Why Privacy Matters More Than We Think | Capability @ Lunch Recap

Most of us carry the quiet assumption that a privacy breach won’t happen to us, whether in our personal lives or in how we handle data at work. With that mindset, it’s easy to put building capability in privacy at the bottom of your to-do list. But as Dr Lisa Patterson explored in this month’s Capability @ Lunch session, the uninformed treatment of data can lead to harmful consequences.
Putting the Human at the Centre
Lisa began her session by emphasising that personal information has value. That might sound obvious, but Lisa’s research surfaced why so many New Zealanders disengage from privacy: a feeling that their personal information isn’t valuable enough to steal, and a belief that a privacy breach wouldn’t happen to them.
Both of these assumptions, Lisa argued, underestimate the true breadth of harm a privacy breach can cause.
The Real Impact
When we picture a privacy breach, financial harm tends to come to mind first. But the impacts go much further.
Lisa outlined a wide range of harms that are frequently overlooked:
- Physical risks, particularly in situations involving domestic violence
- Reputational damage through identity theft or public exposure
- Professional consequences affecting employment
- Social and relational harm
- Loss of autonomy and dignity
- Psychological and emotional impacts
- Discrimination
- Aggregation, where small pieces of data combine to reveal far more than any single piece would suggest
Privacy harm, Lisa reminded us, is complex, layered, and deeply human.
She brought this to life through two case studies. In one, a Hawke’s Bay woman posted a photo on Facebook of a cake decorated with derogatory comments about a former employer. The employer shared the image with recruitment agencies, and the Human Rights Review Tribunal ultimately awarded the woman $168,070 in damages, the highest damages payout awarded directly to an individual for a privacy breach in New Zealand to date.
In another case earlier this year, a woman nearly lost her home after a liquidator mistakenly identified her as someone else with the same name. A failure to properly check records had enormous consequences for a real person.
The key takeaway Lisa emphasised here was that behind every data point, there is a person.
The Legal Landscape
New Zealand’s privacy framework has evolved to reflect the realities of the digital world. The Privacy Act 1993 was replaced by the Privacy Act 2020, strengthening protections and updating obligations for a modern context.
Every ‘agency’ in New Zealand that collects and holds personal information must have a privacy officer. The term ‘agency’ includes almost every entity operating in NZ, including businesses, public sector agencies, not-for-profits, and sole traders. The Privacy Act is principles-based, built around 13 core information privacy principles with a recently introduced 14th, guiding how organisations collect, use, store, and share personal information. This resource created by the Office of the Privacy Commissioner provides a summary of each of the principles.
Data That Carries Greater Risk
Lisa noted that not all data is equal. Health information is particularly sensitive because, unlike a password, it cannot be changed. It can reveal details not just about an individual but about their relatives too, and the growing use of AI in healthcare adds further complexity around transparency and consent. Biometric data, whether static like fingerprints or dynamic like typing patterns and voice, carries similar weight.
A Bigger Picture
Privacy does not stop at borders. Laws like the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allow authorities to access data held by US-based companies, and different countries apply vastly different standards. The General Data Protection Regulation (GDPR) is widely regarded as the gold standard, offering stronger individual rights and significantly higher penalties than most other frameworks.
Closer to home, data is also shaped by cultural context. Organisations including Te Mana Raraunga and Te Kāhui Raraunga advocate for Māori data governance grounded in Te Tiriti o Waitangi. Without culturally grounded approaches, there is a real risk of harm and data extraction rather than genuine partnership and benefit.
Building Privacy In from the Start
New technologies are introducing new risks. Deepfakes have evolved into tools of impersonation and exploitation. Surveillance is becoming embedded in everyday devices. And even small, seemingly insignificant data points can, when combined, reveal far more than intended.
The best approach to all of this is to build privacy in from the beginning, before data is even collected: a design methodology called Privacy by Design. Understanding the full information lifecycle, from collection and use through to retention and destruction, is key. Tools like Privacy Threshold Assessments and Privacy Impact Assessments help organisations identify and manage risk before it becomes a problem. The Office of the Privacy Commissioner provides further information on assessing risk, available here.
Privacy is not just about compliance. It is about people. When we understand the value of personal information, we are better equipped to protect it, reduce harm, and build systems that genuinely work for everyone.
If you’re interested in building on what you learnt from this session, you can register for Lisa’s micro-credential, Privacy in the Public Sector. Click here to visit the course page and find out more.
What’s Next?
Our next Capability @ Lunch session will explore why so many projects struggle, and what practical project management can do to change that.
These sessions are proudly brought to you by Kāpuhipuhi Wellington Uni-Professional in partnership with Hāpai Public.