The Privacy Commissioner is warning anyone republishing information hacked from the adultery website Ashley Madison that they could themselves end up under scrutiny.
Material is emerging on the internet which lists personal data, including thousands of email addresses which appear to belong to New Zealanders.
Customer data from the dating site for married people who want to cheat on their spouse was reportedly leaked on the "dark web", meaning it is accessible only via encrypted browsers.
Privacy Commissioner John Edwards told Morning Report that republishing information could be a breach of the Privacy Act and may also fall foul of a new cyber bullying law.
"It's not carte blanche just to use information from a public source if it would be unreasonable to do so - and republishing hacked stolen data would probably hit that threshold."
Mr Edwards said there were a number of email addresses which came from government departments, but any employer who acted to hold employees to account without careful verification could themselves end up breaching the law.
Technology commentator Paul Brislen agreed employers would be hard pressed to bring any employment action on the basis of a work email appearing in the data.
Mr Brislen said about 30 government email addresses were linked to the site, but since it did not require verification, the owners of the address would not necessarily know they were signed up.
"The website doesn't require authentication, so you can put in anyone's email address and it will activate an account for you," said Mr Brislen.
"I wonder just how many of those are disgruntled people who are using somebody else's email address - I understand the Prime Minister's is in there somewhere - or whether or not it is colleagues playing games with each other, and that kind of thing."
A spokesman for the Prime Minister said it was "clearly a fake" email address.
Hackers stole data last month and threatened to reveal it unless the site was taken down.
Technology website Wired said 9.7 gigabytes of data was posted, and the material appeared to include members' account and credit card details.
The hackers, who called themselves the Impact Team, said they had managed to steal the real names and addresses of the site's users, including those who had previously paid to "delete" their accounts.
Small pieces of the data had already been leaked in July.
-RNZ / BBC