Privacy FAQs
Privacy is often understood at a high level, but complexities arise when moving into the detail. These are common questions we hear from organisations navigating their obligations.
New Zealand
-
Yes. The Privacy Act applies to organisations of all sizes, including small businesses, sole traders, and not-for-profits, if they collect or use personal information.
-
Personal information is information about an identifiable individual. It can cover anything, in any format: spoken, written, stored digitally, captured by CCTV, or measured in biometric scans.
Personal information includes obvious direct identifiers like a name or phone number, but it also covers indirect identifiers, including a mix of details that, when combined, point to a single person.
If a person can reasonably be identified from the information, it is likely covered.
Take care not to use the term PII interchangeably with personal information, as they are not the same.
-
If you collect personal information, you are required to have a clear and accessible privacy statement explaining:
What you collect
Why you collect it
How it is used and shared
How individuals can access or correct their information.
Be aware a privacy statement is different from a privacy policy.
-
It is best practice to have a privacy policy, but it is not required by legislation.
A privacy policy is an organisation’s internal document that sets out how personal information is to be handled inside your organisation, who carries which responsibilities, and what practices and safeguards are in place, such as when a privacy assessment is required. It’s the document your staff refer to when managing personal information to ensure they comply with your organisation's requirements.
Be aware a privacy statement is different from a privacy policy.
-
Every organisation in New Zealand is required by law to have a Privacy Officer. That includes businesses of all sizes, public agencies, and not-for-profits; no one is exempt.
-
The Office of the Privacy Commissioner has a selection of knowledge articles available.
The Office of the Privacy Commissioner has recently changed the way it responds to public enquiries and will no longer provide 1:1 advice to organisations unless there is a statutory requirement to do so. Organisations are expected to rely on their internal Privacy Officer capability to answer privacy questions and manage compliance. ThreeBlackCats are here to help.