Privacy is a key concern for many people and it is something your business should seriously consider. Indeed, you business may be subject to a range of privacy laws to ensure that you meet community expectations in the way that you collect and use information. The Privacy Act applies to personal information, which is as any information about an identifiable individual.

Examples of personal information include: 

  • name;
  • home address;
  • email address;
  • telephone number;
  • photographs of people; and
  • opinions about people.

If you carry on business in New Zealand and handle personal information, then you need to comply with the law. This article will explore some basic steps that you can follow to help your business meet its compliance obligations.

Do Not Collect Anything You Do Not Need

The best way to reduce risk is to minimise the personal information you collect. If the personal information is not necessary for a lawful purpose connected with your business’ function or activity, then you should not collect it. This means you should assess why you need the information and think about whether it truly is necessary before collecting any personal information. 

Where possible, you should collect de-identified information.

For example, it is useful to know the date of birth of your customer so that you can assess the demographics of your customer base. However, if it is not strictly necessary, then you should avoid asking for the customer’s date of birth. Instead, you could collect statistics about the location your customers access your website from, without specifically identifying any one person. 

Collect Personal Information for a Specific Purpose

If you decide that the collection of personal information is necessary, you should pinpoint the specific purpose making it necessary. It is useful to record this purpose internally to help your staff stay across the purpose of collecting and using information.

For example, if you collect an email address to send invoices, you should record this as the specific purpose of collection. You should avoid using that information for another reason, such as sending marketing, unless you also collected that information for another purpose or are otherwise permitted to use it for another purpose. 

Another option is to de-identify information after you collect it. This is relevant if you need to collect personal information, but you only need to keep it for a short period of time. Instead of destroying it, you may choose to anonymise the information by removing all the identifying aspects. When making information anonymous, you also need to consider whether there is a risk of re-identification.

For example, if the data is combined with another data set.

Secure the Information You Hold

You should secure the information you hold from a privacy breach. You can keep personal information safe by putting technical security measures in place to secure it against digital threats. 

For example, encryption or  two-factor authentication, which are commonly used security methods. 

You can also put in place physical or organisational measures to protect information.

For example, it is useful to have a staff policy outlining how to handle personal information appropriately. It is also good practice to ensure your staff can only access the information they require to do their job. 

Further, it is important to know what you need to do if the information you hold is breached. Preparing a data breach response plan is a means of planning for a bad situation and putting in place steps to minimise the fallout from such a breach. It can also help you comply with your legal notification obligations.

Train Your Staff to Comply with Privacy Laws

To ensure that you comply with NZ privacy laws, you need to ensure that your staff understand your business’ obligations. It is vital that you train your staff in the security policies you have in place and that they comply with and use these security measures on a day to day basis. In addition to security, your staff need to know about the legal obligations for handling personal information, including how they are permitted to handle the information of your customers. Further, they must be aware of how to respond to a suspected privacy breach or a request to access information.

You should supplement your privacy policy with annual training for staff, to reinforce the details in the policy. This training should include role plays which help your staff to properly understand the process they must follow in various situations. Training may also be useful if you introduce a new method of collection or use of personal information.

Review Your Privacy Practices

Things change over time; therefore, it is important that you regularly review your privacy practices. It is advisable to carry out an annual review to confirm any changes in the privacy laws applicable to your business and if needed, update privacy documentation. Of course, big changes, such as if something becomes invalid or a new obligation arises to undertake a process (like the introduction of the privacy breach notification requirement) then these changes may need to be made more than once annually.

You should also review your privacy policy if you introduce a new concept as part of your business model.

For example, if you provide the option for facial recognition logins to your software then you need to consider the privacy risks associated with the use of this technology, how you will mitigate these risks and how you will treat the information collected.

Key Takeaway

Your business’ compliance with privacy laws is crucial in avoiding investigation by the privacy commissioner and in meeting your customers’ expectations with respect to privacy management. You should ensure you understand your legal obligations under the Privacy Act and check that you are meeting these. If you have any questions about privacy documentation, privacy training or how to implement good privacy practices, contact LegalVision’s New Zealand privacy lawyers on 0800 005 570 or complete the form on this page.

FAQs

What is personal information?

Personal information is any information about an identifiable individual. This could include information like a person’s name, home address, email address or telephone number. 

What personal information should be collected?

You should only collect information that is necessary for a lawful purpose connected with your business’ function or activity. You should also pinpoint and record the specific purpose that makes the collection of information required. 

How can you keep personal information safe?

You can secure personal information by putting in place security measures designed to protect against digital threats. These could include data encryption or two-factor authentication. You can also use physical or organisational measures to protect information, such as implementing staff practices outlining how to handle personal information. 

What is anonymising information?

Anonymising information is the process of removing all the identifying aspects, rather than deleting the information. If you make information anonymous, you must consider whether re-identification is a risk and take steps to avoid this.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. For just $199 per month, membership unlocks unlimited legal consultations, faster turnaround times, free legal templates and members-only discounts.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

Our Awards
  • 2019 Top 25 Startups - LinkedIn 2019 Top 25 Startups - LinkedIn
  • 2020 Fastest Growing Law Firm - Financial Times APAC 500 2020 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards 2020 Law Firm of the Year Finalist - Australasian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer 2019 Most Innovative Firm - Australasian Lawyer