Aroha has run the workshop on Colombo Street in Sydenham, south of the Christchurch CBD, for eleven years. Servicing, brakes, WoFs, tyres. Regulars from Beckenham and Spreydon, a handful of fleet cars from a landscaping business in Hornby. Monday, 9:45 a.m. A letter arrives in the post on Office of the Privacy Commissioner letterhead: Te Mana Mātāpono Matatapu in the masthead, Wellington return address. Aroha opens it. "Notification of complaint and request for response under section 69 of the Privacy Act 2020 — Reference OPC/2026/S/00341 — response required within 20 working days."
The covering letter summarises the complaints. Three customers of Aroha's workshop — individually, in the past six weeks — received cold-call marketing from a competing workshop in Addington. The competitor's caller knew: the customer's name, their vehicle make and model, the date of their last service, the work that had been performed, and the approximate next-service-due date. All three complainants pressed the caller for the source of the information. In two cases the caller mentioned that the list had been "bought from someone who used to work in the industry"; in the third, the caller hung up. The three complainants independently lodged complaints with the Privacy Commissioner, attaching recordings or transcripts of the calls. The Commissioner's office has consolidated the complaints and is requesting Aroha's formal response.
Aroha thinks about it and knows immediately what happened. Her service manager of six years had resigned suddenly in February, citing "personal reasons", and had been seen walking out with his own laptop bag. The laptop was Aroha's, but the bag was his. At the time she had not thought to audit what was on it. The service manager had full administrator access to the workshop's customer database: around 2,400 names, addresses, mobile numbers, vehicle registrations, service histories and last invoice totals. Two weeks later he started work at the competing Addington workshop. It is now twelve weeks after that February resignation and the dots are easy to connect.
The file opens two separate Privacy Act failures. First, the underlying breach: the unauthorised export of the customer database by an employee with legitimate access who exceeded authority on departure. That is a breach of Information Privacy Principle 5 (storage and security) on the organisation's side: the workshop did not have adequate controls to prevent this on employee departure. Second, the failure to notify: Aroha did not report the breach to the Office of the Privacy Commissioner or to the affected customers when the suspicion first arose. Privacy Act 2020 Part 6 (sections 112-117) requires notification of a notifiable privacy breach to the Commissioner and to affected individuals as soon as practicable — which the Commissioner's guidance consistently interprets as within 72 hours of the organisation forming a reasonable belief that a notifiable breach has occurred. Twelve weeks is not 72 hours.
Here is what every South Island workshop should already have in place before the next OPC envelope arrives.
What the Privacy Act 2020 actually requires — short version
The Privacy Act 2020, in force since 1 December 2020, governs how every New Zealand organisation collects, stores, uses and discloses personal information. The full framework is organised around the thirteen Information Privacy Principles (IPPs). For a small workshop, four of the IPPs carry most of the weight and one additional obligation — the breach notification regime — determines what happens when something goes wrong.
IPP 1 — Purpose of collection. Collect personal information only for a lawful purpose connected to a function of the organisation. A workshop collects customer data to provide the service, to issue GST-compliant invoices, to send service reminders, and to contact the customer about current work. Those purposes are lawful and connected. Reselling the list to a third party is not a purpose connected to the workshop's function. The competing Addington workshop is exposed under IPP 1 as well: buying a rival's customer list is a collection of personal information with no lawful purpose connected to its own functions, and nothing about that purchase made the collection lawful.
IPP 5 — Storage and security. Take reasonable steps to protect personal information against loss, unauthorised access, use, modification, disclosure and other misuse. Reasonable scales with the size of the organisation — a small workshop is not expected to install enterprise-grade cybersecurity — but the standard is still "reasonable". Letting a departing service manager walk out with unlimited export rights to the customer database, without any lock-out audit, fails the reasonable-steps test. Standard practice in 2026 expects: role-based access, individual logins, revocation on the day an employee leaves, and an audit log of who exported what.
IPP 6 — Access to personal information. Individuals are entitled to access personal information an organisation holds about them on request. A workshop must be able to retrieve a single customer's complete record on demand and provide it within 20 working days. This requires a searchable, organised data-keeping system — shared Google Sheets scattered across personal Gmail accounts do not meet this obligation.
IPP 11 — Limits on disclosure of personal information. Disclose personal information only with the individual's authorisation, for the purpose it was collected, or for a specifically permitted purpose under the Act. Sending service-reminder SMSes to your own customers about their own vehicles is within the collection purpose and does not require a separate authorisation (although a courteous opt-out mechanism is good practice). Sending marketing of another workshop's services using the data you collected is outside the purpose and a plain IPP 11 breach.
Part 6 — Notifiable privacy breaches and compliance notices (s.112-117). The critical 2020-Act innovation. A privacy breach is "notifiable" if it is reasonable to believe it has caused or is likely to cause serious harm to any affected individual. Serious harm is assessed on several factors set out in section 113: the nature of the information, the person who obtained the information, whether the information is protected by encryption, and whether the unauthorised access is believed to be ongoing. A customer database going to a competitor for marketing exploitation typically meets the serious-harm threshold — the affected individuals have not consented, cannot easily prevent recurrence, and the commercial exploitation itself is the harm.
When a notifiable breach is identified, the organisation must notify the Commissioner and the affected individuals as soon as practicable. Commissioner guidance is consistent: ideally within 72 hours of forming a reasonable belief that a notifiable breach has occurred, even if the organisation is still investigating. Late notification is a separate breach. Failing, without reasonable excuse, to notify the Commissioner of a notifiable privacy breach is an offence under section 118 punishable by a fine of up to NZ\$10,000. That fine sounds trivial compared to Singapore's 10-percent-of-turnover or South Africa's R10 million, and it is, but the fine is not the threat. The threat is the Commissioner's compliance notice, the public record of the breach finding, and the downstream customer claims that ride on top of the OPC decision.
Why the NZ\$10,000 penalty is not the point
New Zealand's Privacy Commissioner has a far weaker financial-penalty toolkit than Singapore's PDPC, South Africa's Information Regulator or Quebec's CAI. But the consequences of a Privacy Act finding are not limited to the fine. Several weigh more:
Compliance notices under section 123. The Commissioner can issue a compliance notice requiring the organisation to take specific steps (or stop specific practices) to comply with the Act. The notice is enforceable: if the agency does not comply, the Commissioner can apply to the Human Rights Review Tribunal for an order requiring compliance. The Commissioner uses compliance notices to lock in the outcome of an investigation; they are durable, enforceable and public.
Access directions under section 104. When an access or correction request is refused, the Commissioner can direct the organisation to provide the information or correct the record. These directions are enforceable in court.
Civil proceedings under section 213. Affected individuals may bring proceedings in the Human Rights Review Tribunal for interference with privacy. The Tribunal can award damages up to NZ\$350,000 per proceeding for emotional harm, pecuniary loss, and other compensable heads. In a multi-complainant scenario — three customers in Aroha's case, potentially 2,400 on the database — the damages exposure scales.
Published findings. The Commissioner publishes case notes and annual-report summaries. Named organisations appear on search engines. The 2024-25 OPC Annual Report noted a 43 per cent increase in the number of serious privacy breaches notified to the regulator; the enforcement trend line is rising, and a public finding is a reputational cost that outlives the investigation.
Commercial downstream. A workshop under active OPC investigation may lose its approved-repairer status with sensitive fleet clients (government, insurance panels, commercial drivers) whose contracts require clean privacy compliance as a standing condition.
The fine is noise. The compliance notice, the Human Rights Review Tribunal proceeding, and the published finding are the signal.
Five measures every Sydenham workshop should already have in place
1. Named Privacy Officer — registered internally and published
Privacy Act 2020 section 201 requires every agency (organisation, in the Act's language) to have at least one Privacy Officer. Duties include encouraging compliance with the IPPs, dealing with access and correction requests, working with the Commissioner on investigations, and ensuring the agency complies with the Act. The Privacy Officer can be the owner for a small workshop; no specialist qualification is required. The Act does not prescribe how the contact is made known, but putting the name and contact details on the workshop's website and making them available to any customer on request is the practical way to show the role exists. For Aroha, appointing herself as Privacy Officer and publishing the contact is the first step. It should have been done in December 2020 when the Act came into force.
2. Written privacy policy — visible, plain-English, IPP-mapped
A one-page privacy policy stating: what personal information is collected, the lawful purposes (provision of service, GST invoicing, service reminders, communication about current work), the retention period (7 years for GST-related records per Inland Revenue, 2 years for service history beyond that, deleted on request for marketing), the individual's rights (access, correction, objection, complaint to the OPC at privacy.org.nz), how the workshop responds to access requests (within 20 working days), how it handles breaches (Privacy Officer notified, assessment, Commissioner notified if serious harm is likely). Print, laminate, display at the counter. Publish on the website. Two hours of work.
3. Data-collection practice that meets IPP 1 — minimum necessary
Collect only the personal information genuinely needed to run the workshop: name, mobile, email, address, vehicle registration / VIN / year / make / model, service history, last invoice. Do not collect driver's licence number unless genuinely required for a specific transaction (such as an interaction with NZTA). Do not collect date of birth or gender — not relevant to workshop service. Minimum necessary means less data to breach and less data to secure.
4. Security safeguards that scale to 2026 expectations — not to 2010 expectations
The "reasonable steps" standard moves with the times. In 2026, reasonable steps for an independent workshop include: individual user logins with role-based access (no shared logins), access revoked the day an employee leaves, an audit log of data exports, automatic timeouts on idle sessions, multi-factor authentication on any cloud service that supports it, physical devices protected by passcode or biometrics, no customer data in personal cloud storage or personal email accounts, no printed customer lists left in public areas of the workshop, a written staff data-handling policy signed by every employee at onboarding (and enforced at exit interviews).
For Aroha's case specifically, an audit on the day of the service manager's resignation, checking the export log for his account, disabling the account, and requiring return of the laptop and any USB or physical media, would have revealed the database export immediately. The 72-hour notification window would then have opened from a position of documented diligence rather than twelve weeks of silence.
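The export audit log described above is only useful if someone actually reads it on the day a person leaves. The script below is an added example, not code from the page or from any workshop management system: it assumes the system writes one JSON line per action with hypothetical fields `ts`, `user`, `action`, `table` and `rows`, and it runs an exit-day review against a constructed roster. It flags bulk exports of personal-data tables during the notice period, any use of the account after the last day (which means revocation did not happen), and whether the findings need to go to the Privacy Officer for a section 113 assessment.

```python
"""Exit-day review of a workshop's data-export audit log.

Added example. The log format, field names and sample events are
assumptions for illustration, not the format of any real product.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log: six events in the weeks around a resignation.
# Names, dates and counts are made up for the example.
AUDIT_LOG = """\
{"ts": "2026-01-20T09:12:00+13:00", "user": "tom", "action": "export", "table": "customers", "rows": 40}
{"ts": "2026-02-03T17:48:00+13:00", "user": "tom", "action": "export", "table": "customers", "rows": 2400}
{"ts": "2026-02-04T08:05:00+13:00", "user": "aroha", "action": "export", "table": "invoices", "rows": 120}
{"ts": "2026-02-06T19:02:00+13:00", "user": "tom", "action": "export", "table": "vehicles", "rows": 2380}
{"ts": "2026-02-12T10:30:00+13:00", "user": "tom", "action": "export", "table": "customers", "rows": 2400}
{"ts": "2026-02-20T11:00:00+13:00", "user": "aroha", "action": "export", "table": "customers", "rows": 15}
"""

# Constructed roster: the last working day for each leaver (None = still employed).
ROSTER = {"aroha": None, "tom": "2026-02-06"}

BULK_ROWS = 500                  # more rows than any routine workshop task needs
LOOKBACK = timedelta(days=30)    # notice-period window to review before the last day
PERSONAL_TABLES = ("customers", "vehicles")   # tables holding personal information


def parse_log(text):
    """Parse one JSON object per line and turn the timestamp into a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review_leaver(events, user, last_day, lookback=LOOKBACK, bulk_rows=BULK_ROWS):
    """Review one leaver's account.

    Returns the bulk exports in the lookback window before the last day,
    any activity after the last day (the account was not revoked), and the
    total rows exported in the window.
    """
    last = datetime.strptime(last_day, "%Y-%m-%d").date()
    start = last - lookback
    bulk, post_exit, rows = [], [], 0
    for ev in events:
        if ev["user"] != user:
            continue
        day = ev["ts"].date()          # local date in the log's own offset
        if day > last:
            post_exit.append(ev)       # any use after exit is a revocation failure
        elif start <= day <= last and ev["action"] == "export":
            rows += ev["rows"]
            if ev["rows"] >= bulk_rows:
                bulk.append(ev)
    return {"user": user, "bulk_exports": bulk,
            "post_exit_activity": post_exit, "rows_exported_in_window": rows}


def needs_breach_assessment(findings, personal_tables=PERSONAL_TABLES):
    """True when the leaver pulled a bulk copy of a personal-data table or
    used the account after the last day. Either goes to the Privacy Officer
    for a serious-harm assessment; the script does not decide notifiability."""
    if findings["post_exit_activity"]:
        return True
    return any(ev["table"] in personal_tables for ev in findings["bulk_exports"])


def review_all_leavers(log_text, roster):
    """Run the review for every roster entry that has a last day."""
    events = parse_log(log_text)
    return {u: review_leaver(events, u, last) for u, last in roster.items() if last}


if __name__ == "__main__":
    for user, f in review_all_leavers(AUDIT_LOG, ROSTER).items():
        print(f"{user}: {len(f['bulk_exports'])} bulk export(s), "
              f"{f['rows_exported_in_window']} rows in window, "
              f"{len(f['post_exit_activity'])} post-exit event(s), "
              f"escalate={needs_breach_assessment(f)}")
```

Run it and the constructed log shows the shape of the problem the page describes: two whole-table exports in the days before the last day, and an export six days after it from an account that should have been disabled. The thresholds are assumptions; a workshop should set `BULK_ROWS` from its own routine tasks (a day's job list is tens of rows, the full customer table is thousands) and run the review on the day notice is given, not on the last day.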
5. Breach response plan — notifiable-breach assessment in 72 hours
A one-page plan posted in the office and rehearsed annually. When a breach is suspected: (a) Privacy Officer is informed immediately, (b) scope of affected data and individuals is assessed, (c) likelihood of serious harm is evaluated against the section 113 factors (nature of the information, identity of the recipient, whether information was encrypted, whether the unauthorised access is ongoing), (d) if notifiable, the OPC is notified via privacy.org.nz/responsibilities/privacy-breaches/notify-us/ within 72 hours even if investigation is ongoing, (e) affected individuals are notified in plain language with practical steps they can take, (f) the breach is recorded in an internal register with the response and remediation. The plan takes an afternoon to write. Its absence when a breach occurs is the single biggest aggravating factor the Commissioner considers at decision stage.
What is likely to happen in Aroha's file
Aroha responds to the OPC letter within the 20-working-day window with the assistance of a privacy advisor (around NZ\$2,500 to NZ\$6,000 in fees for the investigation phase). Her response will need to address: how the breach happened, why it was not reported within 72 hours, what remedial steps have been taken since, what plan is in place for future breaches. The Commissioner's investigation typically concludes in three to six months with one of several outcomes: closed with recommendations, closed with a compliance notice under section 123, referred to the Human Rights Review Tribunal (rare for a single-breach matter but possible for repeat offenders), or closed with a finding of interference with the privacy of the individuals concerned published as a case note on the OPC website.
Most likely outcome in Aroha's case: a compliance notice requiring appointment of a Privacy Officer with published contact, implementation of a written privacy policy, implementation of role-based access controls with audit logging, evidence of a breach response plan in place, and notification to the remaining 2,397 database individuals who were not already aware. A published case note on the OPC website naming the workshop. A section 118 fine for late notification is only possible if the Commissioner prosecutes and a court convicts; the maximum is NZ\$10,000, and cooperation and remediation evidence typically bring the amount down, so perhaps NZ\$5,000 to NZ\$8,000 in practice. Human Rights Review Tribunal proceedings by individual complainants are possible but less likely at that scale.
Direct costs to Aroha: privacy advisor fees (NZ\$2,500 to NZ\$6,000), fine if prosecuted (NZ\$5,000 to NZ\$8,000), remediation implementation (Privacy Officer publishing, policy writing, access-control changes: NZ\$3,000 to NZ\$8,000 depending on whether she upgrades to a workshop management system), and the published finding that will live on Google search for years. Total: NZ\$10,500 to NZ\$22,000, plus the reputational drag. Loss of approved-repairer status with her two insurance panels is a downstream risk; the panels review annually and a current OPC compliance notice counts against renewal.
Had the five measures been in place from December 2020 when the Act came into force? No breach via employee export (role-based access, audit on exit), no serious-harm threshold crossed. Or, if a similar breach had still occurred, a 72-hour notification with a documented response plan and transparent customer communication — which the Commissioner's decisions consistently treat as substantially mitigating, often closing with a warning rather than a compliance notice.
Cost of the five measures, set up once? An afternoon per measure over a week. Five measures, five afternoons. NZ\$0 in ongoing cost if the workshop management system is already in use; NZ\$50 to NZ\$200 per month if the workshop upgrades from spreadsheets.
The data you are already keeping
Mekavo stores customer personal information inside a system with individual user accounts and role-based access; actions are logged; access is revocable with one click on employee departure; personal devices and consumer cloud accounts are not part of the data path; the intake form captures only the minimum necessary personal information. The Privacy Officer's name is set once in the workshop's profile and appears on the printable privacy policy. The breach response plan template is linked in the help centre alongside the OPC notification portal.
The Privacy Act 2020 is not the Act that most New Zealand workshops have read. The Commissioner's enforcement tempo is rising (43 per cent growth in reported serious breaches year-on-year in 2024-25). The NZ\$10,000 fine is a rounding error next to the compliance-notice overhead, the Tribunal exposure, and the published finding. What a workshop can change is the architecture of the data it keeps, who can touch it, what happens when someone on the team leaves, and how fast it can respond when something goes wrong. Five measures. Set them up once. Keep them running on every shift.
Official resources
- Privacy Act 2020 — full text on legislation.govt.nz
- Privacy Act 2020 — Part 6 (Notifiable privacy breaches and compliance notices)
- Office of the Privacy Commissioner — official portal
- OPC — Notify us of a serious privacy breach
- OPC — Privacy Act 2020 information sheets (full set)
Last updated: April 2026. The statute and enforcement trend data cited were current at the date of publication. For an active OPC investigation with a response deadline approaching, a suspected notifiable breach under assessment, or a Human Rights Review Tribunal proceeding related to privacy, consult a lawyer admitted in New Zealand with privacy or public-law practice before responding to the Commissioner or to the complainant.
Note on scenarios: The shops, names, addresses, and case reference numbers in this article are fictional and used solely to illustrate how the cited statutes operate in practice. Any resemblance to actual shops, owners, or events is coincidental. The statutes, regulations, and agency procedures cited are real and current as of publication.