Privacy Update: Businesses, it’s time to check your privacy policies

By Rhys Thompson

8 August 2021

In our experience, most New Zealand businesses are very aware of the need to ensure compliance with their health and safety obligations, but not all are aware of the need to comply with privacy laws.

All businesses collect and handle some form of personal information that is subject to New Zealand’s privacy laws, and as such they need to comply with those laws.

To those not familiar with our privacy laws, the extent of personal information captured is surprisingly broad. It includes personal information collected about people external to the business (e.g. customers) but also people within the business (e.g. employees). Personal information can take a number of forms and may include, for example, information held on files, registers, emails, written records and audio and video recordings (including your security cameras).

The range of businesses captured is also very broad and includes most activities undertaken for profit. For example, most mum-and-dad residential property investors don’t realise that they are subject to, and need to comply with, privacy laws regarding tenants’ personal information.

Privacy Officer

The starting point for compliance with privacy laws is appointing a privacy officer. Every business is required by law to have an appointed privacy officer. Your privacy officer can be a person within your business (e.g. a director or senior manager) or an external advisor (e.g. your lawyers). The role of the privacy officer is to encourage and ensure compliance with our privacy laws. In order to meet their obligations, the privacy officer will need to be fully engaged with how your business collects, uses and disposes of personal information.

If you are looking at appointing an internal privacy officer, the Privacy Commissioner has extensive free resources and e-courses available on its website (

What’s new

Late last year, the Privacy Act 2020 came into force and made a range of significant updates to New Zealand’s privacy laws. One notable change is a requirement for businesses to notify the Privacy Commissioner where a privacy breach is likely to cause serious harm.

Consequently, it is now recommended that, in addition to a privacy policy, all businesses have a privacy breach response plan which sets out how they will respond to privacy breaches in a way that complies with New Zealand privacy laws.

What’s at stake?

In terms of legal consequences, fines for privacy breaches generally range from around $5,000 to $50,000. However, fines for the most serious of breaches in New Zealand have been known to exceed $150,000. In addition to monetary liability, privacy breaches also have consequences for your business’ reputation.

Governance Responsibilities

If you have an executive or governance function within your organisation, you should be asking for regular privacy reports alongside your health and safety reports. The privacy report should cover a range of matters including your key metrics (privacy disclosure requests, breaches and response and resolution times), details of controls, IT security systems, security audits, timetabling and financing.

Talk to us

If you need advice or assistance with your privacy compliance program, get in touch with the team at Pitt and Moore and ask for Rhys Thompson. He can be contacted on (03) 545 7899 or

Disclaimer: The information contained in this publication is of a general nature and is not intended as legal advice. It is important that you seek legal advice that is specific to your circumstances.
