A Practice Note addressing legal requirements and considerations when handling data breaches, cyberattacks, or other information security incidents in New Zealand or drafting data breach response notifications regarding personal data originating from New Zealand. This Note also discusses the Privacy Act 1993, the Privacy Act 2020, guidance from the Office of the Privacy Commissioner (OPC), National Cyber Security Centre (NCSC) programs, and computer emergency response team (CERT) resources, including CERT NZ. The New Zealand-specific guidance in this Note may be used with the generally applicable resources listed in the Global Cyber Incident Response and Data Breach Notification Toolkit.