Privacy Commissioner Guidance on "Serious Harm" — When a Cyber Incident Triggers Mandatory Notification
Published 18 May 2026 · By Stewart Hunt, FCIB (FSP748591)
Under section 117 of the Privacy Act 2020, an NZ business that suffers a privacy breach must notify the Office of the Privacy Commissioner (OPC) and the affected individuals — but only if the breach has caused or is likely to cause "serious harm". That phrase does most of the work in the Act, and it's where most NZ businesses get the assessment wrong on first contact. This guide walks through OPC's published guidance on serious harm, the factors that move an incident from "internal containment" to "mandatory notification", and how cyber insurance pays for the legal advice you'll need to make the call.
The serious-harm test in section 117
Section 117 of the Privacy Act 2020 sets out a single test: a notifiable privacy breach has occurred if it is "reasonable to believe" the breach has caused, or is likely to cause, serious harm to an affected individual. The Act doesn't define "serious harm" exhaustively — but it lists factors to consider, and OPC has expanded those into operational guidance. The factors include:
- The actions taken by the agency to reduce the risk of harm
- Whether the personal information is sensitive (financial, health, identity-document data)
- The nature of the harm that may be caused
- The person or body that has obtained or may obtain the personal information as a result of the breach
- Whether the personal information is protected by a security measure (encryption, etc.)
- Any other relevant matter
The threshold is fact-sensitive. A breach involving one person's home address and email might be containable; the same disclosure for a domestic-violence survivor is plainly serious harm. A breach involving 50,000 records of low-sensitivity data may or may not pass the threshold, depending on the type of data and the parties who obtained it. The judgement is binary in the end — you either notify or you don't — but the path to the judgement involves weighing each factor.
OPC's serious-harm guidance in practice
The Privacy Commissioner has published practical guidance for agencies assessing whether a breach meets the threshold. Read in full at privacy.org.nz/responsibilities/privacy-breaches/, the guidance identifies several scenarios that typically meet the serious-harm threshold:
- Disclosure of identity documents (driver licence, passport, birth certificate) to unauthorised parties — high identity-fraud risk
- Disclosure of bank-account or credit-card details
- Disclosure of health information, particularly mental-health, sexual-health, or other sensitive categories
- Disclosure of information about children
- Disclosure of information that could be used to embarrass, intimidate, or stalk an individual
- Disclosure of information that could compromise an individual's physical safety (e.g. address of a person at risk)
- Disclosure of large volumes of personal information to a third party, especially where re-identification is feasible
Equally, OPC's guidance identifies scenarios that typically do not meet the threshold:
- The information was promptly contained and the recipient is reliably known not to have read or copied it (e.g. a misdirected email recalled before being opened)
- The information is publicly available elsewhere (e.g. a name and business email already on the public website)
- The information was strongly encrypted with the encryption key not exposed, and the encryption is current-standard (not, say, AES-128 in ECB mode, where the mode rather than the key length is the weakness, or an outdated cipher)
- The recipient is bound by a confidentiality obligation that makes onward disclosure unlikely (e.g. another health provider with statutory confidentiality)
The "encryption" qualifier is the one most NZ businesses overestimate. If a stolen device or a leaked file was encrypted with strong, current cryptography and the encryption key was not also compromised, the breach often falls below the threshold. But cyber incidents that bypass encryption (e.g. credentials are phished, then the attacker logs in as the user and reads data the system decrypts for them) don't get the encryption defence — from the attacker's vantage the data was accessed in cleartext, and encryption at rest did nothing to protect it.
The NotifyUs tool
OPC's NotifyUs tool is the online portal for filing breach notifications. It also serves as a decision-support tool: walking through the questions on the portal can clarify whether a notification is required. The tool asks structured questions about the nature of the data, the affected population, containment actions taken, and the likely harm.
The Act requires notification "as soon as practicable" after the agency becomes aware of the breach. There is no fixed 72-hour rule as there is under the GDPR — but "as soon as practicable" is interpreted firmly. Most NZ legal commentary suggests 72 hours is a reasonable working target unless the facts genuinely require longer to gather. Delayed notifications draw OPC's interest.
