
When engaging with customers, your business will likely collect their personal information in some way, even if it is only their address for delivery. This is especially true if your business operates online. Every individual has the right to privacy and the right to control how agencies use their personal information. If your business is such an agency, you need to comply with the law’s requirements around how you can handle customers’ personal data. In particular, you need to know what you can use it for. For some guidance, this article will go through some of your business’s legal privacy obligations around how you can use customers’ personal information.

What Information Can I Use?

Personal information is data that your business can use to identify an individual, such as their email address or financial details. When you collect this information, you need to let the individual know that you are doing so and why. You can do this with a privacy statement or a privacy policy. You must collect this information:

  • legally and unobtrusively; and
  • for a clear legal purpose.

For example, collecting personal information from your customers through covert surveillance is not usually legally viable. 

You need to establish a business purpose before you collect the information. As long as you tell your customers your purpose for collection, you are entitled to use it for that purpose. It is essential that you only collect personal information that is necessary for your intended purpose. It is safest to make that purpose specific to avoid confusion. 

Tip: Try to de-identify customers’ personal information where appropriate. For example, if you monitor customers’ website usage for analytics purposes, remove their unique identifiers or similar.

Quality of Information

You need to take reasonable steps to ensure that the information you collect is up to date and accurate. Otherwise, you run the risk of breaching your obligations under the Privacy Act, which may prompt an investigation by the Privacy Commission. Incorrect information is not useful for your business and could lead to potential mistakes, such as mixing up clients or delivery mishaps. You should check for accuracy before you use customers’ personal data. 

Additionally, customers can ask your business for:

  • confirmation that you hold their information;
  • access to their personal information; and
  • corrections to inaccurate or out of date information.

Using Personal Information at Your Business

You can generally only use the personal information you have collected for the purpose told to your customers at the time of collection. If you go back on your word, not only would you lose customer trust, but you also run the risk of legal penalties. 

Tip: Use the ‘no surprises’ test for determining the scope of your usage purpose. For example, a customer may be surprised at how their information is being used. In this scenario, it is likely the information is not being used for the initial purpose. To be safe, you want to avoid such a surprise.

This is the general position you should aim to operate under. However, you can go outside of your initial purpose when using customers’ personal data in some situations. For example, when:

  • the new purpose is directly related to your initial one;
  • you have the customer’s permission;
  • you have de-identified the information, and recognition is not possible;
  • the information’s source is publicly available;
  • you need to comply with another law, such as for a police investigation; and
  • this new usage is necessary for preventing a serious threat.

A new purpose is directly related to your original one when there is a clear and obvious link between the two. It also needs to relate to what you told your customers at the time of collection. It is essential to consider this relationship before using the information in this new way and not as a simple justification for your actions afterwards.

For example, you could not use the addresses you collect for delivery to then send those customers promotional pamphlets unless you told them about this extra purpose. There is not a clear and logical link between the two.

You generally cannot disclose the information you collect unless that was one of the purposes you collected it for or you have the customer’s permission. You need to inform customers that you are disclosing their personal information and who you are giving it to.


Once a customer’s personal data has fulfilled its intended purpose, you need to dispose of it safely. You cannot retain personal information for longer than you need it. How you dispose of it will depend on its form. For example, you may: 

  • shred physical documents;
  • blank out names or other identifying features;
  • wipe hard drives; and
  • delete backups.

Note that you may be legally required to keep certain kinds of information for a set time, such as health or tax information.

Key Takeaways

If your business collects customers’ personal information, you need to inform them of that and what you will use it for. You can only use that information for that purpose. The exception is when you have the customer’s permission, or your new purpose is directly related to your initial one. If you would like more information or guidance around what you can use customer personal information for, contact LegalVision’s New Zealand privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is any information about an identifiable, living individual. This means you can identify a specific person using this data. Examples include full names, photos, or email addresses.

How can I use customers’ personal information in my business?

When using customers’ personal information at your business, you can only do so according to the purpose you collected it for. This is the purpose you would have told customers about. If you go outside of their expectations, you could be undermining your privacy obligations.

When can I dispose of the personal information I hold?

You can dispose of or delete personal information when it has served its purpose, and you no longer need it. For example, if a client decides to change providers, you may choose to delete their information if you do not need it anymore. Some types of information may have special rules about how long you can keep them for, such as health or tax information.

Who can I share customers’ personal information with?

The general presumption is that you cannot share customers’ personal information with a third party unless you have their permission or sharing it was the reason you collected that information. Another situation is where you need to share that information to comply with the law.

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.
