The Office of the Privacy Commissioner's annual report shows reported private sector breaches overtaking the public sector for the first time -- and human error is the major cause of breaches.
However, reported hacks resulting in a breach of privacy increased markedly in 2019, up from six in 2018 to 43 in the year ended 30 June.
Currently the breach notification regime is voluntary, but compulsory breach notification is on the way and is expected to increase the number of reported breaches significantly, the report said.
"We receive voluntary breach notifications from a variety of public and private sector agencies," it said.
"We encourage this because we can guide agencies on how they should respond to breaches, and how they can stop them from happening again."
The notifications also help identify common privacy issues and risks, and lessons learned from these breaches are used in developing education resources.
This year agencies reported 222 breaches (see chart below). Ninety-five of those were from public agencies and the other 127 from private agencies.
"Because breach reporting is voluntary, there is no way of knowing what proportion of all the breaches that occur are reported to our office," the report noted.
Human error - including mistakes using email, posting to websites and loss or theft of documents or devices - was the most common cause of privacy breaches.
The Privacy Bill now before Parliament will make it mandatory for agencies to notify the Commissioner of significant privacy breaches.
2019 may also be remembered as the year in which the importance of online privacy finally became mainstream, the report said.
"In the digital privacy space, the fallout from Facebook’s Cambridge Analytica scandal, and social media platforms hosting disturbing videos of terrorist violence, were among incidents that brought an unparalleled level of public and regulatory scrutiny upon the practices of big tech companies," the report said.
The new Privacy Bill will also have an extra-territorial effect, meaning privacy obligations will explicitly apply to agencies conducting business in New Zealand, whether or not they have a physical presence here.
The Privacy Commissioner is currently looking into a change in Trade Me's terms and conditions for the use of private data, allowing it to target advertising.
Privacy Commissioner John Edwards told Stuff yesterday he intended to seek further information from the online marketplace on what appeared to be a proposal for the unauthorised use of customer information.
"We will then evaluate the options available," Edwards said.