Every business has privacy concerns that it needs to manage. Notably, there are various documents and planning structures that your business can utilise to fulfil your privacy obligations. The law requires some forms of privacy documents, such as privacy policies or privacy statements. Additionally, there are other privacy documents that the law does not necessarily mandate but that are still helpful for internal documentation purposes. For instance, one of these documents is a privacy management plan. This document outlines how you will manage and protect privacy in your business and can be a starting point for other privacy processes. This article will explain what a privacy management plan is in New Zealand.

What is a Privacy Management Plan?

In New Zealand, a privacy management plan is an internal document that you can develop to outline:

  • potential privacy risks;
  • privacy risk management;
  • how your business will comply with the Privacy Act;
  • privacy values and principles important to your business; and
  • specific goals for managing privacy across your business and its lifetime.

You can use a privacy management plan when you are just starting with your business or about to start a new venture or project. The key to a privacy management plan is to set measurable goals to achieve within a certain timeframe.

For example, you may wish to start the process of changing your business’ privacy management to a privacy by design model. Developing a privacy management plan would be helpful to plan this process and set specific goals to achieve an effective transition.

What privacy commitments your business can take on will vary over its lifetime and depend on your resources. Therefore, you can use a privacy management plan to outline and update this process as your business changes. 

Why Do I Need a Privacy Management Plan?

New Zealand privacy law requires that you have some kind of document telling people how you deal with their personal information, which is usually a privacy policy or privacy statement. Additionally, the law also has standards for your processes when handling this information at all stages, including:

  • collection;
  • usage;
  • disposal;
  • disclosure;
  • security; and
  • storage.

For example, the law expects that you take reasonable steps to protect personal information according to its importance and sensitivity. Therefore, you may implement more intensive security measures for personal health information than other kinds of personal information due to its sensitive nature.

New Zealand law requires that you handle personal information transparently and carefully. Although it does not require a privacy management plan, this can be a valuable way to meet your existing obligations under the Privacy Act. Undoubtedly, such a plan can identify potential privacy risks at your business and start measurable efforts to address those risks.

For instance, you may have increased privacy risks because you do not have employees experienced with cybersecurity matters within your business. Therefore, you would highlight measures you can take to address that risk, such as:

  • hiring a cybersecurity expert;
  • training your existing employees in cybersecurity matters; or 
  • engaging a consultant.

How Can I Write a Privacy Management Plan?

Firstly, you should make sure you understand your business’ obligations under the Privacy Act and what compliance would look like in the workplace. With this in mind, how exactly you do this will depend on the unique circumstances of your business and the nature of the personal information you deal with.

Additionally, it is a good idea to get help on matters you may not be familiar with yourself.

For example, there are various resources available to you regarding privacy law, such as:

  • your business’ privacy officer;
  • the privacy practices of other businesses/organisations in your industry;
  • the Office of the Privacy Commissioner; or
  • privacy lawyers.

In any event, you should tailor your privacy management plan to those who are going to read and implement it in practice. Certainly, there will be some overlap with your privacy policy, but your plan is for a different audience.

Ultimately, your privacy policy is for your customers, whereas your privacy management plan is for people within your business. 

What Should a Privacy Management Plan Include?

Your business’ privacy goals will be particular to your situation, and your privacy management plan should outline those goals. In particular, your privacy management plan should have actionable steps for complying with the Privacy Act under a framework that works for your business. Such steps may include:

  • increased privacy training for employees;
  • improving your privacy breach response plan;
  • upgrading your cybersecurity measures; or
  • developing mechanisms for feedback about privacy matters from both customers and members of your team.

Therefore, it would be useful to conduct a privacy audit or use a similar evaluation tool to determine how to deal with privacy concerns.

Key Takeaways

A privacy management plan is a way of developing actionable measures to comply with your business’ obligations under the Privacy Act. If you would like more information or help with your privacy management plan, contact LegalVision’s New Zealand IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is a privacy management plan?

A privacy management plan usually refers to a business document that sets out how you plan to manage privacy within your business. It will involve specific privacy goals and ways you can achieve those goals.

What is personal information?

Personal information is any data about an identifiable person. For example, if you can use the information to identify a living person, it qualifies as personal information in New Zealand.

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.
