The Employers Guide to the Privacy Act 2020 

New Zealand’s Privacy Act 2020 regulates the collection, storage, use, and disclosure of personal information by agencies and businesses. The Act aims to protect individuals’ privacy rights. In particular, there are 13 principles that govern how your business should be collecting, handling and using the personal information of an employee. It is important that your business does not misuse any private information. You can be the subject of a complaint under the Privacy Act even if you only accidentally misused private information. This article will provide employers with a comprehensive guide to understanding the Privacy Act.

What if My Business Needs to Ask for Private Information?

If your business needs to collect information, you need to inform the persons whose information you are collecting. Further to this, your business should have a privacy statement which should include:

  • how you are collecting the information;
  • when you are collecting the information;
  • why you are collecting the information; and
  • what you will be doing with it.

How to Handle Personal Information

Managing and utilising employee information, such as contact details and addresses, is an integral aspect of conducting business. It is important to ensure that you:

  • safeguard and protect this information securely;
  • only request the necessary personal details for business transactions, such as names and contact information;
  • utilise personal information, such as emails and phone numbers, only after verifying its accuracy and ensuring it is up-to-date;
  • allow employees to request and view their personal information;
  • obtain consent from the employee before sharing email addresses with other organisations or businesses;
  • inform individuals about the information being collected from them and the reasons behind it; and
  • notify individuals if their personal information needs to be transmitted overseas.

How to Store Private Information 

It is important that all information that you hold about employees is stored in a secure way. Once it is no longer needed, it should be disposed of securely. It is recommended that you have policies, training, and expectations for team members around how private information should be handled and disposed of. You may want to restrict access for most employees to personal information unless it is integral to their job. It is recommended that you constantly check access to information within your business, such as who holds the keys or passwords needed to access certain documents.

Use of Privacy Officers

It is important that all businesses have a privacy officer. This does not need to be a new staff member but can be an existing staff member or even yourself. You must ensure that the privacy officer is someone who is familiar with how information should be handled. Often this could be a manager or someone in the Human Resources department. The Privacy Officer has multiple duties including:

  • ensuring policies are in place to handle private information;
  • managing privacy complaints about clients, customers and other employees;
  • alerting the employer to any risks to access to personal information; and
  • liaising with the Privacy Commissioner if required.

Role of the Privacy Commissioner

Under the Privacy Act, the Privacy Commissioner oversees various important tasks. Most notably, the Privacy Commissioner investigates complaints of breaches of privacy. Further to this, the Privacy Commissioner makes public statements related to an individual’s privacy.

The Privacy Commissioner may intervene in your workplace if there are complaints made regarding privacy breaches. For instance, your employee may discover that your business is mishandling their data or sharing it improperly. It is likely then that the Privacy Commissioner will launch an investigation into your business’s practices.

It’s important to note that the Privacy Commissioner lacks the authority to:

  • mandate monetary payments to employees;
  • impose fines;
  • coerce parties into accepting settlement offers; and
  • enforce acceptance of their findings.

Instead, their role primarily revolves around determining whether there has been a breach of the Privacy Act and facilitating a resolution between the concerned parties.

Personal Information Requests

Principle 6 of the information privacy principles under the Privacy Act gives people the right to request access to their own personal information. Generally, if someone, especially an employee, requests access to personal information about themselves, you must provide it. But it is important to note that people are only able to request information about themselves. The Privacy Act does not allow for information to be requested about another person unless:

  • the person is acting on behalf of the person whose information is being requested; and
  • there is written permission for the information to be sought.

What if I Want to Refuse Access to the Information?

Sometimes there may be good reason for you to refuse a request for access to personal information. This may be because providing access to personal information may also result in another person’s information being released. However, generally, you must provide this information unless there is a valid reason not to provide it under the Privacy Act. You may be able to refuse access to information for the following reasons:

  • you do not have the information;
  • releasing the information could put someone in danger;
  • the information was provided in confidence;
  • the information is not retrievable;
  • the request is “vexatious” – this means that the request was not made in good faith or there has been an abuse of process; or
  • the request is “trivial” – this means that the information may be something that the requestor already knows or is not relevant to the requestor.

It is important to have a valid reason if you fail to provide the information requested. Otherwise, the Privacy Commissioner can issue a direction requiring you to release the information.

Key Takeaways

Understanding and adhering to the regulations outlined in the Privacy Act 2020 is vital for you as an employer. The Privacy Act governs the handling of personal information to safeguard individuals’ privacy rights. It is important that you, as an employer, remain vigilant to prevent inadvertent breaches that could lead to complaints to the Privacy Commissioner. Employers must appoint a Privacy Officer to oversee compliance, manage complaints, and mitigate risks. Your Privacy Officer should also understand the role and limitations of the Privacy Commissioner in resolving disputes and facilitating resolutions. As an employer, you should prioritise privacy protection and implement robust privacy policies and procedures. This will help your business navigate the complexities of managing personal information responsibly and ethically.

Louise Miao

Associate

Louise is an Associate in LegalVision’s Employment team. She assists a large range of clients in setting up their employment agreements and workplace policies, while also assisting companies going through a restructuring or termination process.

Qualifications: Bachelor of Laws, Bachelor of Health Sciences, University of Auckland.
