Exercise of powers in a case of an agency's failure to notify a privacy breach

B Stewart made this Official Information request to Privacy Commissioner

Currently waiting for a response from Privacy Commissioner, they must respond promptly and normally no later than (details and exceptions).

From: B Stewart

Dear Privacy Commissioner,

I am making this request as an author of a legal publication focused upon the interpretation of provisions in the Privacy Act 2020.

My request relates to a case handled by your office in which an agency was found to have repeatedly failed to notify the Privacy Commissioner of a notifiable privacy breach. Eventually, the Commissioner named the company (see PBN23505 [2024] NZPrivCmr1 - Ultimate Care Group Limited) but did not prosecute the company under s 118.

I am interested in accessing information that illuminates the reasons for the Commissioner's decisions to (1) decline to prosecute and (2) to name the company.

Related to these two decisions I am interested in the application and interpretation of the Commissioner's own published policies in this area, namely, the 'Naming agencies in public reports' policy of December 2024 and the 'Prosecution policy' of 23 November 2020.

So my request is for any written advice to or by the Privacy Commissioner informing or explaining the decision, or the application of the Commissioner's policies on the decision, to:
1. Not prosecute Ultimate Care Group Limited under s 118 Privacy Act 2020.
2. To name Ultimate Care Group Limited in a decision note. (I would be grateful if you would confirm which precise provision of the Act the publication was made under.)

I make these requests in the knowledge that the Commissioner has already revealed the identity of the agency in the case and many features of the Commissioner's process and the actions of the company.

Yours faithfully,

B Stewart
