Source: Privacy Commissioner
C Park Traders Limited (formerly trading as PAK’nSAVE Clendon) and Hutchinson Bros Limited (trading as PAK’nSAVE Royal Oak) breached IPP 5 by not having adequate oversight of third-party providers.
Recent incidents at two PAK’nSAVE stores highlight the risks to individuals’ privacy when agencies fail to implement adequate security safeguards over third-party providers managing surveillance information. These breaches underscore the potential for serious harm when agencies do not exercise oversight of third-party providers.
What happened?
C Park Traders Limited (formerly trading as PAK’nSAVE Clendon) and Hutchinson Bros Limited (trading as PAK’nSAVE Royal Oak) (“the stores”), both in Auckland, reported two separate privacy breaches to the Office of the Privacy Commissioner (OPC) in early 2025. Both incidents involved the unauthorised disclosure of CCTV footage of two customers, accompanied by allegations of theft or criminal activity.
Our review of the two breach notifications found both stores did not meet expectations set out in the Privacy Act 2020 relating to information storage and security.
In both cases, third-party security guards acting on behalf of the stores disclosed, without authorisation, images of customers alleged to have shoplifted. The images were taken or shared using personal mobile phones and later published on multiple social media sites. Both affected individuals experienced significant harassment and reputational harm as a result.
Privacy Breach by Hutchinson Bros Limited (trading as PAK’nSAVE Royal Oak)
In October 2024 a security guard engaged by the store took a photograph of the affected individual for surveillance purposes. The image was captured on a personal mobile device because of the poor quality of the available CCTV footage, and doing so followed store protocol at the time.
In early 2025 the photo was published online, and, after internal investigations, the store concluded in February 2025 that the source of the published image was the third-party security guard. The publication accused the affected individual of shoplifting.
Following the publication, the individual faced harassment and threats.
In this instance, Foodstuffs North Island Limited (FSNI) issued a direct apology to the individual on behalf of the store.
Privacy Breach by C Park Traders Limited (formerly trading as PAK’nSAVE Clendon)
In January 2025, a store employee instructed a contracted security guard to record CCTV footage of an alleged theft incident on their personal phone. The security guard then sent the footage to the employee, who subsequently disclosed it further and published it on social media alongside allegations of theft.
The store became aware of the unauthorised disclosure following the circulation of the footage online. The publication resulted in media attention from an international newspaper. Given that the affected individual is a public figure, the incident attracted widespread attention, causing reputational and emotional harm.
In this instance the store and FSNI issued an apology to the individual.
Note: The PAK’nSAVE Clendon store is no longer under the ownership of C Park Traders Limited.
Relevant Privacy Concerns
IPP 11 provides that agencies must not disclose personal information unless one of the limited exceptions in the Privacy Act applies. Disclosure of images or CCTV footage without a lawful purpose or applicable exception under the Privacy Act can cause serious harm and is inconsistent with the protections afforded by IPP 11.
IPP 5 requires agencies to ensure there are safeguards in place that are reasonable in the circumstances to protect personal information from loss, misuse, or unauthorised disclosure. This applies whether personal information is handled directly by the agency or through a third-party service provider in accordance with section 11 below.
Section 11 of the Privacy Act makes it clear that an agency is responsible for the actions of its agents when personal information is collected and used by those agents for the agency’s purposes.
Accordingly, agencies engaging third-party providers who access or operate surveillance or loss-prevention technologies (such as CCTV) should ensure that privacy obligations are explicit, enforceable, and routinely monitored. Importantly, these requirements should be documented through enforceable contractual arrangements between the parties.
Taking reasonable steps under IPP 5 also includes conducting due diligence before entering a contractual relationship with a service provider, to ensure that the provider has appropriate capability, governance, and technical safeguards in place. Agencies must be confident that personal information remains protected wherever it is held, and by whomever it is handled.
Additional measures, such as targeted training for personnel and contractors on the sensitivity of surveillance information, alongside clear policies and codes of conduct, provide essential safeguards to ensure this information is handled securely and responsibly by the parties involved.
Privacy Commissioner’s findings
The Commissioner found that both incidents constituted breaches of IPP 11, as they involved unauthorised disclosures of personal information without a lawful purpose or applicable exception under the Privacy Act. However, the Commissioner considered that the underlying cause of both incidents was the absence of reasonable and appropriate safeguards required under IPP 5.
