Anyone who collects, uses and stores personal information must follow new and existing rules in the Privacy Act. This applies to all business types, including sole traders and freelancers/contractors. Common examples of personal information collected by businesses include:

• names
• contact details
• employment records
• photos of workers or customers used for marketing, eg flyers or social media posts.

To meet new requirements in the Privacy Act, here are some of your key responsibilities.

Privacy officer

Decide who in your business will take the lead on privacy matters. This could be you, an office manager, or another trusted worker. This person will be your privacy officer, in addition to their current tasks. 

This role involves:

• a general understanding of how the Privacy Act relates to your business
• checking personal information is collected responsibly and stored safely
• making sure any issues or requests for personal information are handled promptly
• handling privacy complaints made to your business, including working with the Office of the Privacy Commissioner (OPC) on any escalated complaints.

Learn about privacy requirements with free online training on the Privacy Commissioner website. Modules include:

• Privacy 101
• Employment and privacy
• Reporting privacy breaches
• Privacy Act 2020

e-Learning(external link) — Office of the Privacy Commissioner

Requests for personal information

If someone asks for their personal information held by your business, you must respond within 20 working days. Most complaints to the Privacy Commissioner are from people denied access to their personal information. 

You and/or your privacy officer should think about how the business stores and handles information:

• Could you respond to a request within the time limit?
• How do you store personal information?
• How secure is it?

You must not delete personal information to avoid the request. This will be illegal in the revamped Privacy Act.  

Privacy breaches

Talk with your staff about what to do if there’s a serious privacy breach. Work through various scenarios together, eg accidentally losing personal information vs cyber attack. This helps everyone knows the steps they should take. 

An important new step is to report serious breaches to the Privacy Commissioner by phone, email or using the online tool Notify Us:

Enquiry form(external link) — Office of the Privacy Commissioner

Notify Us(external link)  — Office of the Privacy Commissioner

Sharing information with overseas companies

Under the new Privacy Act, you may only share personal information with an overseas business if they meet New Zealand’s privacy requirements. This does not apply to overseas cloud-based services.

More guidance is being developed to help you understand these requirements. 

In the meantime visit the Privacy Commissioner’s website for current guidance, and for contact information if you have questions. 

Disclosing personal information outside New Zealand(external link) — Office of the Privacy Commissioner 

You continue to be required to:

• Only collect personal information needed for business reasons.
• Tell people what you collect, including if you use cookies on your website.
• Store personal information safely and securely.
• Only keep information while you need it or are legally allowed to keep it.
• Respond to someone’s request for personal information within 20 working days.
• Update or correct personal information as required, eg new phone number.

You can only share personal information with others in specific circumstances. For example, it’s justified to give a courier a customer’s details to deliver a parcel. It’s one of the reasons your business gathered the information.

It's a good idea to check your privacy statement is up to date. This should tell people how you collect and use personal information. If your business doesn’t have a privacy statement, use this free online tool to create one:

Priv-o-matic(external link) — Office of the Privacy Commissioner