What cyber insurance pays for in the serious-harm assessment
The serious-harm assessment is where legal advice matters most — and where cyber insurance is most useful in practice. A typical NZ cyber policy will cover:
- Legal-advice costs for assessing whether the breach meets the serious-harm threshold. This is usually charged hourly by privacy specialists at $400-$700 per hour; even a contained incident often requires 4-8 hours of legal review. Cyber insurance pays from first dollar (no excess on many policies for breach-response legal advice).
- Breach-notification preparation — drafting the notification letters to affected individuals and the OPC submission. Often a single-engagement cost of $5,000-$15,000 for the legal/PR work, depending on scale.
- Communication-platform costs — printing, mailing, email-platform fees for large-population notifications.
- Call-centre support — establishing a temporary call-centre for affected individuals to ask questions, if the breach is large enough to need one.
- Credit-monitoring or identity-monitoring services for affected individuals where the breach involves identity-document or financial data.
- OPC investigation defence costs if the Commissioner opens a formal investigation under section 116.
The amounts are stated in your policy's coverage section either as dollar sub-limits or as "reasonable costs incurred with insurer consent". Read your policy's breach-response or privacy-notification section carefully — the sub-limits vary widely across NZ insurers.
Common assessment mistakes
- Treating the threshold as the volume of records. 50,000 low-sensitivity records may not meet serious harm; 50 high-sensitivity records may. Volume is one factor among many.
- Assuming encryption defeats the test. Encryption only takes a breach below the threshold if the encryption was strong AND the key wasn't also compromised AND the attacker didn't bypass the encryption by impersonating a legitimate user.
- Waiting for certainty. The test is "likely to cause" — not "certain to cause". Reasonable belief, not proof. Delaying notification while you investigate further is a common failure mode that OPC has criticised in case notes.
- Conflating containment with eliminated risk. A misdirected email recalled within minutes may be containable. A misdirected email that was open in the recipient's inbox for 12 hours, even if "recalled" later, is harder to contain — the recipient may have read, copied, or screenshotted it.
- Not consulting legal counsel. The threshold is genuinely ambiguous in many cases. Privacy-specialist legal advice is what cyber insurance pays for; declining the advice and self-assessing exposes the agency to a later "you should have notified" finding from OPC.
OPC enforcement posture
OPC's published case notes (at privacy.org.nz/about-us/case-notes/) give a sense of the Commissioner's approach. Where agencies notify proactively and remediate quickly, OPC's response is typically educational — guidance, perhaps a Compliance Notice. Where agencies fail to notify or delay materially, OPC has shown willingness to issue Compliance Notices and, in the more serious cases, refer to the Director of Human Rights Proceedings for civil enforcement under section 96 of the Act.
For cyber-insurance planning purposes: the cost of getting the serious-harm assessment wrong on the under-notify side is far larger than the cost of notifying when arguably the threshold wasn't met. Insurers and OPC both prefer the agency that notifies marginally too often over the agency that notifies marginally too little.
Practical workflow for a cyber incident with potential privacy implications
- Hour 0: Detect incident. Contain. Preserve forensic evidence. Notify your cyber insurer's incident-response hotline.
- Hours 0-24: Engage insurer-panel forensics firm to determine scope. Engage privacy-specialist legal counsel under your cyber policy's breach-response cover.
- Hours 24-72: Legal counsel applies the section-117 serious-harm test against the forensic findings. Decision made on notification.
- Hour 72 onward (if notifiable): File via NotifyUs. Notify affected individuals. Communicate with OPC if they make further enquiries.
- Weeks 1-12: Ongoing OPC engagement, individual communications, credit-monitoring delivery, and any subsequent media or regulatory follow-up.
Primary sources cited in this guide
- Office of the Privacy Commissioner — Privacy breaches guidance (privacy.org.nz)
- Office of the Privacy Commissioner — NotifyUs tool (privacy.org.nz)
- Office of the Privacy Commissioner — Case notes (privacy.org.nz)
- Privacy Act 2020 — full text (legislation.govt.nz)
- Companion guide: Privacy Act 2020 — section 117 breach notification mechanics
Disclaimer: This article is general information, not personalised privacy or insurance advice. Privacy Commissioner guidance is authoritative — read it directly. For any actual breach assessment, engage privacy-specialist legal counsel. Cyber Insurance Quotes NZ is operated by First Commercial Insurance Brokers Ltd (FSP748591). FCIB Disclosure Statement.