Privacy wake-up call: why Kiwi organisations can’t ignore this $5.8 million lesson

On 8 October 2025, the Australian Federal Court dropped a bombshell: a $5.8 million civil penalty against Australian Clinical Labs Limited (ACL) for breaching the Privacy Act 1988 (Cth). It’s the first civil penalty of its kind in Australia, and it signals a new era of enforcement. For New Zealand organisations, this isn’t just an Aussie headline; it’s a warning shot. The Privacy Act 2020 is no longer a paper tiger, and the regulator here is watching closely.

So, what does this landmark decision mean for Kiwi organisations? Let’s break it down.

Why this matters for New Zealand organisations

The ACL case is a textbook example of what happens when privacy and cybersecurity take a back seat. The company acquired Medlab Pathology, inherited weak IT systems, and then suffered a ransomware attack that exposed 223,000 individuals’ sensitive health data on the dark web. The kicker? ACL waited over four months to notify the regulator—when the Court expected notification within 2–3 days.

Under New Zealand’s Privacy Act, the Notifiable Privacy Breach regime requires organisations to notify the Privacy Commissioner and affected individuals as soon as practicable if a breach poses a risk of serious harm. Delay isn’t just bad form; it can have real consequences.

Key lessons for New Zealand

Here are the big takeaways for organisations operating under the Privacy Act (NZ):

  1. Reasonable steps aren’t optional: The Court slammed ACL for failing to take “reasonable steps” to protect personal information. In New Zealand, Principle 5 of the Privacy Act sets a similar standard. That means:
    • Implementing robust security measures like multi-factor authentication, application whitelisting, and firewall monitoring.
    • Regularly testing incident response plans.
    • Training staff so they know what to do when things go pear-shaped.

If your systems are running on legacy tech or missing basic protections, you’re sitting on a ticking time bomb.

  2. Don’t outsource accountability: ACL leaned heavily on a third-party cybersecurity provider, whose investigation was woefully inadequate. The Court made it clear: you can’t just rely on external advice and wash your hands of responsibility. Senior management must exercise independent judgment. In New Zealand, the same principle applies—outsourcing doesn’t absolve you of liability.
  3. Speed matters: The Australian Court expected notification within 2–3 days of having reasonable grounds to believe a breach had occurred. New Zealand law uses the phrase “as soon as practicable,” which our Commissioner expects to be within 72 hours. Waiting weeks (or months) is not an option. Have a clear playbook for breach assessment and notification, and rehearse it.
  4. Due diligence in M&A: ACL’s failure to identify Medlab’s IT weaknesses during acquisition was a costly mistake. If you’re buying a business in New Zealand, privacy and cybersecurity due diligence should be on that checklist. Any deficiencies need fixing before or immediately after completion.

The bigger picture: culture of compliance

The penalty wasn’t just about technical failures; it was also about culture. The Court noted ACL’s lack of adequate training, unclear incident playbooks, and poor governance. In New Zealand, the Privacy Commissioner has repeatedly stressed the importance of building a privacy-first culture. That means:

  • Board-level oversight of privacy risks.
  • Regular audits and penetration testing.
  • Embedding privacy into product design and business processes.

What’s next for New Zealand?

While our Privacy Act doesn’t yet have the same civil penalties as Australia, the winds of change are blowing. The Commissioner has called for stronger enforcement powers, and public tolerance for privacy breaches is at an all-time low. Expect tougher scrutiny, especially in sectors handling sensitive data—health, finance, and tech.

Practical steps for Kiwi organisations

  • Review your security posture: Are your controls fit for purpose given the sensitivity and volume of data you hold?
  • Update your incident response plan: Make sure roles, responsibilities, and timelines are crystal clear.
  • Train your team: From the boardroom to the helpdesk, everyone needs to know their part in a breach scenario.
  • Test, test, test: Run breach simulations. Identify gaps before attackers do.
  • Prioritise privacy in M&A: Treat data security like any other critical asset.

Special thanks to Partner Peter Fernando for preparing this article.

If you would like to discuss any of the above further, please get in touch with a member from our Data Protection and Privacy Team.

Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.