At the time of these incidents, both stores lacked key safeguards that retailers should have in place when providing third-party providers access to sensitive information such as surveillance information. On that basis, the Commissioner determined that the stores breached IPP 5.
The Commissioner found that:
- Hutchinson Bros Limited (trading as PAK’nSAVE Royal Oak) had no written contract with its security provider. The absence of enforceable terms meant the store had no contractual levers to require the provider to comply with privacy obligations. There was also no clarity on escalation procedures, and no ability to compel cooperation in investigations of privacy incidents.
- C Park Traders Limited (formerly trading as PAK’nSAVE Clendon) had a written contract in place with the third-party security provider, but it contained only a generic confidentiality clause and no enforceable privacy obligations.
- Neither store had provided security personnel with privacy training that covered surveillance information. Despite FSNI having a policy in place, neither store clarified and enforced responsibilities for workers handling CCTV until after the incident occurred.
In these cases, the safeguards around personal information were insufficient. There was a lack of physical controls (namely, mobile device protection) and organisational controls (policies, contracts, training, and staff behaviour).
FSNI and the relationship with Stores
OPC engaged with FSNI, which provides certain support to its member stores. Both stores operate under the cooperative FSNI. The stores remain individually accountable for ensuring compliance with the Privacy Act.
The Commissioner acknowledges FSNI’s cooperation and proactive engagement during this process.
In responding to these incidents, FSNI acknowledged the absence of contractual provisions at the store level. Additionally, FSNI has taken the following remedial actions in response to our prompting and recommendations:
- carrying out training with store personnel (including security contractors) on privacy obligations
- requiring stores to have written agreements in place with all contractors that process personal information on behalf of stores (including security)
- introducing a mandatory Security Systems Code of Conduct across all stores
- requiring all stores to have written agreements with contractors handling personal information
- prohibiting the use of personal phones for security activities
- delivering network-wide privacy and data security training, and
- updating breach assessment protocols to ensure any unauthorised disclosure of personal information on social media is treated as notifiable.
Harm and broader impact
Despite the measures put in place at the time of the incidents by FSNI, these incidents were likely to cause serious harm. The individuals affected may have suffered significant emotional distress and reputational harm after their images were shared publicly and associated with allegations of theft. In both cases, once the images and allegations appeared online, they were replicated and discussed widely, including in mainstream media.
Beyond individual harm, such incidents can erode public confidence in how retailers use surveillance technologies. Customers entering a supermarket cannot reasonably opt out of being filmed; their trust depends on assurance that footage will be used responsibly and kept secure. Supermarkets are considered essential services with many thousands of customers being monitored in each store by CCTV each week, creating a significant privacy risk when systemic privacy safeguards are not in place, or are ineffective.
Our compliance response
Our response was driven by the Compliance and Regulatory Action Framework (CARAF) and Naming Policy. The focus was on both uplifting compliance across the FSNI network and raising awareness more broadly of agency responsibilities when sharing information with third-party service providers.
The Commissioner considers that naming the stores is appropriate given:
- Seriousness of the privacy issue: These incidents risked significant reputational and emotional harm to the affected individuals.
- Public interest: Supermarkets are high-surveillance environments. They are also an essential service. Customers cannot opt out of being filmed, so public trust relies on assurances that surveillance footage will be protected from misuse.
- Deterring this practice: The PAK’nSAVE brand has a strong public presence, and these incidents attracted significant media attention. Naming the stores aligns with the Commissioner’s mandate to promote privacy awareness and deter poor practices across the retail sector.
Lessons for other agencies
This finding serves as a reminder to all agencies: outsourcing functions does not outsource accountability. When contractors handle personal information, the principal agency must ensure that privacy expectations are clear, enforceable, and actively managed. Our Office recommends that agencies ensure that:
- Strong contractual measures are in place. All third-party providers should be covered by written agreements containing clear and enforceable privacy clauses, including requirements to notify the agency immediately of any privacy breach.
- Due diligence is taken before entering a contract with a service provider, to ensure they are equipped to meet the agency’s responsibilities under the Privacy Act.
- Privacy training extends to contracted workers as well as employees, and where CCTV or other surveillance systems are used, training should be tailored to those specific functions.
- Surveillance information is collected and stored only on authorised company systems and devices and handled on the assumption that it may contain sensitive personal information.
Misuse of surveillance material, or inappropriate disclosure of or access to it, can cause serious harm to affected individuals. Strong contracts, targeted training, and secure systems are essential to prevent harm and maintain public confidence in how personal information is managed.