If I could add to that, I would say that the other thing working here is that in all cases, this is being overseen by the Office of the Privacy Commissioner. At first instance, a business may make the call as to whether something creates a significant risk of harm, but ultimately that will be up to the OPC to review at some point, or a court, and if organizations get it wrong, that's an offence under this act. They're subject to fines on summary conviction, so there's a lot of incentive there for them to get it right.
On February 17th, 2015.