
Protecting private information

Most small businesses hold information about employees, customers, suppliers and other stakeholders. As long as this information is about people rather than businesses, the Privacy Act protects it. That means you must make sure you and your staff manage the information correctly. If you don’t, your reputation could suffer and you may end up paying compensation for privacy breaches.

Here’s what you need to know about complying with the Act, and what you can and can’t do with personal information.

Why privacy is important

Why is maintaining privacy important? People care about privacy — and they worry that information about them could be compromised or misused.

Collecting and using information about people — even a phone number and invoicing address — is an everyday part of doing business. Keeping that information safe and secure should be too.

Remember your business relies on people — whether they’re customers, staff, contractors or suppliers. Those people trust you to look after the information you have about them. If you lose that trust, they will go somewhere where they’re treated better. The Privacy Commissioner's Office has more information:

Download the guide: Good privacy is good business (external link) — Office of the Privacy Commissioner

Or call 0800 803 909 | email — Office of the Privacy Commissioner


Case study

Customer complaint

Oscar owns a panel and paint firm. One day he answers a phone call from a friend about a mutual customer. The friend is concerned about the customer’s creditworthiness, so Oscar tells him about a large unpaid bill. 

As a result, Oscar’s friend refuses to give the customer credit. Oscar then gets an angry call from the customer who had actually paid the bill early, though the payment went into the wrong account. The customer says he will tell everyone he knows that Oscar’s firm is lousy.

What you need to do

Every business collects information about employees, but depending on the industry, your business will also hold personal information about clients or customers, even their families.

Everyone within your business needs to consider the legal requirements of the Act. This means you need to teach and guide your employees on good privacy practices.
Things you must do include:

  • telling people what you are doing and why 
  • keeping information safe and secure 
  • obtaining only the personal information you need to do your business
  • only using personal information if you’re reasonably sure it’s accurate and up-to-date 
  • respecting a customer’s right to view and edit information.

The Privacy Act (external link) — Office of the Privacy Commissioner


Case study

Legal action

Anna works at a beauty salon. A man rings asking for a client’s new address so he can “send flowers”. She provides the information. A week later the client threatens legal action. 

Anna had not been aware the man was her client’s abusive former partner.

Good privacy is simply good business practice, regardless of the type of business or industry.

Personal information

Correcting information

People can ask you to correct their personal information if they think it is incorrect. Tell them to let you know if the information is wrong — this is an easy way to ensure your information is up-to-date.

Even if you don’t think a correction is justified, record that the person asked you to correct the information, and note exactly what they thought was wrong. Attach that record to the person's information so that everything is together. Knowing what the person thinks will help you (and anyone who looks at the record later) to make better decisions.

Correcting personal information (external link) — Office of the Privacy Commissioner

Holding on to information

Don't keep personal information for longer than is needed to achieve your purpose. Think about how long you need to keep it for.

Storing and disposing of information

Make sure you hold and use personal information in a safe and secure way and dispose of it securely when you have finished with it. Security includes having good policies and training your staff to handle information properly.

Think about how you will keep documents secure. Do you need a locked cabinet for physical documents? Who has access to your records storage? Do you need password protection or encryption for electronic documents or equipment? Can you see who accessed and looked at confidential electronic files and when they did? Don't forget to look after information in transit: if you have an e-commerce site, for example, have you got a secure channel for payments?

Storage and security of personal information (external link) — Office of the Privacy Commissioner

Before you use personal information gathered from any source, you should take steps to check that it is accurate, up-to-date, complete, relevant and not misleading. Information that is factually incorrect isn't any use to you, and it could lead you or others to make wrong decisions about the person or business involved.

Data breaches

If you accidentally lose someone’s information, or your system gets hacked (for example, someone accesses your client account database), you need to think about how to manage the security breach, including notifying the people affected.

Privacy breach guidelines (external link) — Office of the Privacy Commissioner

All businesses, regardless of size, must by law appoint a privacy officer. Don’t worry — this doesn’t mean you need to hire a new member of staff. But you’ll need to make it at least a small part of your role or choose an employee to take on the responsibility. The privacy officer is generally the person who is most familiar with how personal information should be handled. This might be the manager or the person dealing with human resources or customer information.

A privacy officer also adds value to how you deal with people and therefore adds value to your business.

The privacy officer will:

  • develop good policies for handling personal information that suit your particular business needs 
  • handle queries or complaints about privacy from customers or employees 
  • alert you to any risks that might arise with personal information (such as security)
  • liaise with the Office of the Privacy Commissioner if necessary.

If there’s been a mistake, your privacy officer can help you sort out complaints yourself — quickly, well and without unnecessary expense. This is particularly important if you have an ongoing relationship with the person who has made the complaint.

The Office of the Privacy Commissioner offers training and support for privacy officers.

Guidance for privacy officers (external link) — Office of the Privacy Commissioner

CCTV recordings

CCTV captures images of people that can be used, stored, manipulated and disseminated. Businesses that operate these systems need to be aware of how to manage the privacy issues surrounding the use of these capabilities. Good management of personal information is essential to the effective running of CCTV systems (including ensuring they are cost-effective). Any business using CCTV should consult the CCTV guide on the Office of the Privacy Commissioner website, which outlines legal responsibilities of using CCTV and similar technology.

Website privacy

Giving notice to internet visitors and social media followers about how your organisation collects and uses personal information is good practice. An effective approach to this task is to use a layered privacy notice.

Read the effective website privacy notices guide (external link) — Office of the Privacy Commissioner

Use the Privacy Statement Generator (external link) — Office of the Privacy Commissioner