Dear Privacy Commissioner,

I am making a request under the Official Information Act 1982.

I am seeking statistical, operational, compliance, enforcement, and trend information held by the Office of the Privacy Commissioner relating to privacy complaints, investigations, privacy breach notifications, enforcement activity, and privacy compliance in New Zealand.

Unless otherwise specified, please provide information separately for each calendar year:

* 2020
* 2021
* 2022
* 2023
* 2024
* 2025
* 2026 year-to-date

Please provide the following information.

1. Privacy Complaints

For each year, please provide:

* Total number of privacy complaints received.
* Total number of privacy complaints closed.
* Number of complaints carried forward into the following year.
* Monthly complaint volumes.
* Complaint volumes by Information Privacy Principle (IPP), where recorded.
* Complaint volumes by complaint category or issue type.
* Complaint volumes by sector or industry.
* Complaint volumes by organisation type (public sector, private sector, charity, education, healthcare, local government, central government, etc.) where recorded.
* The top complaint categories for each year.
* The top sectors generating complaints for each year.

2. Complaint Categories and Classification

Please provide:

* A list of all complaint categories used by the OPC during the requested period.
* A list of all investigation categories used by the OPC during the requested period.
* A list of all privacy breach categories used by the OPC during the requested period.
* Any internal classification guides, taxonomies, manuals, definitions, coding standards, or documentation used to categorise complaints, investigations, or privacy breaches.

3. Investigations

For each year, please provide:

* Number of investigations commenced.
* Number of investigations completed.
* Average investigation duration.
* Median investigation duration.
* Number of investigations resulting in mediation.
* Number of investigations resulting in settlement.
* Number of investigations resulting in formal findings.
* Number of investigations resulting in referrals to other agencies.
* Number of investigations referred to the Human Rights Review Tribunal.
* Number of investigations involving systemic privacy issues.
* Number of investigations involving repeated or ongoing non-compliance.

4. Compliance and Enforcement Activity

For each year, please provide:

* Number of compliance notices issued.
* Number of compliance notices complied with.
* Number of compliance notices not complied with.
* Number of compliance notices withdrawn.
* Number of formal warnings issued.
* Number of enforcement actions undertaken.
* Number of cases involving serious privacy breaches.
* Number of cases involving repeated privacy breaches.
* Number of cases involving significant organisational compliance failures.

5. Privacy Breach Notifications

For each year, please provide:

* Total number of privacy breach notifications received.
* Monthly privacy breach notification volumes.
* Privacy breach notifications by sector.
* Privacy breach notifications by category.
* Privacy breach notifications by cause where recorded.
* Number assessed as serious privacy breaches.
* Number assessed as not meeting the serious privacy breach threshold.
* The most common causes of privacy breaches.
* The sectors with the highest number of reported privacy breaches.

6. Website, Digital, and Online Privacy Issues

To the extent recorded by the OPC, please provide for each year:

* Number of complaints involving websites.
* Number of complaints involving privacy policies.
* Number of complaints involving online services.
* Number of complaints involving cookies, tracking technologies, analytics technologies, behavioural advertising, profiling, or similar practices.
* Number of complaints involving unauthorised online disclosure of personal information.
* Number of complaints involving cybersecurity incidents affecting personal information.

7. Access and Correction Rights

For each year, please provide:

* Number of complaints relating to requests for access to personal information.
* Number of complaints relating to requests for correction of personal information.
* Number of complaints involving failure to respond within statutory timeframes.
* Number of complaints involving refusal of access.
* Number of complaints involving refusal of correction.

8. Business Compliance Trends

Please provide any information held identifying:

* The most common privacy compliance failures observed by the OPC.
* The most common reasons organisations become the subject of complaints.
* The most common deficiencies identified in privacy policies.
* The most common deficiencies identified in privacy management practices.
* The most common deficiencies identified in website privacy disclosures.
* Any recurring compliance issues identified by the OPC between 2020 and 2026.

9. Reports, Briefings, Analysis, and Trend Information

Please provide copies of:

* Annual statistical reports not already publicly available.
* Internal trend analyses.
* Internal dashboards.
* Briefing papers.
* Presentations.
* Board papers.
* Ministerial briefings.
* Research reports.
* Compliance trend reports.
* Enforcement trend reports.
* Privacy breach trend reports.
* Any reports discussing emerging privacy risks or recurring compliance failures.

10. Datasets

Where reasonably practicable, please provide anonymised datasets and statistical information in machine-readable formats such as CSV, XLSX, JSON, or similar formats.

11. Format

Where information is available in a database or reporting system, I request extracts in their original electronic form where practicable.

If any part of this request is likely to require substantial collation or research, I am willing to discuss reasonable refinement of scope before any refusal is considered under section 18(f) of the Official Information Act 1982.

Where information is withheld, please identify the statutory grounds relied upon.

Yours faithfully,

Jack