Recently a Facebook group that was informal, member-driven, and private became the subject of a legal ruling under the Privacy Act 2020. The case involving the “Bad Tenants, New Zealand (Landlords Only)” group, and the $7,500 award against its administrator for failing to comply with a privacy request.

Cloud Contact Centre as a Service (CCaaS) has become a core part of how organisations in New Zealand interact with customers, bringing together voice, messaging, and digital channels into a single cloud environment. Increasingly, these platforms are powered by artificial intelligence, which promises efficiency and improved customer experience. At the same time, AI introduces a different class of privacy risk, one that is less about simply holding information, and more about continuously analysing, inferring, and reshaping it in ways that are often invisible to the individual.

Somewhere between the first line of code and the first paying customer, there is a quiet decision every SaaS builder makes, whether privacy is something you will design, or something you will retrofit. Most choose the latter, not out of neglect, but out of urgency to get to market.

When you build a SaaS product, you are not just creating features. You are defining relationships.

AI note-takers arrive as something deceptively simple: tools that listen, transcribe, and organize. They promise clarity, efficiency, a kind of external memory that doesn’t tire or drift. But in doing so, they don’t just capture words, they capture voices. A voice is not just data, it can also be biometric information. That distinction matters more than it first appears.

During our work we often hear a familiar reassurance: “We have a policy for that.” It sounds comforting and responsible. But a recent decision from the Office of the Privacy Commissioner (PBN3791), involving something as ordinary as a lost USB stick, is a sharp reminder that policies alone don’t protect anything. What is required to mitigate the risk is a combination of controls, readiness, and culture.

You probably tell your friends a lot about yourself. Your opinions, your plans, the version of your life that feels safe to share. There’s a kind of control in that, an understanding that what people know about you is, at least partly, your decision.

Your phone however doesn’t work like that. It watches, quietly, constantly, without needing permission in the way we usually think about it. Your phone is watching not just what you say, but what you do.

In both New Zealand and Australia, it is often assumed that privacy ends when life does. The Privacy Acts in New Zealand and Australia are both primarily concerned with information about living individuals. Once a person dies, the rights of access and correction no longer exist along with other obligations under the respective Privacy Act. But stopping the analysis there misses most of what actually matters in practice, individuals.

In the span of just a few years, the way we authenticate ourselves has undergone a quiet but profound transformation. Passwords, once the cornerstone of digital security, are increasingly being replaced by something far more personal, our faces. From unlocking smartphones to boarding flights and authorising payments, facial recognition has become a seamless part of everyday life.

There’s a quiet shift likely to happen with the introduction of IPP3A. Not the kind that arrives with urgency or sweeping change programmes, but something more subtle, something that shows up gradually, in inboxes and workflows, in small moments that start to accumulate. Whereas your organisation used to historically get a scattering of privacy requests this now becomes more frequent. What was once manageable starts to feel persistent. And processes that have quietly worked in the background begin to show their limits.

The term data broker often conjures images of shadowy data trading, but the reality is usually much less dramatic. A data broker is simply an organisation that gathers personal information from multiple sources, combines those datasets, and provides the resulting insights to others. From 1 May 2026, changes to the Privacy Act introduce Information Privacy Principle 3A (IPP3A). The amendment strengthens transparency obligations when organisations collect personal information from a source other than the individual concerned.

The Biometric Code is already in force. But the real deadline for many organisations is still ahead. The Biometric Processing Privacy Code 2025 came into force on 3 November 2025 for any new biometric processing. However, organisations that were already using biometric systems before that date have until 3 August 2026 to comply. Biometric processing is not always visible, sometimes it appears in very ordinary workplace tools.  

We’ve all been there, a quiet aside after a meeting, a message sent with good intentions, a casual “Oh, did you hear about…?” It doesn’t feel like gossip in the moment. Sometimes we tell ourselves we’re helping others be supportive, preparing them to show up for someone who’s going through a hard time. But there is a line, and when it’s crossed, what appears to be innocent sharing can become a privacy breach with very real human consequences.

When organisations see a rise in access, correction, deletion, or opt-out requests, the first instinct is to consider how to streamline the Privacy Request Process. This is important, but they’re rarely the sole solution.

For many organisations, the privacy assessment process including Privacy Impact Assessments (PIAs) is recognised as an essential part of managing risk, yet the reality of how it is often carried out tells a different story.

Automating the privacy assessment process does not require new, expensive technology or a complete overhaul of systems. In fact, the building blocks for an effective, automated approach already exist within most organisations.

Every day across New Zealand, organisations engage vendors to support their operations. In many cases, these vendors require access to personal information to deliver their services.

But a critical question is not asked often enough “Is this vendor just acting on our instructions, or are they using personal information for their own purposes as well?”

More and more organisations are encouraging their people to contribute beyond their day jobs including joining charity boards, helping professional associations, or volunteering in community roles. It’s a positive trend that builds capability, networks, and a sense of purpose. But there’s a quiet privacy risk that often goes unnoticed.

When organisations think about collecting personal information, they often picture the direct kind of collection, when someone fills out a form, subscribes to a service, or makes an online purchase. But there’s another, often less visible way that personal information comes into your organisation’s possession, known as indirect collection.

The Privacy Act gives people a broad right to access their personal information to provide transparency, accountability, and fairness. The act sets the rules for what you can redact when someone makes a privacy request. You can redact information on a number of grounds including that it would breach another person’s privacy, compromise an investigation, endanger someone’s safety, or reveal privileged legal advice.

In an age where digital convenience often takes precedence over caution, many organisations across New Zealand routinely collect and store photographic identification as part of customer onboarding processes. The most commonly collected documents are driver licences and passports. It can seem efficient, even responsible, to hold on to a copy “for the record.” Yet what feels like a simple administrative safeguard can in fact create a long-term privacy risk that is difficult to unwind.

In New Zealand, cats are everywhere — from beloved companions curled up on sofas to stealthy hunters roaming the bush at night. But as our relationship with animals evolves, an interesting question arises: do cats have privacy rights? And if not, should they?