The Context
In December 2025, the Privacy Commissioner took the rare step of publicly naming two PAK’nSAVE stores—Clendon and Royal Oak—for serious breaches of the Privacy Act 2020. The trigger was third-party security guards sharing customer images, including those of a former MP and a foreign minister, alongside allegations of theft. The Commissioner found both stores had no enforceable written agreements with their contractors and no routine monitoring of their conduct. This is not a story about rogue guards; it is a systemic failure of data governance and a textbook case of outsourced accountability.
The Risk
The Commissioner’s ruling was explicit: “outsourcing functions does not outsource accountability.” For directors, this is a direct line to personal liability. Under the Privacy Act 2020, an ‘agency’ (which includes your company) is responsible for the actions of its agents. A failure to have proper safeguards, as seen here, creates a heightened risk of harassment and reputational harm to individuals, meeting the threshold for breach. While no fines were detailed in this ruling, the public naming is a reputational sledgehammer. More critically, it establishes a precedent of negligence that plaintiffs can use in civil suits for damages. Your duty under Section 131 of the Companies Act 1993 to exercise reasonable care, diligence, and skill includes ensuring your company’s data governance framework is robust and actively managed—not just a policy in a drawer.
The Control
Your data is only as secure as your weakest contractual link. The fix isn’t more technology; it’s enforceable governance over every third party who touches sensitive information. Assume your current agreements are inadequate and your monitoring is non-existent. Start there.
Do we have a current, centralised register of every third-party contractor (security, IT, cloud, marketing) with access to customer or employee personal information, and what specific data they can access?
For each contractor on that list, can you produce the signed, legally enforceable agreement that explicitly details their Privacy Act 2020 obligations, our right to audit their compliance, and the penalties for breach?
What is our active monitoring protocol—beyond an annual review—to verify these contractors are handling data as contractually required, and who on the executive team is personally accountable for its execution?