The Context
On 15 December 2025, New Zealand Police notified the Privacy Commissioner of a critical data breach. A technical defect in their Incident Management Tool, active from 4-15 December, failed to redact sensitive information in case disclosure packages sent to external justice sector partners. This was not an isolated glitch; it affected \”a proportion of redacted documents\” across multiple cases. The exposed data included material \”likely to place a person’s health or safety at risk.\” This is not just an IT failure. It is the direct consequence of a governance failure: a Rapid Review in June 2025 identified systemic IT security weaknesses, yet by December, only 8 of 26 remediation actions (31%) had been completed.
The Risk
Directors are personally liable here. The breach constitutes a prima facie failure under the Privacy Act 2020, which mandates notification and mitigation for serious harm. More critically, it demonstrates a breach of the duty of care under Section 131 of the Companies Act 1993. You cannot plead ignorance of a known, critical vulnerability. The June 2025 review was your warning. The 11-day delay between discovering the fault (4 Dec) and halting disclosures (15 Dec) compounds the negligence. The Chief Victims Advisor has already demanded information on \”at-risk victims and witnesses.\” If a victim, informant, or witness is harmed because their identity was exposed in this unredacted data, the liability extends beyond the organisation to the boardroom. You approved—or failed to challenge—the security remediation timeline that left the door open for this event.
The Control
This is a failure of oversight, not technology. Your governance framework allowed a known, critical risk to fester for six months without adequate escalation or resource allocation. The Police’s incomplete remediation plan was a ticking bomb. Your role is to ensure that in your organisation, such plans are treated as existential priorities, not back-burner IT projects. The reputational and legal fallout from compromising the justice system’s integrity is immeasurable. Ask your team:
For our three most critical operational systems, what is the exact status of all outstanding high-risk remediation actions from the last 12 months, and what specific board-level decision is blocking their completion?
What is our real-time protocol for halting a business process when a data integrity fault is suspected, and who has the unambiguous authority to pull that trigger without seeking further approval?
When was our last table-top exercise simulating a catastrophic data breach in a legally privileged or safety-critical context, and what governance failure did it reveal?