on the harm caused to the individual by a privacy breach and seek to resolve the complaint, including through compensation or redress.
Privacy Week 2025 is a series of free webinars promoting privacy awareness. Our 2025 theme is Privacy on Purpose, which invites speakers to present on the need for businesses, organisations, and individuals to be purposeful with their privacy. Doing privacy well is a business advantage, not just a tick-box exercise.
Register now and be reminded
You can register for any webinars you’re interested in using the link in the webinar description. There are limited spaces so we recommend registering early to ensure your place.
All webinars will be hosted through Zoom. After the webinar, all attendees will receive an email, which can be used as proof of attendance for CPD.
We try to facilitate a resolution to individual privacy complaints wherever that is possible and appropriate in the circumstances of the case. There are a number of mechanisms in the Privacy Act that allow us to do this:
Section 77 of the Privacy Act says that at any time after receiving a complaint, and before investigating, the Commissioner may decide to use best endeavours to try to resolve a complaint and seek a reassurance from the agency concerned that the issue that led to the complaint has now been sorted.
Section 83 of the Privacy Act says that at any time during an investigation of a complaint (about any of the principles/rules), the Commissioner may decide to use best endeavours to secure a settlement of the complaint, and (if appropriate) a satisfactory assurance from the agency that there will not be a repetition of the action that gave rise to the complaint, or of any similar action.
Section 94(2) says that if the Commissioner determines a complaint (about anything other than access or charging) has substance, then the Commissioner must use best endeavours to secure a settlement of the complaint and an assurance from the agency that there will not be a repetition of the action that gave rise to the complaint, or of any similar action.
Section 91(3) says the same, about an access complaint. Where it is a complaint about charging, we will usually try to settle that under section 83 (if we can), but if we cannot, section 93(2) gives the Commissioner power to make a determination about the charge.
How do we use our ‘best endeavours’?
Usually, we do this by way of a conciliation meeting between the parties, facilitated by an OPC staff member. Conciliation is a dispute resolution process similar to mediation – the difference is that a conciliator is a subject matter expert. Where conciliation isn’t appropriate, in some cases we will act as the ‘go between’ in shuttle negotiations.
‘Best endeavours’ won’t look the same in every case. We have to take into account all the circumstances of the case, including the conduct and wishes of the parties and the resources of our Office, when determining what is appropriate in each case.
We take a pragmatic approach to resolving complaints, and where a complaint is about access to personal information we would not usually conciliate, or try to resolve the matter using shuttle negotiations. This is because a complaint about access is either resolved by the granting (by the agency concerned) of access to the information requested, or by us reviewing the withheld information, and forming a view on whether the agency has a proper basis for its decision to withhold that information. Due to the secrecy obligations we have under the Privacy Act we cannot discuss withheld information and it wouldn’t usually be appropriate for the agency concerned to meet with the complainant in these circumstances, because they can’t discuss the information withheld either. However, we have conciliated complaints about access to information in some cases – for example where it appears to us the parties are at cross purposes about the scope of a request and facilitating a conversation will allow them to understand each other and the agency to respond to a request.
If one party makes an offer to settle a complaint, we are obliged to put that offer to the other party. This does not mean that we approve or endorse the offer.
What’s a conciliation?
Conciliation is a form of alternative dispute resolution. It is similar to mediation, except the neutral third party has expertise in the issue in dispute. We have specially trained staff who can run this process.
We guide the conversation and help provide some structure, but the parties decide their own outcome. We are impartial, and we can’t compel an outcome, but we can give guidance on the Privacy Act if needed. We are also able to provide information on what might happen if the matter isn’t settled in the meeting.
What’s in it for me?
There are many benefits of resolving your complaint through conciliation – if we are able to achieve a settlement through this process it can help the parties to move forward and get some closure. It’s also an opportunity to ask the other party questions, human to human, to understand what went wrong and what impact that has had. It is particularly useful where there is an ongoing relationship between the parties.
How does this work in practice?
We have information about what the process looks like, and a conciliation preparation toolkit (opens to PDF, 187KB).
