
What Happens When the Privacy Commissioner Comes Knocking — And How to Be Ready

Privacy complaints in NZ surged 21% last year. Here is how the Office of the Privacy Commissioner investigates and what evidence you need to have ready.

27 February 2026 14 min read By Good Security

Enforcement Activity Is Surging — And Most Businesses Are Not Ready

The short version: Privacy complaints surged 21% last year to nearly 1,600 cases, and the OPC closes 90% within six months. Five documents determine whether your investigation goes well or badly — and most businesses can prepare them in weeks. Request your Privacy Breach Readiness Report to find out where you stand. Read on for the full breakdown.

The numbers from the Office of the Privacy Commissioner's (OPC) most recent Annual Report tell a story that every New Zealand business owner should pay attention to. Serious breach notifications rose 43% to almost 600 in the 2024/25 financial year (OPC Annual Report 2024/25). Privacy complaints jumped 21% to nearly 1,600 cases — up from 1,003 the previous year (OPC Annual Report 2024/25). Many of those complaints involved unauthorised sharing of personal information by retailers, mishandled health data transfers, and algorithmic biases in lending decisions (OPC Annual Report 2024/25).

These are not abstract statistics. Behind every one of those 1,598 complaints is a real investigation, a real organisation scrambling to locate records, and a real assessment of whether that organisation met its obligations under the Privacy Act 2020. The question is not whether the Privacy Commissioner will investigate businesses in your sector. The question is whether you will be ready when it happens to you.

How the OPC Actually Investigates a Complaint

Most business owners have a vague sense that the Privacy Commissioner handles complaints, but few understand the mechanics of how an investigation unfolds. Knowing the process removes the uncertainty and allows you to prepare properly.

Step 1: Complaint received. Any individual can lodge a complaint with the OPC, typically online or by phone. The complaint does not need to be legally sophisticated — the OPC accepts complaints in plain language and helps complainants articulate their concerns. A complaint can also be initiated by the Commissioner on their own motion if a systemic issue comes to light.

Step 2: Initial assessment. The OPC reviews the complaint to determine whether it falls within jurisdiction and whether there is sufficient basis to proceed. Not every complaint leads to a full investigation. Some are outside the scope of the Privacy Act, and others are resolved through early contact with the organisation involved.

Step 3: Fast resolve track. For straightforward matters, the OPC operates a "fast resolve" process that managed approximately 1,200 cases in the most recent reporting year (OPC Annual Report 2024/25). This track focuses on achieving a practical resolution — often an apology, correction of records, or a change in practice — without a formal investigation. Organisations that respond quickly and cooperatively to fast resolve enquiries typically achieve better outcomes.

Step 4: Full investigation. Where the matter is more complex, involves systemic issues, or cannot be resolved informally, the OPC conducts a formal investigation. This involves written requests for information, interviews, review of internal documentation, and a detailed assessment against the relevant Information Privacy Principles. The organisation under investigation is given the opportunity to respond to the complaint and provide evidence of compliance.

Step 5: Determination and enforcement. Following investigation, the Commissioner can make findings, issue compliance notices (which are legally binding), or refer the matter to the Human Rights Review Tribunal. The OPC closed nearly 90% of complaints within six months in the most recent year (OPC Annual Report 2024/25), meaning that for most organisations, the investigation cycle from complaint to resolution is relatively swift.

What Evidence They Ask For

When the OPC contacts your organisation — whether through the fast resolve process or a formal investigation — they will request specific documentation. The organisations that respond effectively are those that have these materials already prepared and accessible. Those that scramble to assemble evidence under pressure inevitably present a weaker picture.

Personal data inventory or register. The OPC expects organisations to know what personal information they hold, where it is stored, who has access, and how long it is retained. If you cannot produce a current, complete data inventory, it signals a fundamental gap in your privacy governance.

Privacy impact assessments. For any significant processing activity — new systems, new data sharing arrangements, new products that handle personal information — the OPC looks for evidence that you assessed the privacy implications before proceeding. A privacy impact assessment demonstrates that you considered risks and implemented safeguards proactively, not reactively.

Breach response records. If the complaint relates to a privacy breach, the OPC will request your breach response documentation: when the breach was detected, what containment steps were taken, how affected individuals were notified, and what corrective measures were implemented. Under the Privacy Act 2020, organisations must notify both the OPC and affected individuals of breaches that pose a risk of serious harm.

