Does my business need a privacy statement?
Find out about privacy statements and whether your business needs one.
In New Zealand, businesses are required to comply with the requirements of the Privacy Act 2020 (the Privacy Act) if it carries out business in New Zealand and collects, processes, stores or discloses personal information.
What is a privacy statement?
A privacy statement or notice outlines how your business will handle any personal information provided to it by or on behalf of customers, clients and users. It should outline what information may be collected, where it will be stored, how it will be used and who it will be disclosed to. Privacy notices are often made available to the public on business websites.
What is the purpose of a privacy statement?
Privacy policies are created to inform customers, clients and users of the types of information your business may collect, the purpose of the collection and how they will be used. A person may choose not to provide their information if they wish, so this is why the statement needs to be provided before the information is collected. The personal information that a business collects could range from names, emails and phone numbers to payment details, medical records, biometric information and more. Whatever the type of information is collected, customers, clients and users need to be informed about how their information will be used, that they have rights of access to and correction of their personal information and where they can go to have access to their personal information.
How to write a privacy statement for your small business
Although the details included in a privacy statement may vary depending on the type of activities your business carries out, there are some key components that most policies will feature. These include (without limitation):
The name of your business the policy applies to
The business contact details
The contact details of the data protection or privacy officer of your business
A description of the type of information your business will collect
An outline of how the collected information will be used, including, if applicable, how it will be shared with relevant third parties
A description of how the customer, client or user can access their information, request a correction, or ask for their information to be deleted
If personal information is being disclosed to third parties that are located outside New Zealand, then additional disclosures or consents may be required.
You may find it helpful to review this guide provided by the Office of the Privacy Commissioner before preparing your statement. While you may be tempted to copy a privacy notice that is currently in use by another business, it is best to create your own document. There may be differences in the way that your business collects and handles information, or the policy you have found simply may not adhere to current New Zealand privacy legislation, leaving your business unwittingly exposed.
It may be a good idea to have a lawyer prepare your statement for you or review your statement when complete, to ensure all legal requirements are addressed. If your privacy statement does not adhere to the requirements of the Privacy Act, your business could be fined in the future. If you do use a template, we recommend using Priv-o-matic by the Office of the Privacy Commissioner.