If you collect, store or use personal information about employees and/or customers, it’s important to:
Here’s what you need to know and do to keep people’s information safe and secure.
When: From 1 December 2020
What: Changes to the Privacy Act mean businesses must:
Overseas businesses operating in New Zealand must meet privacy requirements, including multi-nationals offering services like cloud software or social media.
The revamped Act gives the Privacy Commissioner greater powers. This includes:
So it’s a good idea to appoint a privacy officer, eg add privacy duties to a trusted employee’s existing role.
Why: The Privacy Act aims to keep people’s personal information safe and secure. The law updates reflect changes in technology and the ways business is done online and offline.
Privacy Act 2020 — Office of the Privacy Commissioner
Anyone who collects, uses and stores personal information must follow new and existing rules in the Privacy Act. This applies to all business types, including sole traders and freelancers/contractors. Common examples of personal information collected by businesses include:
To meet new requirements in the Privacy Act, here are some of your key responsibilities.
Decide who in your business will take the lead on privacy matters. This could be you, an office manager, or another trusted worker. This person will be your privacy officer, in addition to their current tasks.
This role involves:
Learn about privacy requirements with free online training on the Privacy Commissioner website. Modules include:
e-Learning — Office of the Privacy Commissioner
If someone asks for their personal information held by your business, you must respond within 20 working days. Most complaints to the Privacy Commissioner are from people denied access to their personal information.
You and/or your privacy officer should think about how the business stores and handles information:
You must not delete personal information to avoid the request. This will be illegal under the revamped Privacy Act.
Talk with your staff about what to do if there’s a serious privacy breach. Work through various scenarios together, eg accidentally losing personal information vs a cyber attack. This helps everyone know the steps they should take.
An important new step is to report serious breaches to the Privacy Commissioner by phone, email or using the online tool Notify Us:
Enquiry form — Office of the Privacy Commissioner
Notify Us — Office of the Privacy Commissioner
Under the new Privacy Act, you may only share personal information with an overseas business if they meet New Zealand’s privacy requirements. This does not apply to overseas cloud-based services.
More guidance is being developed to help you understand these requirements.
In the meantime visit the Privacy Commissioner’s website for current guidance, and for contact information if you have questions.
Disclosing personal information outside New Zealand — Office of the Privacy Commissioner
This includes multi-nationals and other overseas organisations operating in New Zealand.
You continue to be required to:
You can only share personal information with others in specific circumstances. For example, it’s justified to give a courier a customer’s details to deliver a parcel. It’s one of the reasons your business gathered the information.
It's a good idea to check your privacy statement is up to date. This should tell people how you collect and use personal information. If your business doesn’t have a privacy statement, use this free online tool to create one:
Priv-o-matic — Office of the Privacy Commissioner
Contact the Office of the Privacy Commissioner by phone on 0800 803 909 or use their online form.
Enquiry form — Office of the Privacy Commissioner