As customers become more concerned about their privacy and what information businesses use, you should be mindful of your privacy law obligations. Customers will value businesses that are upfront about the information they collect and care about protecting consumer privacy. A vital aspect of this is the type of information to which privacy law applies. This is personal information, which anyone can use to identify a person. If you do not take adequate steps to protect customers’ personal data, not only may you lose customers, but you could face legal penalties as well. This article will explain: 

  • what personal information is; and 
  • your obligations around handling such information.

What Is Personal Information?

Personal information is data that identifies a living individual. If you can look at the data and use it to identify a specific person, it counts as personal information. It is also known as personally identifiable information (PII).

Because personal information relates to living individuals, companies do not have this type of information about them, so they are not protected by the Privacy Act.

Personal information does not just apply to full names. Other examples of such information include:

  • physical addresses;
  • IP addresses;
  • photos;
  • email addresses;
  • location information (such as geotracking); and
  • financial information.

For example, you may use photos of your customers in your advertising. Even if you do not attach a customer’s name, another person can identify them if they recognise them. You need a customer’s permission to use their photo.

If your business handles any personal information, it counts as an ‘agency’ under the Privacy Act. This means you have to follow its rules around dealing with personal information, or else you could face financial penalties. Note that this does not apply to information that is already publicly available.

If there has been a privacy breach at your business that is likely to cause serious harm, you must report that breach to the Privacy Commission.

How Can I Collect Personal Information?

When you collect personal information about your customers, it must be with a particular lawful business purpose in mind. You can only collect the relevant information you need for this purpose and must not collect any unnecessary data. The more information you collect, the more information you have to store and protect, increasing the risk of privacy breaches. If your purpose changes, then you should get the permission of the person involved.

For example, you could ask customers for their physical addresses for delivery purposes.

Ensure you collect this information from customers themselves, and let them know that you are doing so. You need to tell people:

  • why you are collecting the information;
  • how you are collecting the information;
  • that they can ask to access the information;
  • whether they can opt out;
  • what happens if they opt out; 
  • if any laws apply; and
  • how to contact you regarding privacy.

A good place to do this would be in your privacy policy. Focus on transparency and protection.

How Should I Store Personal Information?

Just as you protect your business’ sensitive information, you must follow the same procedures to protect your customers’ information. If there is a privacy breach in your business, you will lose customer trust and face legal penalties depending on the nature of the breach.

For example, you would store physical customer files in a locked filing cabinet. Likewise, you should also protect digital databases of customers’ personal information with a password and encryption.

Ensure you limit access to these files, only authorising those you trust. If your information is digital, it may be useful to keep access logs so that you have a record of any unauthorised entry.

Customers have a right to:

  • access their information; and
  • correct their information.

They can ask to see what information of theirs you have stored, and in most cases, you should comply. However, there are some exceptions to this.

For example, you may not have to release information if doing so would threaten a third party’s privacy.

How Can I Use Personal Information?

You can generally only use personal information for the purpose you collected it. You cannot keep this information for longer than you need it. Before you use any information, make sure it is:

  • accurate; 
  • up to date;
  • relevant; and
  • not likely to mislead.

Once the information has fulfilled its purpose, make sure to safely dispose of it.

For example, wipe hard drives that hold outdated information and double-check that you delete any backups. Also, use shredders to dispose of physical documents.

You can share the data, but only in limited circumstances. You may share it if: 

  • the individual involved has given you permission; or 
  • sharing the information is its purpose for collection.

For example, you may monitor your customers’ usage of your website with cookies and share that behaviour with your advertisers so that they know how to advertise. Under NZ law, you will generally need your customers’ permission to do this. Ensure that your customers know you are using their information in this way.

Key Takeaways

Personal information is data that you can use to identify a specific individual. If your business deals with this kind of information, you have certain privacy obligations that you must meet. If you would like more information or help with meeting your obligations around protecting personal information, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is data that you can use to identify a specific, living individual, such as photos or addresses. If your business collects this type of information, you need to comply with NZ privacy law.

Can I share personal information?

In most cases, you cannot share the personal information your business collects. However, you can if you have permission to do so or if that was the purpose for which you collected the information (such as with advertising).

What can I use my customers’ personal information for?

If you collect personal information from your customers, you can only use it for legitimate business purposes. You must also tell them that you are collecting this information, and why.

What does PII stand for?

PII stands for “personally identifiable information.” This refers to information that can identify an individual. In New Zealand, this is just known as “personal information”.
