Reading time: 6 minutes

Protecting both your customer’s and your privacy should be a priority in your business. As more information is digitised and distributed online, you should ensure you are taking adequate measures to meet your privacy obligations under NZ law. Even if you do not have a significant online presence, you still have a responsibility to secure any personal information you hold, whether digital or physical. You must have an adequate privacy policy in your business and a privacy officer that actively meets their responsibilities under the law. This article will highlight five privacy mistakes you should avoid when doing business in New Zealand to offer some guidance.

1. Collecting Information You Do Not Need

Under the Privacy Act, when you collect personal information, you need to make sure you do not collect more information than you need. You need to have a clear purpose in mind before you collect this information, and your customers should be aware of this purpose. These rules apply to both your customers and your employees.

For example, if you are hiring for a position that involves driving, you can ask potential employees for details of a valid licence. But if the role does not involve driving, you may not have a legitimate purpose for that information, and it is unnecessary.

If you collect extraneous and unnecessary information, this can backfire in a couple of ways:

  • you have more information you need to store and keep track of;
  • there is more information to lose in a data breach; and
  • if you do not have a legitimate goal for that information, you could be breaking the law.

2. Inadequate Security Measures

Another of your responsibilities under the law is to implement reasonable security measures for the personal information your business holds. These responsibilities will vary, depending on the amount and sensitivity of the information you store. The more sensitive the information is, the more intensive your security protocols should be.

For example, say you accept online credit card payments for your customers. Because this is highly sensitive personal information, it is standard practice that you would only accept these details over an encrypted connection. If you do not, you may not be meeting your privacy obligations.

Suppose you run a small business or have a small digital presence. In that case, you may think that malicious third actors would not be interested in gaining access to the personal information you store. However, cyberattacks will target weak systems because they are easy to get into, not because of the information they store. Seek expert advice to ensure your security protocols are adequate.

3. Failing to Inform Your Customers

If you collect personal information, you need to let your customers know:

  • that you are collecting it, and why;
  • what you will use that information for;
  • if any laws apply;
  • who has access to it;
  • whether they can choose not to give their personal data to you, and those consequences;
  • how they can ask to see and correct this information;
  • whether you will share it with anyone else; and
  • how to contact you.

Tip: A helpful rule of thumb when operating with personal information is that the affected individual should not be surprised at how you use their personal data. Ensure you have customer consent where you need to. 

For example, say that you collect customers’ email addresses for a newsletter. If you want to use those same email addresses for advertising purposes, you must let your customers know about this. Otherwise, you will lose customer trust, and you could face legal consequences.

4. Not Planning Ahead

If you experience a privacy breach, dealing with the fallout is significantly more difficult if you do not have a guideline or framework to follow. Therefore, you should develop an incident response plan with your privacy officer to mitigate the adverse effects a breach can have on your business. You want to negate any information leak as fast as possible, which is easier when there is a plan to follow.

When planning for data breaches, make sure you can identify:

  • whether you need to report the breach;
  • who you need to inform;
  • how you can shut down systems to stop further information spread; and
  • who has access to your databases with personal information.

5. Using Inaccurate Information

Another of your privacy law responsibilities is to ensure you only use accurate information. To achieve this, you need to ensure any information you hold is up to date, especially if you hold personal information for long periods. If a customer asks to correct their information, action this request where a legitimate correction needs to be made.

If you use inaccurate or out of date information, this could lead to:

  • inefficient decision-making based on flawed data;
  • unsatisfied customers; and
  • financial penalties.

Key Takeaways

Privacy is an important aspect of your business, as you likely collect the personal information of your customers and employees. The law requires you adequately protect any personal information you hold and that you are vigilant about its usage. If you would like more information or help with your business’ privacy, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is any data about an identifiable individual. This is information you can use to identify a living individual, such as names or contact details.

What personal information can I collect?

You can collect personal information as long as you have an identifiable legal purpose for doing so. You must determine this purpose beforehand and let your customers know about this purpose as well.

What is a privacy breach?

A privacy breach is when something prevents you from accessing personal information you hold or an unauthorised person has gained access to it. This can include lost or deleted information as well.

How can I protect personal information in my business?

How you protect personal information will depend on how you collect, store, and use it. If you physically store information, be sure that you keep it under lock and key. Secure any online databases or transmissions with encryption and strong passwords.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. From just $119 per week, get all your contracts sorted, trade marks registered and questions answered by experienced business lawyers.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • 2019 Top 25 Startups - LinkedIn 2019 Top 25 Startups - LinkedIn
  • 2020 Excellence in Technology & Innovation – Finalist – Australasian Law Awards 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice – Winner – Australasian Lawyer 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Fastest Growing Law Firm - Financial Times APAC 500 2020 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards 2020 Law Firm of the Year Finalist - Australasian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer 2019 Most Innovative Firm - Australasian Lawyer