Is My Business an Agency Under NZ Privacy Law?
As more of our day to day processes shift online, customers are growing more concerned about privacy. This is because completing a transaction online involves transmitting sensitive information. It is important to remember that taking responsibility for personal information can have bad consequences if unintended parties get access to it. Therefore, the law sets specific standards for businesses to follow when they handle information of this nature. In legal terms, any organisation that deals with personal information qualifies as an agency and must meet privacy law requirements. However, if you run a small business that deals with little personal information, you may be wondering whether you qualify under this definition. Therefore, this article will explain what an agency is under New Zealand privacy law and how this applies to your business’ privacy obligations.
New Zealand Privacy Law
The Privacy Act sets out New Zealand’s requirements for agencies and how they should handle personal information. This is any information about an identifiable individual, which includes:
- names;
- photos;
- email addresses;
- physical addresses;
- IP addresses;
- financial details; or
- mobile numbers.
Indeed, this law operates on 13 principles and sets mandatory standards for any agency dealing with this kind of personal data. Accordingly, these information principles apply to all personal information at all of its stages within your business.
The following table details the specifics of this application to such information.
| Collection | Individuals need to know when an agency collects their information and what information you collect. Therefore, you should unintrusively collect direct from the source where possible. This is because you can only collect necessary personal information. |
| Usage | It is important to tell customers what you will use this information for. You generally cannot change this use after collection unless you have consent. Therefore, you should only use accurate data. |
| Storage/Retention | You can only keep data for as long as it serves its initial purpose. Therefore, you must dispose of unnecessary information securely, such as shredding physical documents. |
| Security | Implementing reasonable safeguards for personal information, according to its sensitivity, is crucial. |
| Disclosure |
You generally cannot share personal information unless that was why you collected it. Otherwise, you need consent. |
| Access |
All individuals have the right to access and correct any personal information any agency holds about them. |
What Is an Agency?
The simple explanation is that any organisation that collects and uses the personal information of New Zealand citizens qualifies as an agency. Therefore, they must comply with privacy law. Because of this, if your business collects information that can identify a living individual, you need to follow the requirements above. It is important to remember this applies to personal information about both your customers and employees.
However, there are some exceptions to this definition. The Privacy Act does not apply to:
- courts and tribunals doing judicial tasks;
- news media when gathering and reporting news; and
- members of Parliament acting in an official capacity.
Indeed, this definition can also become less clear if you run a sole trader business, where the only person operating the business is you. Do you qualify as an organisation in that scenario? The answer is yes. When dealing with personal information for your business, you qualify as an agency, even as an individual.
For example, you may individually run a sole trader business selling your craft goods online. Perhaps a customer asks you for access to their personal information, specifically to determine what delivery address you have on file. You are then responsible for giving them this information and honouring their access request.
On the contrary, the Privacy Act does not apply if you are using or sharing personal information connected with your personal or household affairs. However, this exception does not apply when you handle personal information in a way that would be highly offensive to a reasonable person.
Managing Your Obligations as an Agency
As an agency, your business must therefore meet its obligations under the Privacy Act. Because of this, you need to handle personal information per the law’s privacy principles. You also need to make sure you:
- have a privacy officer;
- report any data breaches likely to cause serious harm;
- manage obligations to specific kinds of information, such as personal health information;
- follow the law’s requirements for sharing personal information overseas;
- handle unique identifiers with due care; and
- comply with any of the Privacy Commission’s compliance notices.
This is important because if a customer feels that you have not handled their information the way you should as an agency, they can complain to the Privacy Commission. They can then investigate and issue a compliance notice to fix the issue. If you do not comply with this notice or breach the Privacy Act in another way, you can face penalties up to $10,000.
Key Takeaways
Your business will qualify as an agency under privacy law if it deals with any personal information about an identifiable individual. This applies to all organisations, even if that organisation is just one individual. If you would like more information or help with meeting your privacy obligations as an agency, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.
Frequently Asked Questions
Personal information is any information about an identifiable individual. This means that if you use the information, either by itself or in combination with other data, you can identify who it is about. Examples include names or addresses.
An agency is any organisation that handles the personal information of New Zealand citizens. This can include individuals, but in most cases does not apply to the court, the news media, or MPs.
The Privacy Act is New Zealand’s primary law that protects the privacy of New Zealand citizens. It regulates how businesses and organisations can collect and use personal information.
Was this article helpful?
Thanks!
We appreciate your feedback – your submission has been successfully received.
About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. From just $119 per week, get all your contracts sorted, trade marks registered and questions answered by experienced business lawyers.
If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.
