Notes from the Asia-Pacific region: Breach exposes gaps in NZ’s privacy framework

https://iapp.org/news/a/notes-from-the-asia-pacific-region-breach-exposes-gaps-in-nz-s-privacy-framework

Publish Date: 2026-02-05 09:43:00

Source Domain: iapp.org

Editor’s note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

Many New Zealanders began 2026 with some sobering privacy news. In early January, Manage My Health — a private patient portal contracted to the public health system — announced it had been affected by a serious cyber incident involving the sensitive health information of thousands of users. Ransom hackers accessed and downloaded documents stored in the My Health Documents section of the portal and threatened to make these available on the dark web.

The MMH breach is one of the most serious privacy incidents in New Zealand’s history. The scale of the incident and the sensitivity of the health information involved have understandably generated public concern. But beyond the specifics of what went wrong, the breach has also drawn attention to a more systemic issue: whether New Zealand’s privacy enforcement settings are strong enough to deter serious failures in the first place.

From an enforcement perspective, the Office of the Privacy Commissioner has acted decisively within its existing powers, launching a formal inquiry and signaling that the issues raised go beyond a single organization. Even so, MMH highlights a long-standing gap in the Privacy Act 2020 relating to the absence of meaningful financial penalties for serious privacy breaches.

Under the current framework, meager financial penalties — up to NZD10,000 — are available only in relation to the commission of a small number of offenses, including a failure to notify the privacy commissioner of a serious privacy breach. However, there are no financial penalties at all for breaching the information privacy principles in the first place, such as a failure to take reasonable steps to protect personal information from harm.

This puts New Zealand’s regime well out of step with overseas approaches. For example, following reforms to the Australian Privacy…
