Tailor your own privacy statement

Does your business collect personal information from people? Then you must tell them how, when and why. Create a privacy statement with the online tool Priv-o-matic.

If your business collects personal information from people, then you must tell them you’re doing it.

Under New Zealand law, a privacy statement must tell them how, when and why you’re collecting personal information, and what you’ll be doing with it.

To help small businesses create their own basic privacy statements for websites, apps or paper forms, the Office of the Privacy Commissioner has produced a handy online tool – the Priv-o-matic.

If you don’t collect any personal information, there’s no need for a privacy statement.

The Priv-o-matic is designed for businesses that don’t have a lot of time or resources available for compliance.

Sometimes, of course, it's obvious that you’re collecting the information and what you're going to use it for. But people are still understandably cautious about giving out their personal information.

They need to know they can trust you. They are more likely to do so if you tell them up front what you're doing with their information and why.

The Priv-o-matic guides you through the process of creating a basic privacy statement. It asks questions about:

  • The type of information you collect, such as name, contact and billing information.
  • How you collect it.
  • Why you’re collecting it.
  • Who you share it with.
  • How people can contact you.

Priv-o-matic then generates the text of a privacy statement suited to your business, in plain English.

Don’t use Priv-o-matic if you’re legally required to collect information.

Instead, contact the Privacy Commissioner for advice.

There are options if you want to include a clause to reassure people their data is kept securely, or to explain how long you keep it for and how you dispose of it.

If your business collects sensitive information, such as about a person’s health, or information that is complex or intrusive, contact the Privacy Commissioner, as collecting this type of information requires further guidance.

Priv-o-matic highlights other issues that might require further work, such as if you collect information known as “unique identifiers”. This includes IRD numbers, driver licence and passport numbers. Using such information is complex. Make sure you’re aware of how to do it legally. The Privacy Commissioner can help.

You can also contact the Privacy Commissioner if you’re getting personal information from a third party, like a credit agency. The Priv-o-matic doesn’t cover that either.
