Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

Many New Zealanders began 2026 with some sobering privacy news. In early January, Manage My Health — a private patient portal contracted to the public health system — announced it had been affected by a serious cyber incident involving the sensitive health information of thousands of users. Ransom hackers accessed and downloaded documents stored in the My Health Documents section of the portal and threatened to make these available on the dark web.

The MMH breach is one of the most serious privacy incidents in New Zealand's history. The scale of the incident and the sensitivity of the health information involved have understandably generated public concern. But beyond the specifics of what went wrong, the breach has also drawn attention to a more systemic issue: whether New Zealand's privacy enforcement settings are strong enough to deter serious failures in the first place.

From an enforcement perspective, the Office of the Privacy Commissioner has acted decisively within its existing powers, launching a formal inquiry and signaling that the issues raised go beyond a single organization. Even so, MMH highlights a long-standing gap in the Privacy Act 2020 relating to the absence of meaningful financial penalties for serious privacy breaches.


Under the current framework, meager financial penalties — up to NZD10,000 — are available only in relation to the commission of a small number of offenses, including a failure to notify the privacy commissioner of a serious privacy breach. However, there are no financial penalties at all for breaching the information privacy principles in the first place, such as a failure to take reasonable steps to protect personal information from harm.

This puts New Zealand's regime well out of step with overseas approaches. For example, following reforms to the Australian Privacy Act 1988, the Office of the Australian Information Commissioner can pursue very substantial civil penalties for serious or repeated interferences with privacy. Maximum penalties can exceed AUD50 million, a multiple of the benefit obtained, or a percentage of annual turnover. While not every breach attracts such penalties, their availability materially changes the risk calculus for boards and executives.

In practice, this difference matters. Organizations faced with significant penalties for noncompliance with privacy laws are likely to be less willing to "risk accept" weaknesses in privacy and security controls once they understand the potential financial exposure. Penalties of that magnitude elevate privacy risk into the same category as other board-level financial and regulatory risks.

New Zealand's regime relies almost entirely on reputational damage, regulatory influence and post-incident remediation to drive change. This is not sustainable. The privacy commissioner has been explicit in recent public commentary about the need for stronger enforcement levers, including the ability to impose or seek significant fines for serious breaches. Others, including Consumer NZ, have joined the call, promoting a petition to parliament — which closes 28 Feb. — for the introduction of a penalties regime. The MMH breach can only strengthen these calls for change.

Of course, financial penalties are not a silver bullet, and enforcement alone cannot substitute for good governance, leadership and organizational culture. But the MMH breach does suggest that New Zealand's current model may struggle to deliver clear, predictable deterrence at the top end of privacy risk. If incidents of this scale do not lead to consequences that boards genuinely fear, what signal does that send to other organizations holding sensitive information?

Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.