Office of the Privacy Commissioner
PO Box 10094, Wellington 6140
Level 11, 215 Lambton Quay
Wellington, New Zealand
P +64 4 474 7590 F +64 4 474 7595
E [email address]
0800 803 909 Enquiries
privacy.org.nz
10 February 2026
Blair Stewart
By email only to:
[FYI request #33491 email]
Tēnā koe Blair
Official Information Act Request (Our ref: OIA/0500)
We refer to your Official Information Act request received on 13 January 2026.
Your request:
My request relates to a case handled by your office in which an agency was found to
have repeatedly failed to notify the Privacy Commissioner of a notifiable privacy breach.
Eventually, the Commissioner named the company (see PBN23505 [2024] NZPrivCmr1
- Ultimate Care Group Limited) but did not prosecute the company under s 118.
I am interested in accessing information that il uminate the reasons for the
Commissioner's decisions to (1) decline to prosecute and (2) to name the company.
Related to these two decisions I am interested in the application and interpretation of the
Commissioner's own published policies in this area, namely, the 'Naming agencies in
public reports' policy of December 2024 and the 'Prosecution policy' of 23 November
2020.
So my request is for any written advice to or by the Privacy Commissioner informing or
explaining the decision, or the application of the Commissioner's policies on the
decision, to:
1. Not prosecute Ultimate Care Group Limited under s 118 Privacy Act 2020.
2. To name Ultimate Care Group Limited in a decision note. (I would be grateful if you
would confirm which precise provision of the Act the publication was made under.)
I make these requests in the knowledge that the Commissioner has already revealed
the identity of the agency in the case and many features of the Commissioner's process
and the actions of the company.
OIA/0500/A1151631
2
Our response
I can confirm that the Privacy Commissioner made the decision to comment publicly on the
Ultimate Care privacy breach as the outcome of this compliance initiative under sections 122
and 206(2) of the Privacy Act.
Internal advice was provided to the Privacy Commissioner to inform his decision on the
compliance outcome, i.e. to issue the decision note, taking into account OPC’s Naming
Policy and OPC’s Compliance and Regulatory Action Framework.
OPC’s Naming Policy sets out the factors to consider when proposing to name an agency as
being in breach of the Privacy Act 2020. The ability to publicly name an agency is a key
compliance tool for influencing agency and sector behaviour and enables a single case to
have a wider impact for individuals. It also provides an opportunity for the Commissioner’s
work and regulatory impact to be visible and discussed in the public domain.
Any decision to name an agency is subject to the Commissioner’s obligation in section 210
to provide the affected agency with a prior opportunity to be heard. That opportunity was
provided on this occasion.
We are not releasing OPC’s internal advice and analysis as the Commissioner’s decision
note reflects the Commissioner’s assessment of the matters that ought to be disclosed for
the purpose of giving effect to the Act under section 206(2). Further details including internal
advice and analysis remain subject to the obligation of secrecy under section 206(1).
Your request for internal advice and the application of OPC’s policies is therefore declined
under section 18(c)(i) of the Official Information Act on the basis that making this information
available would be contrary to the provisions of a specified enactment, i.e. the Privacy Act’s
obligation of secrecy under section 206(1).
Please note that if you are not satisfied with this response to your request, under section 28
of the Of icial Information Act 1982 you have the right to ask the Ombudsman to investigate
and review our decision on your request, however we would appreciate the opportunity to
discuss this with you first.
Nāku iti noa, nā
Liz MacPherson
Deputy Privacy Commissioner
OIA/0500/A1151631
