How does the Privacy Act apply to my business?
Every New Zealander is protected by the Privacy Act 1993, whether at home or at work. In broad terms, the Act protects people from invasion of their personal privacy by other individuals and by organisations. Everyone needs to comply with it - individuals, clubs, businesses large and small, and government departments and agencies.
A typical business holds information about its employees, customers, suppliers and other stakeholders. As long as the information is about identifiable human beings (as opposed to companies), it is protected by the Act. That means you are responsible for ensuring that you and your staff handle it correctly. Failure to do so could damage your reputation as a business, and if what you do causes harm, you might have to pay compensation to the people affected.
On this page:
- Why privacy is important
- Your legal obligations
- Appointing a privacy officer
- Privacy guidelines for using technology
- Getting further help and support
Why privacy is important
In short, people care about privacy, and they worry about their personal information being compromised or misused by the organisations that hold it.
Collecting and using information about people – even if it’s just a phone number and address for invoicing – is an everyday part of doing business. Keeping that information safe and secure should be too.
Above all, remember your business relies on people – customers, staff, contractors and suppliers. Those people trust you to look after the information you hold about them. If you lose that trust, they will take their business somewhere they are treated better, and your reputation could be badly damaged.
The following case studies demonstrate how your business could be affected.
Oscar owns a panel and paint firm. One day he answers a phone call from a friend about a mutual customer. The friend is concerned about the customer’s creditworthiness, so Oscar tells him about a large unpaid bill. As a result, Oscar’s friend refuses to give the customer credit. Oscar then gets an angry call from the customer who had actually paid the bill early, though the payment went into the wrong account. The customer says he will tell everyone he knows that Oscar’s firm is lousy.
Anna works at a beauty salon. A man rings asking for a client’s new address so he can “send flowers”. She provides the information. A week later the client threatens legal action. Anna had not been aware the man was her client’s abusive former partner.
Good privacy is simply good business practice, regardless of the type of business or industry.
Your legal obligations
Every business holds information about its employees, and depending on the industry it may also hold personal information about clients or customers, and even their families.
Everyone in your business needs to understand what the Act requires of them. That means you need to train and guide your employees in good privacy practice.
Your obligations broadly involve:
- Telling people what you are doing and why.
- Keeping information safe and secure.
- Obtaining only the personal information that you need to do your business.
- Only using personal information if you’re reasonably sure it’s accurate and up-to-date.
- Respecting a customer’s right to view and edit information.
Here is a closer look at how the principles of the Privacy Act directly apply to businesses and some practical tips on preventing privacy issues arising:
Access to personal information
People have a right to access the personal information you hold about them. Store personal information so that it is easily retrievable: when someone asks, you need to be able to confirm that you hold information about them and give them access to it.
If you are in the private sector, you may be able to charge for making information available.
The law on this is set out in Privacy Principle 6.
Correction of personal information
People can ask you to correct their personal information if they think it is wrong. Encourage them to tell you when something is inaccurate – it is an easy way to keep your records up to date.
Even if you don’t think a correction is justified, record that the person asked you to correct the information, and note exactly what they thought was wrong. Attach that record to the person's information so that everything is together. Knowing what the person thinks will help you (and anyone who looks at the record later) to make better decisions.
The law on this is set out in Privacy Principle 7.
Holding on to personal information
Don't keep personal information for longer than you need it to achieve the purpose you collected it for. Decide how long that actually is, and treat it as a retention period rather than keeping records indefinitely by default.
The law on this is set out in Privacy Principle 9.
Secure storage and disposal of personal information
Make sure you hold and use personal information safely and securely, and dispose of it securely when you have finished with it. Security is not only a technical matter: it includes having good policies and training your staff to handle information properly.
Think about how you will keep documents secure. Do you need a locked cabinet for physical documents? Who has access to your records storage, and is that access limited to the people who need it? Do you need password protection or encryption for electronic documents, or for equipment such as laptops and phones that could be lost or stolen? Don't forget information in transit: if you have an e-commerce site, do payments and customer details travel over a secure (encrypted, HTTPS) channel, for example? The law on this is set out in Privacy Principle 5.
If you accidentally lose someone's information, or your system is compromised (for example, someone gains access to your client account database), you need to manage the security breach: contain it, work out whose information is affected and what harm could follow, and notify the people affected.
The Breach Notification Guidelines set out what to do.
Accuracy of personal information
Before you use personal information gathered from any source, you should take steps to check that it is accurate, up-to-date, complete, relevant and not misleading.
Information that is factually incorrect is no use to you, and it could lead you (or others) to make wrong decisions about the person or business involved.
The law on this is set out in Privacy Principle 8.
Appointing a privacy officer
All businesses, regardless of size, are required by law to appoint a privacy officer. This doesn't mean you need to hire a new member of staff, but you will need to make it at least a small part of your own role or choose an employee to take on the responsibility. The privacy officer is generally the person most familiar with how personal information should be handled, such as the manager or the person dealing with human resources or customer information.
A privacy officer also improves how you deal with people, which in turn adds value to your business.
The privacy officer will:
- Develop good policies for handling personal information that suit your particular business needs.
- Handle queries or complaints about privacy from customers or employees.
- Alert you to any risks that might arise with personal information (such as security).
- Liaise with the Office of the Privacy Commissioner if necessary.
If a mistake has occurred, your privacy officer can help you sort out complaints yourself – quickly, well and without unnecessary expense. This is particularly important if you have an ongoing relationship with the person who has made the complaint.
The Office of the Privacy Commissioner offers training and support for privacy officers.
Privacy guidelines for using technology
Portable storage devices
Because of their small size, portable storage devices (such as USB sticks or portable hard drives) are easily lost, misplaced or stolen, and anything stored on them unencrypted can then be read by whoever ends up with the device. The Privacy Commissioner's Office has published a free portable storage device guide for businesses that you can refer to.
Closed Circuit Television (CCTV) recordings
CCTV captures images of people that can be stored, used, manipulated and passed on. Businesses operating these systems need to understand how to manage the privacy issues they raise. Good management of personal information is essential to running a CCTV system effectively (including cost-effectively). Any business using CCTV should consult the CCTV guide, which sets out the legal responsibilities that come with using CCTV and similar technology.
Website privacy notices
Telling website visitors and social media followers how your organisation collects and uses personal information is good practice. An effective approach is a layered privacy notice, which is explained in the effective website privacy notices guide.
Getting further help and support
The Office of the Privacy Commissioner has developed a range of resources to help businesses better understand their obligations under the Privacy Act. These are available for free download from the website, and some can also be bought in hard copy.
Privacy protection – a guide for business is a useful, free resource you can download and use for staff training or as part of the induction process for new staff.
The News and Publications online portal contains brochures and other resources you can download.
Contact the Office of the Privacy Commissioner for general advice by phoning 0800 803 909 or emailing email@example.com.