All businesses collect information about people they work with or for, eg staff, suppliers, customers. New privacy laws may affect how you collect and store personal information. But what makes information personal?
Privacy is important when it comes to personal information about customers and staff. This information needs to be handled carefully. You can collect personal information as long as it’s needed for your business, but it must not be misused or leaked, even accidentally.
This idea is fairly well known, but what is less understood is what personal information actually is.
If you’ve been wondering about this, you’re not alone. This is the number one question the Office of the Privacy Commissioner receives through its interactive FAQ, AskUs.
Personal information is any piece of information that relates to a living, identifiable person. Anything you can look at and say, “This is about a specific person”.
It could be:
Personal information can be found in many different places, including:
The test is whether there's a reasonable chance someone could be identified from the information. It doesn’t need to be "secret" or "sensitive" — it just needs to be about them. For example, using photos of customers in marketing material might not identify the customers by name, but people might still recognise them.
You can ask for personal information from customers and staff. But make sure what you ask for is relevant and needed in that situation. Don’t ask for information you don’t need.
For example, when hiring, only ask for information related to the role you want to fill. If you are hiring someone who will need to drive, you’ll need to check they have a valid driver’s licence. It’s also justified to ask them to show they are eligible to work in New Zealand. But it’s not justified to ask them about their religion or whether they are single.
Build your own privacy statement with the online tool Priv-o-matic.
Priv-o-matic — Office of the Privacy Commissioner
You can only share personal information (called disclosure) in special circumstances:
Limits on disclosure of personal information — Office of the Privacy Commissioner
If a customer or worker asks for the information you have on them, you must respond to their request within 20 working days. If the information can be easily accessed, you need to tell them you have information and give them what you have.
The person requesting to see their information doesn’t need to tell you why they want to see it.
Anna works at a beauty salon. A man rings asking for a client’s new address so he can send flowers. She passes on the address, thinking he sounds trustworthy. A week later the client threatens to make a complaint under the Privacy Act.
Anna hadn’t known the man was her client’s abusive former partner.
This is why she shouldn’t have passed on the address — it’s impossible to know why someone may not want their information passed on, so it’s best to let people choose for themselves. Instead, she could have said she’d pass on a message to her client.
Good privacy is simply good business practice, regardless of the type of business or industry.