If both parties are willing to meet, we will work out who should attend and work out the logistics. These meetings usually take place by Zoom or in person, and take two to four hours, depending on the issues to be discussed. We tailor the process to the parties and we will make reasonable adjustments if any of the parties have communication, cultural, disability or other needs. You can also have a support person or lawyer attend to support you, but you do not need one.
To get the most out of your conciliation, you should be prepared to be open to hearing and trying to understand the other party’s perspective, speak openly about your own experience and be willing to be flexible about the outcome.
The content of the conversation will be confidential, but our Office may take what is discussed into account when we are considering the appropriate next steps for the file.
What does a ‘settlement’ look like?
There’s no formula for determining what a good resolution looks like: ultimately that’s up to the parties. An explanation and a heartfelt apology can go a long way to resolving a complaint.
Often complainants are seeking compensation, and in some cases that may be appropriate. We see all kinds of creative solutions though – that’s the beauty of getting people in the room and brainstorming to solve the problem together.
If we are able to reach a resolution of the complaint that will be documented in a settlement agreement, and both parties will have the opportunity to seek legal advice and contribute to the wording of the agreement.
If an agreement is reached, it will be in full and final settlement of the privacy complaint, and the matter can’t be pursued further in the Human Rights Review Tribunal.
What happens if we don’t settle?
If the conciliation meeting has not led to a resolution or a reasonable settlement offer, we will consider the appropriate next steps.
If we have notified under section 77, we may decide to formally investigate the complaint and form a view on whether there has been an interference with the complainant’s privacy. Alternatively, we may decide not to further consider the complaint if we consider this is unnecessary or inappropriate, or where, in the Commissioner’s opinion, one of the grounds for decline set out in section 74 applies.
If we are already investigating, we may make a finding about the substance of the complaint.
In appropriate circumstances the Commissioner may also consider taking additional steps available to him under the Privacy Act. This may include taking action under our Compliance and Regulatory Action Framework, referring the matter to the Director of Human Rights Proceedings or issuing an Access Direction.
If the agency has made a reasonable settlement offer, we will usually consider that the Commissioner’s involvement is no longer necessary. This is so even if the complainant doesn’t want to accept the offer. Our Office has limited resources, so where we consider there is a fair offer of resolution open for acceptance by the complainant, we will usually consider our further involvement is not necessary. Read an example of where this happened.
Whatever we decide, we will let the parties know as soon as practicable. If we decide to take no further action, we will close our file, and the complainant will have the right to take their complaint to the Human Rights Review Tribunal.
This issue includes a note that the Biometric Code consultation has now closed, and that the final version of the Code will likely be published mid-2025. It also includes policy advice for government agencies, Kordia research and what OPC said about that, the Global Privacy Assembly’s new comparison tables, and the delay of the UK’s adequacy review. We also announce a special guest for Privacy Week 2025. Read the March 2025 issue.
Our brochure covers New Zealanders’ privacy rights, what to do if your personal information is taken, and how to make a complaint to us. It also includes our contact details. We can send you free professionally-printed double-sided brochures in English and Te Reo if you email us at commsteam@privacy.org.nz
If you’d like a translation that you don’t see here, please get in touch at commsteam@privacy.org.nz.
Foodstuffs North Island have engaged constructively with the Office of the Privacy Commissioner on their trial of in-store facial recognition technology, including sharing with us their privacy impact assessment for comment. We prompted Foodstuffs North Island to carefully consider whether the use of facial recognition technology was a necessary, proportionate, and effective response to harmful behaviour in Foodstuffs stores. We also provided a range of other comments, including the importance of being transparent with shoppers about the use of facial recognition technology, and of proactively engaging with stakeholders, including Māori. We recognise Foodstuffs has a responsibility to take steps to keep customers and staff safe. However, it is not clear to our office how facial recognition technology is going to achieve this. As a result, we have been counselling caution given the privacy-intrusive nature of facial recognition technology and the inaccuracy and profiling risks involved.
An Office of the Privacy Commissioner (OPC) inquiry has found the Ministry of Social Development (MSD) systematically misused its investigatory powers while pursuing benefit fraud, unjustifiably intruding on the privacy of many beneficiaries.
The inquiry found MSD’s exercise of its information gathering powers to be inconsistent with legal requirements under the Social Security Act 1964 and the Privacy Act 1993. This failure has resulted in infringements of individual privacy, particularly in relation to the collection of information from third parties.