Staff training records. The OPC regularly examines whether organisations have trained their staff on privacy obligations. This is particularly relevant in complaints involving human error — an employee sharing information they should not have, or failing to verify identity before disclosing records. Evidence of regular, documented privacy training demonstrates a culture of compliance.

Consent mechanisms and privacy notices. Where the processing relies on consent, the OPC will examine your consent collection mechanisms, privacy notices, and how clearly individuals were informed about how their data would be used.

Notification and decision logs. For breach notifications and access or correction requests, the OPC expects to see a documented trail of decisions — who decided what, when, and on what basis.

The Oranga Tamariki Lesson

The OPC's investigation into Oranga Tamariki (the Ministry for Children) provides one of the most instructive examples of enforcement under the Privacy Act 2020. The Privacy Commissioner described the privacy breaches as "grievous" (OPC enforcement action, Oranga Tamariki). The case involved systemic failures in how the agency handled sensitive personal information about children and families in its care.

What makes this case significant for other organisations is not the scale — Oranga Tamariki is a government ministry — but the nature of the failures identified. The investigation revealed breakdowns in basic data handling practices: information shared without adequate safeguards, insufficient controls over who could access sensitive records, and a lack of systematic privacy governance.

The lesson for private sector organisations is direct. The OPC applies the same Information Privacy Principles to a five-person accounting firm as it does to a government ministry. The principles are technology-neutral and scale-neutral. What matters is whether you have implemented reasonable safeguards appropriate to the sensitivity of the information you handle and the risks your processing creates.

Organisations that treat privacy as a compliance checkbox rather than an operational discipline are the ones most likely to face findings similar to Oranga Tamariki — not because they are acting in bad faith, but because they have not built the systems and habits that prevent failures from occurring.

No Fines Does Not Mean No Consequences

New Zealand is one of the few developed economies without a civil penalty regime for privacy breaches. Unlike Australia, where the Privacy Act imposes fines of up to A$50 million (approximately NZ$54 million) for serious or repeated interferences with privacy (Baker McKenzie, Australian Privacy Law Guide), New Zealand organisations do not face direct financial penalties from the Privacy Commissioner.

Australia's shift to meaningful penalties was direct cause and effect. The Optus data breach in September 2022 exposed 9.8 million customer records, and the Medibank breach the following month compromised 9.7 million records — including sensitive health claims data covering mental health, HIV status, and drug and alcohol treatment. Within weeks, the Australian Parliament passed legislation increasing maximum penalties from AUD $2.2 million to AUD $50 million or 30% of adjusted turnover (Privacy Legislation Amendment Act 2022). The Australian Information Commissioner has since filed civil penalty proceedings against both companies. Medibank's breach costs alone have exceeded AUD $126 million to date (iTnews, 2024). New Zealand's Privacy Commissioner has publicly cited Australia's enforcement trajectory as a model and is advocating for similar reform.

This absence of fines in New Zealand leads some businesses to underestimate the consequences of non-compliance. That is a serious miscalculation. The Privacy Act 2020 provides the Commissioner with several enforcement tools that carry real weight — and the reform trajectory is clear.

Compliance notices. The Commissioner can issue compliance notices requiring an organisation to take specific actions to remedy a breach or bring its practices into line with the Privacy Act. These notices are legally binding. Failure to comply with a compliance notice is an offence.

Human Rights Review Tribunal. The Commissioner can refer matters to the Human Rights Review Tribunal, which has the power to award damages to complainants. Critically, the Tribunal can award damages not only for financial loss but also for humiliation, loss of dignity, and injury to feelings. These awards can be substantial, and the proceedings are a matter of public record.

Criminal offences. Section 211 of the Privacy Act 2020 creates criminal offences including misleading an agency to obtain access to personal information and destroying documents to prevent access to information. These offences carry penalties of up to $10,000. While criminal prosecutions are rare, the provision exists and the OPC has indicated willingness to use all available tools.

Reputational damage. The OPC publishes its findings and enforcement actions. Media coverage of privacy failures is significant and sustained in New Zealand. A public finding by the Privacy Commissioner — particularly one involving mishandled customer data or a botched breach response — damages customer trust in ways that are difficult and expensive to repair.

Insurance implications. Cyber and professional indemnity insurers increasingly ask about privacy compliance as part of their underwriting process. A history of OPC complaints, or an inability to demonstrate compliance frameworks, can affect both premiums and coverage availability.

