
If your business is an agency that deals with personal information (such as email addresses or phone numbers), you need to take reasonable steps to protect that information. This applies to your customers’ personal information as well as your employees’. If a privacy breach occurs because of your negligence, your business may face serious legal penalties. It is therefore essential to strengthen your business’ security, especially if you operate online. This article explains your legal obligations regarding the protection of personal information and provides some practical tips for meeting them.

Holding Personal Information at Your Business

Personal information (also known as personally identifiable information) is information about an identifiable individual. In effect, it means some aspect of the information can be used, on its own or combined with other information you hold, to identify a living person.

When your business holds this kind of information, the law requires that you maintain certain practices to ensure it is secure and accurate. Ultimately, these protections mean your customers can expect your business to:

  • be transparent about what you use personal information for;
  • protect and keep your databases of personal information secure;
  • allow access to their personal information in most circumstances;
  • keep information correct and up to date;
  • share information only when you are authorised to;
  • hold personal information only for as long as it is necessary; and
  • dispose of personal information when appropriate.

For example, if you share customers’ personal information with social media sites for advertising purposes, you should:

  • tell customers you are doing so;
  • share that information over a secure connection;
  • encrypt any datasets of personal information; and
  • de-identify information where possible.

Privacy Breach Prevention

The most significant risk to the personal information your business stores is a privacy breach. A privacy breach occurs when:

  • someone accesses your databases without authorisation;
  • an unauthorised person deletes, alters, uses, or discloses the personal information you hold; or
  • something stops you from accessing your databases of personal information, such as a malware attack (for example, ransomware) or a lost or stolen key.

If a breach causes serious harm to an affected individual (or is likely to), it is a notifiable privacy breach: you must notify the Privacy Commissioner and, in most cases, the affected individuals as soon as practicable. The Privacy Commissioner may also serve you with a compliance notice, and legal fines may apply.

For example, identity theft would qualify as serious harm.

Therefore, you must take preventative measures against privacy or data breaches. In practice, this means improving your security and implementing an incident response plan for dealing with a privacy breach when one occurs. Your privacy officer can help implement this process.

Limit the Information You Collect

You can significantly reduce the risk of a privacy breach by reducing the volume of personal information you hold. The less information you store in the cloud or on your physical business premises, the less there is to leak in the event of a privacy or data breach.

Be sure to collect only the information that is necessary for achieving your purpose. If you do not need to identify the individual, for example by a customer’s name, remove that field to de-identify the dataset.

For example, say that you collect customer feedback through forms that you send them. When collating this information for updating and improving your business practices, remove any identifying features such as names or contact details. Only keep the content of the feedback, rather than who said it.
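As an added illustration of the de-identification step described above (and of the “de-identify information where possible” point earlier in this article), here is a small Python script that is not part of the original article. It strips a feedback export down to the non-identifying columns, redacts email addresses and NZ-style phone numbers that a customer may have typed into the free-text field, coarsens the submission date to month granularity, and checks the result before it is kept. The column names, the sample rows and the phone-number pattern are assumptions made for this example.

```python
import csv
import io
import re

# Assumed column layout of the feedback export (hypothetical for this example).
IDENTIFYING_FIELDS = {"name", "email", "phone", "customer_id"}
KEEP_FIELDS = ("submitted", "rating", "feedback")   # what the analysis actually needs
TEXT_FIELDS = {"feedback"}                          # free text: may contain contact details
DATE_FIELDS = {"submitted"}                         # exact dates can help re-identify people

# Patterns for contact details typed into free text. The phone pattern assumes
# NZ-style numbers (leading 0 or +64); adapt it for other formats.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?64|0)[\d\s-]{6,}\d(?!\d)")


def scrub_text(text: str) -> str:
    """Redact email addresses and phone numbers embedded in free text."""
    text = EMAIL_RE.sub("[email removed]", text)
    return PHONE_RE.sub("[phone removed]", text)


def coarsen_date(value: str) -> str:
    """Reduce an ISO date such as 2024-03-01 to 2024-03 (month only)."""
    return value[:7]


def deidentify_record(row: dict) -> dict:
    """Keep only the needed columns, scrubbing text and coarsening dates."""
    clean = {}
    for field in KEEP_FIELDS:
        value = row.get(field, "")
        if field in TEXT_FIELDS:
            value = scrub_text(value)
        elif field in DATE_FIELDS:
            value = coarsen_date(value)
        clean[field] = value
    return clean


def verify_deidentified(rows) -> bool:
    """Check: no identifying column survived and no contact pattern remains."""
    for row in rows:
        if IDENTIFYING_FIELDS & set(row):
            return False
        for value in row.values():
            if EMAIL_RE.search(value) or PHONE_RE.search(value):
                return False
    return True


def deidentify_rows(csv_text: str) -> list:
    rows = [deidentify_record(r) for r in csv.DictReader(io.StringIO(csv_text))]
    if not verify_deidentified(rows):
        raise ValueError("identifying data survived de-identification")
    return rows


def deidentify_csv(csv_text: str) -> str:
    """Return a new CSV export containing only the de-identified columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(KEEP_FIELDS), lineterminator="\n")
    writer.writeheader()
    writer.writerows(deidentify_rows(csv_text))
    return buf.getvalue()


# Constructed sample export for the example; not real customer data.
SAMPLE_CSV = """name,email,phone,submitted,rating,feedback
Jane Doe,jane@example.com,021 123 4567,2024-03-01,4,Great service. Call me on 021 123 4567 if you need detail.
Bob Smith,bob.smith@example.org,+64 9 555 0100,2024-03-02,2,Slow reply. Email bob.smith@example.org for the invoice.
"""

if __name__ == "__main__":
    print(deidentify_csv(SAMPLE_CSV))
```

Pattern-based scrubbing is best effort: it will not catch a customer who writes their own name or address into the comment box, and in a small dataset even the month and rating can single someone out when combined with other records. Treat this as data minimisation rather than full anonymisation, and review a sample of the output before you rely on it.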

Storage and Security

If you do not implement appropriate safeguards to prevent misuse or loss of a customer’s personal information, you run the risk of legal penalties. The kind of security measures your business needs will vary depending on your circumstances. You should conduct a privacy impact assessment to identify what risk areas there may be.

When determining the appropriate measures for protecting personal information, consider:

  • the sensitivity of the information (for example, health and financial information require strong measures);
  • the potential consequences for an individual if there is a breach;
  • what you are using the information for;
  • what security measures you have available; and
  • how your security measures will affect your business’ day to day functioning.

In general, it is a good idea to limit which members of your team have access to sensitive or personal information. Where possible, log who accessed the information and when, review those logs, and educate your staff about the common causes of privacy breaches.

The specifics of your security will depend on how you store your information. 

For Digital Security:

  • password protect access to information and require strong, unique passwords;
  • encrypt stored information and any copies you share;
  • only share information over secure (encrypted) connections;
  • use two-factor authentication on critical systems;
  • install anti-malware software and firewalls, and keep them updated; and
  • educate your staff about email-based privacy breaches, such as phishing and sending information to the wrong recipient.

For Physical Security:

  • store information in a secure location, such as a locked filing cabinet;
  • make sure the last person who leaves locks up and sets alarms;
  • keep track of who has important keys;
  • limit when employees take sensitive documents home; and
  • do not leave devices holding sensitive information unattended.

Key Takeaways

NZ privacy law imposes certain obligations on your business when you hold customers’ personal information. You need to ensure you store it securely and implement appropriate safeguards against privacy breaches. If you would like more information or help with protecting personal information at your business, contact LegalVision’s data, privacy and IT lawyers on 0800 005 570 or fill out the form on this page.

What is personal information?

Personal information is any data about an identifiable individual. This includes any information you can use to identify a living person, such as their name or phone number.

Does NZ privacy law apply to my business?

If your business deals with personal information, it is an ‘agency’ under NZ privacy law. This means you must comply with the obligations the law imposes on agencies.

What personal information can I collect from my customers?

You can collect personal information from your customers as long as you tell them what you are collecting, why, and who it may be shared with. You must also collect it only for a lawful purpose connected with a function or activity of your business, and collect no more than that purpose requires.

How should I protect personal information in my business?

How you protect personal information in your business will depend on the form it takes. If you have physical documents, keep them under lock and key. If you store information digitally, encrypt it, restrict who can access it, and implement the cybersecurity measures described above.

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.
