Put Yourself in The Individual’s Shoes
When a privacy breach occurs, organisations often consider the impact on themselves rather than on the affected individuals. They assess the reputational risks around notification, their compliance obligations and their legal liability. What easily gets lost in the noise is consideration for the individuals involved and the harm that has occurred, or may yet occur, to them.
Under the Privacy Act 2020, New Zealand organisations have a responsibility to notify the Office of the Privacy Commissioner (OPC) and affected individuals if a privacy breach has caused, or is likely to cause, serious harm. The law deliberately centres this threshold on the affected individual, not on the convenience or preferences of the organisation, and allows only very limited exceptions to the duty to notify.
Too often, organisations downplay the human impact, focusing instead on the technical or operational concerns that caused the breach. If they do think about the affected individual, they judge the impact through the lens of their own life experiences rather than speaking to the individual to understand the impact on them. In a recent case note the Privacy Commissioner noted: “When agencies are considering whether harm has been suffered by a complainant, it is essential that it seeks to understand the actual impact on the client, not what they think the impact should be without having lived that individual’s life experiences. What might not affect one person, can have a significant impact on another.”
The UK Information Commissioner’s Office (ICO) launched a hard-hitting campaign called the Ripple Effect in October last year about the impact of a breach on individuals, supported with some great resources.
Failing to notify affected individuals doesn’t just breach legal obligations: it erodes trust in the organisation. People remember how you made them feel, especially in moments of vulnerability such as a breach.