In the course of its inquiry, OPC interviewed beneficiaries and reviewed fraud investigation files provided by MSD. As a result, it saw cases where individual privacy was infringed. Examples included:
Failing to ask beneficiary clients for information before seeking it from a third party, leading to inaccurate assessments of the information;
Overly broad requests leading to the provision of unnecessary and sensitive information (in one case a woman’s birthing records);
Disproportionate and inappropriate requests for information (in some cases, every text message sent and received by an individual over lengthy periods).
Mr Edwards says the inquiry reviewed MSD files that contained text messages between parties in a relationship, sometimes of a sexual, familial or otherwise intimate nature.
“In one instance, a beneficiary described to us how MSD obtained, from a telecommunications company, an intimate picture shared by that individual with a sexual partner. The photograph was then produced at an interview by MSD investigators seeking an explanation for it.”
MSD has powers under section 11 of the Social Security Act (as regulated by a Code of Conduct) to collect “any information” about a person on a benefit in order to assess their entitlements – including retrospectively, as is the case with fraud investigations.
As well as the Privacy Act, MSD’s Code of Conduct required MSD to first seek information from a beneficiary client directly before seeking it from a third party, unless to do so would prejudice the maintenance of the law.
A change in practice
But in 2012, MSD advised its fraud investigation staff they could bypass the requirement to seek information directly from a beneficiary and instead go direct to third parties. MSD believed that an amendment to the Code enabled this.
The 2012 practice change resulted in MSD using its powers to collect large amounts of highly sensitive information about beneficiaries from third parties without approaching beneficiaries first. The information collected included text messages, domestic violence and other Police records, banking information and billing records from a range of providers.
MSD investigates thousands of fraud allegations a year. Of these, a large proportion result in no formal finding of fraud.
Mr Edwards said since 2012, MSD’s failure to first ask beneficiaries for information before approaching third parties has likely affected thousands of beneficiaries.
“Due to poor record keeping practices and inconsistencies between fraud teams, we have been unable to establish whether the Ministry has been bypassing beneficiaries in all fraud investigations or only those categorised as ‘high risk’. It is disappointing that MSD does not keep accurate records of when and how many section 11 notices are issued by its staff.”
Mr Edwards also noted MSD is required to review the Code every three years but had not done so since 2012.
Recommendations
The report makes five recommendations including that MSD immediately cease its blanket application of the ‘prejudice to the maintenance of the law’ exception when issuing section 11/schedule 6 notices.
It also recommends MSD undertake a comprehensive review of the Code and to develop training material and guidance for all its fraud investigation teams.
View the Privacy Commissioner’s Inquiry into the Ministry of Social Development’s Exercise of Section 11 (Social Security Act 1964) and Compliance with the Code of Conduct report
New research shows business leaders fear being on the hook for others’ privacy breaches
New research just out from Kordia shows 35% of business leaders said cyber-attacks or data leaks coming through third-party suppliers were their biggest business concern.
Privacy Commissioner Michael Webster says, “The law is very clear that when an agency outsources services to a third-party provider, the agency remains responsible for ensuring the data remains secure and used in a way that is compliant with the Privacy Act.
“At the end of the day, if your third-party provider has a privacy breach, it’s your problem as well,” he said.
Mr Webster says OPC isn’t alone in emphasising that privacy and security considerations need to be at the fore when using third-party providers.
“Kordia’s research backs up what we’ve long said; that businesses need to factor third parties into business continuity and cyber-response plans.
“It’s clear that more consideration needs to be given to these privacy issues and it’s not a case of out of sight out of mind and thinking a third-party provider has everything covered.
“You can’t outsource the responsibility of taking care of personal information.”
Mr Webster says it’s not just an issue for the private sector, with the recent PSC Inquiry and the Stats NZ report raising privacy issues linked to the use of third parties.
This research is yet more evidence that agencies need to pay more attention to privacy and cyber security risks when using third-party providers, and to make sure there’s a plan in place should that provider suffer a privacy or cyber breach.
The Office of the Privacy Commissioner has recently issued guidance to help agencies working with third-party providers understand their responsibilities in this area. It takes businesses through all the considerations they should make before engaging a third-party provider.