The call for stronger powers. The Privacy Commissioner has publicly called for stronger enforcement powers, including the ability to impose financial penalties (RNZ, 2024). While legislative change has not yet occurred, the direction of travel is clear. Organisations that build robust privacy frameworks now will be ahead of the curve when penalties inevitably arrive.

The Five Things Every Business Should Have Ready

You do not need a dedicated privacy team or a six-figure compliance budget to be prepared for an OPC investigation. You need five things, maintained consistently and kept current.

1. A current personal data inventory. Know what personal information you hold, where it lives, who can access it, and how it flows through your organisation. This is the single most important document in any privacy investigation. Without it, you cannot demonstrate that you understand your own data landscape, and the OPC will draw the obvious inference.

Your data inventory should cover every system that processes personal information — from your CRM and payroll platform to your email marketing tool and cloud storage. It should record whether data crosses borders, how long it is retained, and the legal basis for each processing activity.

2. A documented breach response plan. When a breach occurs, you need a plan that your team can execute without hesitation. The plan should define roles and responsibilities, set clear timelines for containment and notification, identify notification paths, and include pre-drafted notification templates for both the OPC and affected individuals.

The Privacy Act 2020 requires notification of breaches that are likely to cause serious harm. Having a documented plan — and evidence that your team has rehearsed it — demonstrates the kind of organisational preparedness the OPC expects.

3. Staff privacy training records. Every person in your organisation who handles personal information should receive privacy training. This includes not only formal training sessions but also role-specific guidance for staff in high-risk positions — those handling health data, financial information, or customer complaints.

Maintain records of who was trained, when, and on what topics. The OPC consistently identifies inadequate staff training as a contributing factor in privacy breaches.

4. Privacy impact assessments for key processing activities. Any time you introduce a new system, change how you process personal information, or enter into a new data sharing arrangement, conduct a privacy impact assessment. Document the risks you identified and the safeguards you implemented.

Privacy impact assessments do not need to be lengthy documents. A structured, two-page assessment that clearly identifies the privacy risks and mitigation measures for a specific project is far more valuable than a generic policy document that no one reads.

5. Notification templates and decision logs. Prepare breach notification templates in advance — one for the OPC and one for affected individuals. When a breach occurs, you will not have time to draft these from scratch while simultaneously managing containment.

Maintain a decision log for all privacy-related decisions: breach assessments (including decisions that a breach did not meet the notification threshold), responses to access and correction requests, and any decisions about data sharing or retention. This log becomes your primary evidence of good faith and reasonable conduct if a complaint is investigated.

Frequently Asked Questions

Can the Privacy Commissioner fine my business?

Not directly. New Zealand does not currently have a civil penalty regime for privacy breaches. However, the Commissioner can issue legally binding compliance notices, refer matters to the Human Rights Review Tribunal (which can award damages), and publish findings that cause significant reputational harm. The Commissioner has publicly called for stronger enforcement powers including financial penalties.

How long does an OPC investigation typically take?

The OPC closed nearly 90% of complaints within six months in the most recent reporting year. For straightforward matters handled through the fast resolve process, resolution can come within weeks. Complex investigations involving systemic issues take longer.

What triggers an OPC investigation?

Any individual can lodge a complaint, and the Commissioner can also initiate investigations on their own motion if a systemic issue comes to light. The most common triggers are complaints from individuals about unauthorised sharing of personal information, mishandled data, or failures to respond to access requests. Mandatory breach notifications can also lead to investigations if the OPC identifies concerns about your response.

Be Ready Before You Need to Be

The trajectory is clear. Complaint volumes are rising. Breach notifications are accelerating. The OPC is processing cases faster than ever, and the Commissioner is publicly advocating for stronger enforcement powers.

The businesses that navigate this successfully are those that prepare before they need to. A Privacy Breach Readiness Report takes weeks, not months, and gives you a clear picture of where you stand against the standards the OPC applies during investigations — your data inventory, breach response plan, staff training, privacy impact assessments, and notification processes.

The best time to prepare for a Privacy Commissioner investigation is before you know one is coming.

Request your Privacy Breach Readiness Report — find out where you stand before the OPC asks the same question.

Need help applying this to your business?

We can help you work out whether this is an immediate issue, how exposed you are, and what a sensible next step looks like.