The Privacy Act
The Privacy Act requires you to protect information in ways that are reasonable, given the circumstances. The goal is to make sure personal information is kept safe and secure.
It applies to any person or business that collects, uses and stores personal information. This might be address information collected online or in person, for example to send invoices.
You must:
- only collect what you need for business purposes – for example, name and contact details
- tell people how, when and why you’re collecting their information. This includes using cookies on your website
- tell people what will happen if they don’t give you their personal information
- keep their personal information safe
- only use it if you’re reasonably sure it’s accurate and up to date
- let people see their information and correct any mistakes.
You must not:
- ask for more information than you need
- let personal information be leaked, hacked or found in any other way
- keep information longer than you need it or are legally required to keep it
- pass on someone’s details without their permission
- send personal information overseas without checking if it will be protected.
If you break any of these rules, even accidentally, a customer or an employee may make a complaint under the Privacy Act.
Good privacy practices aren't just limited to customer information. Privacy Act guidelines apply to all sensitive information – for example, personnel files.
Handling personal information
Before you use personal information gathered from any source, you should take reasonable steps to check it’s accurate, up to date and not misleading.
Information that is factually incorrect could lead you or others to make wrong decisions about the person or business involved.
People can ask you to correct their personal information. Tell them to let you know of any errors or outdated information – this is an easy way to make sure your records are accurate.
You can only collect personal information needed for business purposes, and you must make sure it doesn’t leak or get misused, even by accident.
Follow the same protocols as you do to protect all your business systems and data. This means:
- keeping any private information stored online safe from breaches or hackers
- doing whatever you reasonably can to protect any paper files or documents.
How you safeguard personal information depends on the sorts of information you collect. The more sensitive the information, the more measures you will need to take to protect it.
Breaches or careless handling of private information might mean customers will lose confidence in you, damaging your brand and reputation.

How to store and dispose of information
Make sure you hold and use personal information in a safe and secure way and dispose of it securely when you have finished with it. Security includes having good policies and training your staff to handle information properly.
To keep your records secure, think about:
- if you need a locked cabinet for physical documents
- who has access to it
- what kind of password protection or encryption for electronic documents or equipment you should use
- if you can see who has accessed confidential electronic files, and when they did it
- if your e-commerce website payments are secure
- if the software holding or processing the information is up to date.
It’s best practice to restrict access to personal information. Think about who really needs access and only grant it to those people. Do this for both viewing and editing permissions.
Review the list of those who have access regularly and remove access for anyone who no longer needs it – for example, an employee who has left the business or moved to another role.
Good privacy is good business

Anna, a beauty salon owner, gave out a client’s address to a caller who claimed he wanted to send flowers. He seemed trustworthy. He turned out to be the client’s abusive ex-partner.
This is why you should never pass on personal information without consent. Good privacy practices protect clients and are essential for businesses.
Privacy officers
All businesses, regardless of size, must by law appoint a privacy officer.
You don’t need to hire a new member of staff. You can either:
- do it yourself as a small part of your role
- choose an employee to take this on.
A privacy officer should be the person most familiar with how personal information should be handled. This might be a manager or the person dealing with human resources or customer information.
The duties of a privacy officer include:
- developing good policies for handling personal information that suit your business’s needs
- handling queries or complaints about privacy from customers or employees
- alerting you to any risks to personal information – for example, careless handling or cyber attacks
- liaising with the Office of the Privacy Commissioner if necessary.
If something goes wrong, the privacy officer can help sort out complaints quickly, thoroughly and without unnecessary expense. This is particularly important if you have an ongoing relationship with the person who complains.
Privacy statements
If your business collects personal information from people, you must tell them you’re doing it.
Under New Zealand law, a privacy statement must tell them how, when and why you’re collecting personal information, and what you’ll be doing with it.
Use the Office of the Privacy Commissioner’s tool Priv-o-matic to create your own basic privacy statements for websites, apps or paper forms.
What is a breach?
A data breach happens when either:
- an unauthorised person accesses personal information
- personal information is released into an unsecure environment.
Unlike hacking, which always has malicious intent, a breach can be either deliberate or accidental.
The most common cause of a data breach is a mistake made by someone in your business. Robust planning on how to handle and protect personal information and other important business data is key. What’s more important is making sure all staff are well trained.
What to do if there's a data breach
If you accidentally lose or release someone’s information, or your system gets hacked, you must:
- act fast to manage the security breach, including telling the people affected
- take steps to prevent it happening again
- report a serious privacy breach to the Privacy Commissioner.
NotifyUs is an online tool that can help you work out if a breach is serious. If it is, the tool can help you report the breach.
The Privacy Commissioner’s privacy breach guidance has detailed information on:
- types of data breaches
- how to deal with them
- putting processes in place to prevent future breaches.