The Office of the Privacy Commissioner for Bermuda (PrivCom) is releasing statistics for Q1/2025
- privcombermuda
- Jun 27
The Personal Information Protection Act 2016 (PIPA) came into full effect on 1 January 2025.
This is the first report in which the Office of the Privacy Commissioner (PrivCom) is sharing insights, and we will continue to do so every quarter.
Please note this report is limited to reported personal information breaches, written requests, and general queries received by the PrivCom Investigations Unit during Q1 (1 January - 31 March 2025) and that some statistics may be subject to change with updated information.
Q1 Statistics Summary

Personal Information Breaches
There was a total of five (5) reported personal information breaches, affecting an estimated three thousand (3,000+) people.
The majority of the reported personal information breaches related to unauthorised disclosures of or access to personal information which were likely to adversely affect individuals.
Of the total personal information breaches received in Q1, four (4) were concluded by quarter end and one (1) remains open.
Written Requests
There was a total of six (6) written requests received and accepted by PrivCom.
Of the total written requests received during Q1, two (2) were written requests asking for a Review and four (4) were requests initiating a Complaint under PIPA.
Of the total written requests received during Q1, four (4) were closed by PrivCom by way of resolution prior to a formal investigation, while two (2) remained open post-quarter end.
General Queries
There was a total of twenty-two (22) general queries received by the PrivCom Investigations Unit.
The general queries related to PIPA guidance, general concerns, and procedural steps.
Of the general queries received during Q1, all twenty-two were closed by PrivCom informally during Q1 by providing recommendations or guidance to relevant resources.
Q1 Key Takeaways
Personal Information Breach Assessment
Organisations have highlighted the challenge of both measuring when a breach is likely to adversely affect an individual and complying with the requirement to notify PrivCom of the breach “without undue delay”.
We urge organisations to ensure the following is implemented and reviewed periodically:
- The designation of a Privacy Officer who can effectively fulfil the requirements of the role.
- Accessible policies and procedures, which will assist the overall assessment of Personal Information Breaches.
- The development of risk assessments, impact questionnaires, impact assessments and any further tools
- Training for all employees on PIPA compliance and expectations.
With these measures in place, organisations will have clear lines of responsibility for managing an incident or breach and can refer to their risk assessments to evaluate questions of likely adverse effects.
Exhaustion of Alternative Grievance, Complaint or Review Procedures
PrivCom has identified a number of requests from individuals that highlighted the fact that other grievance and/or legal proceedings were actively being sought, while also attempting to pursue a right under PIPA.
It is important to note that PIPA is not intended to be a tool to circumvent or supplement any current grievance, legal, complaint or review procedures available to an individual. It is important for individuals to consider the best procedure to attempt to resolve their specific matter, as the Commissioner has the authority to require the exhaustion of any other procedures in accordance with section 38(3) of PIPA.
As a general rule, the Commissioner will require an individual to first attempt to exercise their rights through a PIPA Rights Request before making a complaint that an organisation has not observed a right set out under PIPA.
While other grievances or legal proceedings may take precedence over bringing a specific matter to PrivCom, an individual's data privacy rights under sections 17, 18 and 19 should not be prejudiced if these actions are not related to the other matters being pursued.
Transitional aspects of PIPA
PrivCom has received written requests or general queries related to personal information that an organisation collected or used prior to PIPA coming into effect on 1st January 2025.
The compliance requirements under PIPA were not in effect until that time, so PrivCom is not empowered to consider non-compliance prior to then.
Further, section 4(2) of PIPA states that, for the purposes of the Act, such personal information is deemed to have been collected pursuant to consent given by the individual and may be used by the organisation for the purposes for which the information was collected. Therefore, the continuing possession and use of the personal information after 1st January 2025 would be permitted by the deemed consent.
If an individual wishes, they should contact the organisation to withdraw their consent or otherwise exercise their rights through a PIPA Rights Request. If the individual’s consent has not been withdrawn, then the organisation could likely continue to rely on the deemed consent as the condition for using personal information.