Protecting customer and employee information

Protecting private information about people is just as important as safeguarding other important business data. This includes contact details, employment agreements, personnel records, and payment information.

Here’s what you must — and must not — do.

Privacy is important

Whether it’s customer details or staff files, it’s likely you keep some private information on file.

Breaches or careless handling of private information may cost you dearly. Customers will lose confidence in you. Your brand and reputation will take a hit.

You can only collect personal information needed for business purposes. And you must not let it be leaked or misused — even accidentally.

You should follow the same protocols as you do to protect all your business systems and data. This means keeping any private information stored online safe from breaches or hackers. It also means doing whatever you reasonably can to protect any paper files or documents.

How you safeguard personal information depends on the sorts of information you collect. The Privacy Act requires you to protect information in ways that are reasonable, given the circumstances. The more sensitive the information, the more measures you will need to take to protect it.

Who it applies to: Any person or business that collects, uses and stores personal information. This might be address information collected online or in person, for sending invoices.

Why: To make sure personal information is kept safe and secure.

What you must do:

  • Only collect what you need for business purposes, eg name and contact details. 
  • Tell people how, when and why you are collecting their information. This includes using cookies on your website.
  • Tell people what will happen if they don’t give you their personal information. 
  • Keep their personal information safe.
  • Only use it if you are reasonably sure it’s accurate and up-to-date.
  • Let people see their information and correct any mistakes.

Do not:

  • Ask for more information than you need.
  • Let personal information be leaked, hacked or found in any other way.
  • Keep information longer than you need it — or are legally required to keep it.
  • Pass on someone’s details without their permission.

How the Act is enforced: If you break any of these rules, even accidentally, a customer may make a complaint under the Privacy Act.

How to avoid a complaint (external link) — Privacy Commissioner

Information privacy principles (external link) — Privacy Commissioner

Protecting personal information

Collecting and using information about people — even a phone number and invoicing address — is an everyday part of doing business. You must:

  • Keep that information safe and secure. 
  • Only ask for the personal details you need for business purposes, eg name and contact details.
  • Only use personal information, eg email or street address, after taking reasonable steps to make sure it’s accurate and up-to-date. 
  • Respect a customer’s right to view and edit their information.
  • Get permission before passing on email addresses to another organisation or business. 
  • Tell people what information you are collecting from them, and why.

Create a plain English privacy statement for your business with the online tool Priv-o-matic.

Priv-o-matic (external link) — Privacy Commissioner tool

Your privacy obligations (external link) — Privacy Commissioner

Check for accuracy

Before you use personal information gathered from any source, you should take reasonable steps to check it is accurate, up-to-date and not misleading.

Information that is factually incorrect isn't of any use to you. And it could lead you or others to make wrong decisions about the person or business involved.

People can ask you to correct their personal information. Tell them to let you know of any errors or out-of-date information — this is an easy way to make sure your records are accurate.

Correcting personal information (external link) — Office of the Privacy Commissioner

Good privacy practices aren't just limited to customer information.

Privacy Act guidelines apply to all sensitive information, eg personnel files. 

How to store and dispose of information

Make sure you hold and use personal information in a safe and secure way and dispose of it securely when you have finished with it. Security includes having good policies and training your staff to handle information properly.

Think about how you will keep records secure:

  • Do you need a locked cabinet for physical documents? 
  • Who has access to it? 
  • Do you need password protection or encryption for electronic documents or equipment? 
  • Can you see who has accessed confidential electronic files, and when they did it? 
  • If you have an e-commerce website, are payments secure?

Storage and security of personal information (external link) — Privacy Commissioner

IT and social media policy (external link) — Workplace Policy Builder

Case study

Legal action

Anna works at a beauty salon. A man rings asking for a client’s new address so he can send flowers. She passes on the address, thinking he sounds trustworthy. A week later the client threatens to make a complaint under the Privacy Act.

Anna hadn’t known the man was her client’s abusive former partner.

This is why she shouldn’t have passed on the address — it’s impossible to know why someone may not want their information passed on, so it’s best to let people choose for themselves. Instead, she could have said she’d pass on a message to her client.

Good privacy is simply good business practice, regardless of the type of business or industry.

Protect customer information: Free online training module

Don't store data and records longer than you need to.

It will make managing — and safeguarding — your data easier.

All businesses, regardless of size, must by law appoint a privacy officer. Don’t worry — this doesn’t mean you need to hire a new member of staff.

But you need to make it at least a small part of your role, or choose an employee to take this on. A privacy officer should be the person most familiar with how personal information should be handled. This might be a manager or the person dealing with human resources or customer information.

The duties of a privacy officer include:

  • Developing good policies for handling personal information that suit your business’s needs.
  • Handling queries or complaints about privacy from customers or employees.
  • Alerting you to any risks to personal information, eg careless handling or cyber attacks.
  • Liaising with the Office of the Privacy Commissioner if necessary.

If something goes wrong, the privacy officer can help sort out complaints — quickly, thoroughly and without unnecessary expense. This is particularly important if you have an ongoing relationship with the person who complains.

The Privacy Commissioner offers training and support for privacy officers.

Guidance for privacy officers (external link) — Office of the Privacy Commissioner

Privacy statements

If your business collects personal information from people, then you must tell them you’re doing it.

Under New Zealand law, a privacy statement must tell them how, when and why you’re collecting personal information, and what you’ll be doing with it.

To help small businesses create their own basic privacy statements for websites, apps or paper forms, the Office of the Privacy Commissioner has produced a handy online tool – the Priv-o-matic.

Priv-o-matic (external link) — Privacy Commissioner

If you take credit card payments, you must be PCI compliant.

This means you must meet the Payment Card Industry Data Security Standard (PCI DSS) when handling and protecting customers’ credit card details.

If there's a data breach

If you accidentally lose or release someone’s information, or your system gets hacked, you must act fast to manage the security breach, including telling the people affected.

You must also take steps to prevent it happening again. The Privacy Commissioner’s data safety toolkit has detailed information on:

  • types of data breaches
  • how to deal with them
  • putting processes in place to prevent future breaches.

Data safety toolkit (external link) — Privacy Commissioner