Reading time: 5 minutes

Privacy issues are becoming more of a concern for your customers. As a result, they want to engage with a business that is both transparent and cares about their privacy. Not only that, but the law also imposes various obligations on businesses that deal with personal information to provide protections for people in New Zealand. Notably, a privacy policy is a document that details how you abide by these obligations. However, this is not a document you can draft at the start of your business and then forget about. For some guidance, this article will explain when you need to update your privacy policies in New Zealand.

The Privacy Act

The Privacy Act governs New Zealand privacy law and sets out various standards for any entity dealing with personal information. It classifies these entities as agencies. Personal information is any data that can identify a living individual, such as:

  • names;
  • phone numbers;
  • financial details;
  • physical addresses;
  • email addresses; or
  • photos.

If your business deals with any personal information, then it is an agency under the Privacy Act. Therefore, you need to abide by its rules, which include:

  • collecting personal information lawfully and for a legitimate purpose;
  • telling people what information you are collecting and why;
  • only using data in the way you intended at the time of collection;
  • not using data in a way your customers/employees would not expect;
  • taking reasonable steps to secure information according to its sensitivity;
  • only keeping information for as long as you need it;
  • disposing of information securely;
  • letting individuals access and correct the personal information you hold about them;
  • only sharing personal information where you have consent or the law requires it;
  • reporting any privacy/data breaches where they are likely to cause serious harm; and
  • having a privacy officer at your business.

What Is a Privacy Policy?

As one of your obligations under the Privacy Act, you need to tell people that you are collecting their personal information and why. Therefore, a useful way to do this is with a general document that you display on your website or in-store, which may be a privacy statement or a privacy policy. This document informs people how you deal with their personal information, including:

  • the fact that you are collecting it
  • what information you collect;
  • why you are collecting their personal information;
  • whether any particular laws justify your collection;
  • who has access to their personal information;
  • whether they can choose not to give you their personal information;
  • the consequences of not giving you their personal information;
  • their right to ask for access and corrections to their personal information; and
  • your contact information for privacy-related matters.

The exact contents (and length) of your privacy policy will depend on the nature of your business and what personal information you collect.

When Do I Need to Update My Privacy Policies?

As technology is continually developing, so are its potential privacy risks. A privacy policy from ten years ago is likely not as comprehensive as what a privacy policy now needs to be. Therefore, your privacy policy should be a living document, which you update on a relatively regular basis. Ideally, you should review your privacy policy at least once a year to keep up to date with your data processing changes, as well as in specific situations, such as when:

  • the law changes, as the Privacy Act did recently in December 2020;
  • you launch a new product or service that is likely to affect privacy;
  • you make any meaningful changes to how you handle personal information at your business; or
  • you are sharing data with a new third party.

Whenever you update your privacy policy, you should inform your customers and other affected individuals of the change before implementing it. Generally, this is a good business practice as it shows your customers that you care about their privacy and control. However, in some cases, the law may require it. 

Notably, for some changes that deal with personal information you already store, you may need an individual’s consent before you can implement those changes, such as sharing them with a new third party.

What Clauses Should My Privacy Policy Include?

The exact structure of your privacy policy or statement may vary, but you should at least include the information detailed above and clauses that contain information:

  • detailing what specific information you collect, like names or website cookies;
  • relating to why you collect an individual’s information;
  • specific to personal information in your particular industry, such as the health sector;
  • reassuring individuals of the security measures you have in place;
  • pertaining to who you share any customers’ personal information with; or
  • relating to your response to any data breaches.

Key Takeaways

A privacy policy is a document that informs people how you deal with personal information. As a result, it also informs them how you comply with your obligations under New Zealand privacy law. As privacy concerns are constantly evolving, you need to update your privacy policy regularly to reflect any major privacy changes in your business. If you would like more information or help with updating your privacy policy, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

Do I need a privacy policy?

If you collect personal information in New Zealand, you need to tell people that you are doing so. A useful place to do this is in a privacy policy or privacy statement.

When should I update my privacy policy?

You should review your privacy policy at least once a year at the bare minimum. Additionally, you should update it when the way you handle personal information changes at all within your business.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. From just $119 per week, get all your contracts sorted, trade marks registered and questions answered by experienced business lawyers.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

Our Awards

  • 2019 Top 25 Startups - LinkedIn
  • 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Winner – Australasian Lawyer
  • 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2021 Law Firm of the Year - Australasian Law Awards
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards