Protecting private information about people is just as important as safeguarding other important business data. This includes contact details, employment agreements, personnel records, and payment information.
Here’s what you must and must not do.
Whether it’s customer details or staff files, it’s likely you keep some private information on file.
Breaches or careless handling of private information may cost you dearly. Customers will lose confidence in you. Your brand and reputation will take a hit.
You can only collect personal information needed for business purposes. And you must not let it be leaked or misused, even accidentally.
You should follow the same protocols as you do to protect all your business systems and data. This means keeping any private information stored online safe from breaches or hackers. It also means doing whatever you reasonably can to protect any paper files or documents.
How you safeguard personal information depends on the sorts of information you collect. The Privacy Act requires you to protect information in ways that are reasonable, given the circumstances. The more sensitive the information, the more measures you will need to take to protect it.
You must report a serious privacy breach to the Privacy Commissioner. NotifyUs is an online tool that can help you work out if a breach is serious. If it is, the tool can help you report the breach.
Reporting privacy breaches (NotifyUs)(external link) — Office of the Privacy Commissioner
Who it applies to: Any person or business that collects, uses and stores personal information. This might be address information collected online or in person, for sending invoices.
Why: To make sure personal information is kept safe and secure.
What you must do:
How the Act is enforced: If you break any of these rules, even accidentally, a customer or an employee may make a complaint under the Privacy Act.
Privacy for organisations(external link) — Office of the Privacy Commissioner
How can I avoid a privacy complaint?(external link) — Office of the Privacy Commissioner
Collecting and using information about people, even a phone number and invoicing address, is an everyday part of doing business. You must:
Before you use personal information gathered from any source, you should take reasonable steps to check it is accurate, up to date and not misleading.
Information that is factually incorrect isn't of any use to you. And it could lead you or others to make wrong decisions about the person or business involved.
People can ask you to correct their personal information. Tell them to let you know of any errors or out-of-date information — this is an easy way to make sure your records are accurate.
How does a business respond to a request to correct or delete information(external link) — Office of the Privacy Commissioner
Make sure you hold and use personal information in a safe and secure way and dispose of it securely when you have finished with it. Security includes having good policies and training your staff to handle information properly.
Think about how you will keep records secure:
It’s best practice to restrict access to personal information. Think about who really needs access and only grant it to those people. Do that for both view and editing permissions. Review the list of those who have access regularly and remove access for anyone who no longer needs it, eg an employee who has left the business or moved to another role.
Storage and security of personal information(external link) — Office of the Privacy Commissioner
IT and social media policy(external link) — Workplace Policy Builder
Anna works at a beauty salon. A man rings asking for a client’s new address so he can send flowers. She passes on the address, thinking he sounds trustworthy. A week later the client threatens to make a complaint under the Privacy Act.
Anna hadn’t known the man was her client’s abusive former partner.
This is why she shouldn’t have passed on the address — it’s impossible to know why someone may not want their information passed on, so it’s best to let people choose for themselves. Instead, she could have said she’d pass on a message to her client.
Good privacy is simply good business practice, regardless of the type of business or industry.
All businesses, regardless of size, must by law appoint a privacy officer. Don’t worry — this doesn’t mean you need to hire a new member of staff.
But you need to make it at least a small part of your role, or choose an employee to take this on. A privacy officer should be the person most familiar with how personal information should be handled. This might be a manager or the person dealing with human resources or customer information.
The duties of a privacy officer include:
If something goes wrong, the privacy officer can help sort out complaints — quickly, thoroughly and without unnecessary expense. This is particularly important if you have an ongoing relationship with the person who complains.
The Privacy Commissioner offers training and support for privacy officers.
What is a privacy officer? Am I required to have a privacy officer?(external link) – Office of the Privacy Commissioner
Where can I find guidance for privacy officers?(external link) — Office of the Privacy Commissioner
If your business collects personal information from people, then you must tell them you’re doing it.
Under New Zealand law, a privacy statement must tell them how, when and why you’re collecting personal information, and what you’ll be doing with it.
To help small businesses create their own basic privacy statements for websites, apps or paper forms, the Office of the Privacy Commissioner has produced a handy online tool – the Priv-o-matic.
Privo-o-matic (external link)— Privacy Commissioner
This means you will meet the Payment Card Industry Data Security Standards (PCI DSS) to handle and protect customers’ credit card details.
If you accidentally lose or release someone’s information, or your system gets hacked, you must act fast to manage the security breach, including telling the people affected.
You must also take steps to prevent it happening again. The Privacy Commissioner’s privacy breach guidance has detailed information on:
Data Breaches(external link) — Office of the Privacy Commissioner
Data breach(external link) — CERT NZ