Does your business collect personal information from people? Then you must tell them how, when and why. Create a privacy statement with the online tool Priv-o-matic.
If your business collects personal information from people, then you must tell them you’re doing it.
Under New Zealand law, a privacy statement must tell them how, when and why you’re collecting personal information, and what you’ll be doing with it.
To help small businesses create their own basic privacy statements for websites, apps or paper forms, the Office of the Privacy Commissioner has produced a handy online tool – the Priv-o-matic (external link) .
The Priv-o-matic is designed for businesses that don’t have a lot of time or resources available for compliance.
Sometimes, of course, it's obvious that you’re collecting the information and what you're going to use it for. But people are still understandably cautious about giving out their personal information.
They need to know they can trust you. They are more likely to do so if you tell them up front what you're doing with their information and why.
The Priv-o-matic guides you through the process of creating a basic privacy statement. It asks questions about:
Priv-o-matic then generates the text – in plain English - of a privacy statement suited to your business.
There are options if you want to include a clause to reassure people their data is kept securely, or to explain how long you keep it for and how you dispose of it.
If your business collects sensitive information, such as about a person’s health, or it’s complex or intrusive, contact the Privacy Commissioner (external link) as collecting this type of information requires further guidance.
Priv-o-matic highlights other issues that might require further work, such as if you collect information known as “unique identifies”. This includes IRD numbers, driver licence and passport numbers. Using such information is complex. Make sure you’re aware of how to do it legally. The Privacy Commissioner (external link) can help.
You can also contact the Privacy Commissioner if you’re getting personal information from a third party, like a credit agency. The Priv-o-matic doesn’t cover that either.