A stolen handbag containing names of hundreds of patients who had undergone a sensitive medical procedure was one of a record number of data breaches reported in the past year.
The Office of the Privacy Commissioner received 121 data breach notifications in the past financial year, its just-published annual report shows.
The most common breach was when electronic or physical information was sent to the wrong recipient, followed by the loss or theft of a file.
There were also six cases of an employee browsing information.
Anonymised examples of breaches provided to the Herald by the OPC include a university staff member accidentally including an attachment in an email to masters candidates.
The table included names, grade point averages and evaluative comments about applicants.
In another case, a third-party web application used by government agency and which allowed access to a database containing sensitive information was hacked by a group, who put up a picture to prove the espionage.
Investigators found no evidence that personal information was taken or accessed.
In the case of the health worker's stolen handbag, it was found and returned, with the list of patient details.
Privacy Commissioner John Edwards said that because reporting remains voluntary, there was no way of knowing how many mistakes weren't flagged.
"We get notified of all sorts of things - from very serious ones through to ones that are more accurately characterised as near misses."
The 121 breaches in 2014/15 were slightly up from the 116 the previous year - but much higher than the 16 in 2008/09.
Mr Edwards said ministers and chief executives were more focused on issues being reported after high-profile cases, such as a 2011 breach by ACC where thousands of clients' details were mistakenly sent to Bronwyn Pullar.
"When senior management make clear their expectations that this stuff is logged and learned from, there would be a greater incidence of reporting to us as well."
Reports are kept confidential, and the OPC is mostly passive recipients of information, but advice is offered if desired.
Mandatory breach reporting is expected to be part of the Government's reform of the Privacy Act.
The Law Commission, in its 2011 privacy law review, recommended mandatory reporting, and that was largely supported by a Cabinet paper released last year.
A regime put forward in the paper would have two tiers of breach notification, with serious breaches with a real risk of harm requiring notification both to the commissioner and affected individuals.
Mr Edwards said mandatory reporting could shed light on how many incidents were not being reported.
