Kia ora

 

This is to acknowledge your official information request.  We will respond
as soon as we are able but no later than 13 February 2026.

 

Aku mihi

 

OIA team

 

Office of the Privacy Commissioner  Te Mana Mātāpono Matatapu
PO Box 10094, Wellington 6140

privacy.org.nz 

 

[1][IMG] 

[2][IMG]

[3]NZBN 9429041913161

 

Privacy is about protecting personal information, yours and others. To
find out how, and to stay informed, [4]subscribe to our newsletter. Have a
privacy question? [5]AskUs

 

Caution: If you have received this message in error please notify the
sender immediately and delete this message along with any attachments.
Please treat the contents of this message as private and confidential.
Thank you.

 

-----Original Message-----
From: B Stewart <[FOI #33491 email]>
Sent: Monday, 12 January 2026 7:31 pm
To: OIA <[Privacy Commissioner request email]>
Subject: Official Information request - Exercise of powers in a case of an
agency's failure to notify a privacy breach

 

Dear Privacy Commissioner,

 

I am making this request as an author of a legal publication focused upon
the interpretation of provisions in the Privacy Act 2020.

 

My request relates to a case handled by your office in which an agency was
found to have repeatedly failed to notify the Privacy Commissioner of a
notifiable privacy breach. Eventually, the Commissioner named the company
(see PBN23505 [2024] NZPrivCmr1 - Ultimate Care Group Limited) but did not
prosecute the company under s 118.

 

I am interested in accessing information that illuminate the reasons for
the Commissioner's decisions to (1) decline to prosecute and (2) to name
the company.

 

Related to these two decisions I am interested in the application and
interpretation of the Commissioner's own published policies in this area,
namely, the 'Naming agencies in public reports' policy of December 2024
and the 'Prosecution policy' of 23 November 2020.

 

So my request is for any written advice to or by the Privacy Commissioner
informing or explaining the decision, or the application of the
Commissioner's policies on the decision, to:

1. Not prosecute Ultimate Care Group Limited under s 118 Privacy Act 2020.

2. To name Ultimate Care Group Limited in a decision note. (I would be
grateful if you would confirm which precise provision of the Act the
publication was made under.)

 

I make these requests in the knowledge that the Commissioner has already
revealed the identity of the agency in the case and many features of the
Commissioner's process and the actions of the company.

 

Yours faithfully,

 

B Stewart

 

-------------------------------------------------------------------

 

This is an Official Information request made via the FYI website.

 

Please use this email address for all replies to this request:

[6][FOI #33491 email]

 

Is [7][Privacy Commissioner request email] the wrong address for Official Information
requests to Privacy Commissioner? If so, please contact us using this
form:

[8]https://fyi.org.nz/change_request/new?bo...

 

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:

[9]https://fyi.org.nz/help/officers

 

If you find this service useful as an Official Information officer, please
ask your web manager to link to us from your organisation's OIA or LGOIMA
page.

 

 

-------------------------------------------------------------------

 

References

Visible links
1. https://www.privacy.org.nz/tuhono-connec...
2. https://www.privacy.org.nz/responsibilit...
3. https://www.nzbn.govt.nz/mynzbn/nzbndeta...
4. http://privacy.org.nz/subscribe/
5. http://www.privacy.org.nz/ask
6. mailto:[FOI #33491 email]
7. mailto:[Privacy Commissioner request email]
8. https://fyi.org.nz/change_request/new?bo...
9. https://fyi.org.nz/help/officers

hide quoted sections