"All NZ Transport Agency staff who were impacted were notified immediately after the USB [drive] was lost last year, and the Transport Agency also notified the Office of the Privacy Commissioner."
In December, Transport Minister Phil Twyford confirmed the drive had been misplaced.
In response to written questions from the Opposition he said it was not password protected, nor was it encrypted, but contained the names and email addresses of 1104 NZTA staff members.
Twyford said he was made aware of the situation by NZTA's chairman on December 2. NZTA staff were informed on November 30.
After the information about the misplaced drive was made public in early December, an NZTA spokeswoman said there was "minimal risk" of a person's identity being stolen.
The National Party's data and cybersecurity spokesman Shane Reti previously said it was hard to believe and unacceptable that NZTA would courier staff identity data without password protection and without encryption.
In a statement, a spokesman for the Privacy Commissioner said NZTA had notified the office of the breach but it had not yet decided if it would launch an investigation.
"Usually we investigate in response to complaints. If any individual feels that a breach has harmed them, they can make a complaint to us and we will evaluate whether an investigation is necessary.
"We can launch an investigation without a complaint but, in this case, we have not made any decisions about whether or not we will at this stage."
He said NZTA had been following the Privacy Commission's data breach guidance in evaluating and responding to the loss.
