In association with
Protecting customer and employee information
Protecting private information about people is just as important as safeguarding other important business data. This includes contact details, employment agreements, personnel records, and payment information.
Here’s what you must and must not do.
Privacy is important
Whether it’s customer details or staff files, it’s likely you keep some private information on file.
Breaches or careless handling of private information may cost you dearly. Customers will lose confidence in you. Your brand and reputation will take a hit.
You can only collect personal information needed for business purposes. And you must not let it be leaked or misused, even accidentally.
You should follow the same protocols as you do to protect all your business systems and data. This means keeping any private information stored online safe from breaches or hackers. It also means doing whatever you reasonably can to protect any paper files or documents.
How you safeguard personal information depends on the sorts of information you collect. The Privacy Act requires you to protect information in ways that are reasonable, given the circumstances. The more sensitive the information, the more measures you will need to take to protect it.
You must report a serious privacy breach to the Privacy Commissioner. NotifyUs is an online tool that can help you work out if a breach is serious. If it is, the tool can help you report the breach.
Reporting privacy breaches (NotifyUs)(external link) — Office of the Privacy Commissioner
Privacy Act
Who it applies to: Any person or business that collects, uses and stores personal information. This might be address information collected online or in person, for sending invoices.
Why: To make sure personal information is kept safe and secure.
What you must do:
- Only collect what you need for business purposes, eg name and contact details.
- Tell people how, when and why you are collecting their information. This includes using cookies on your website.
- Tell people what will happen if they don’t give you their personal information.
- Keep their personal information safe.
- Only use it if you are reasonably sure it’s accurate and up to date.
- Let people see their information and correct any mistakes.
Do not:
- Ask for more information than you need.
- Let personal information be leaked, hacked or found in any other way.
- Keep information longer than you need it — or are legally required to keep it.
- Pass on someone’s details without their permission.
- Send personal information overseas without checking if it will be protected.
How the Act is enforced: If you break any of these rules, even accidentally, a customer or an employee may make a complaint under the Privacy Act.
Privacy for organisations(external link) — Office of the Privacy Commissioner
How can I avoid a privacy complaint?(external link) — Office of the Privacy Commissioner
Handling personal information
Collecting and using information about people, even a phone number and invoicing address, is an everyday part of doing business. You must:
- Keep that information safe and secure.
- Only ask for the personal details you need for business purposes, eg name and contact details.
- Only use personal information, eg email or street address, after taking reasonable steps to make sure it’s accurate and up to date.
- Respect a customer’s right to view and edit their information.
- Get permission before passing on email addresses to another organisation or business.
- Tell people what information you are collecting from them, and why.
- Tell people if you need to send their personal information overseas.
Check for accuracy
Before you use personal information gathered from any source, you should take reasonable steps to check it is accurate, up to date and not misleading.
Information that is factually incorrect isn't of any use to you. And it could lead you or others to make wrong decisions about the person or business involved.
People can ask you to correct their personal information. Tell them to let you know of any errors or out-of-date information — this is an easy way to make sure your records are accurate.
How does a business respond to a request to correct or delete information(external link) — Office of the Privacy Commissioner
Good privacy practices aren't just limited to customer information.
Privacy Act guidelines apply to all sensitive information, eg personnel files.
How to store and dispose of information
Make sure you hold and use personal information in a safe and secure way and dispose of it securely when you have finished with it. Security includes having good policies and training your staff to handle information properly.
Think about how you will keep records secure:
- Do you need a locked cabinet for physical documents?
- Who has access to it?
- What kind of password protection or encryption for electronic documents or equipment should you use?
- Can you see who has accessed confidential electronic files, and when they did it?
- If you have an e-commerce website, are payments secure?
- Is the software holding or processing the information up to date to protect against vulnerabilities?
It’s best practice to restrict access to personal information. Think about who really needs access and only grant it to those people. Do that for both view and editing permissions. Review the list of those who have access regularly and remove access for anyone who no longer needs it, eg an employee who has left the business or moved to another role.
Storage and security of personal information(external link) — Office of the Privacy Commissioner
Top online security tips for your business(external link) — Own Your Online
IT and social media policy(external link) — Workplace Policy Builder
Case study
Legal action
Anna works at a beauty salon. A man rings asking for a client’s new address so he can send flowers. She passes on the address, thinking he sounds trustworthy. A week later the client threatens to make a complaint under the Privacy Act.
Anna hadn’t known the man was her client’s abusive former partner.
This is why she shouldn’t have passed on the address — it’s impossible to know why someone may not want their information passed on, so it’s best to let people choose for themselves. Instead, she could have said she’d pass on a message to her client.
Good privacy is simply good business practice, regardless of the type of business or industry.
Privacy officers
All businesses, regardless of size, must by law appoint a privacy officer. Don’t worry — this doesn’t mean you need to hire a new member of staff.
But you need to make it at least a small part of your role, or choose an employee to take this on. A privacy officer should be the person most familiar with how personal information should be handled. This might be a manager or the person dealing with human resources or customer information.
The duties of a privacy officer include:
- Developing good policies for handling personal information that suit your business’s needs.
- Handling queries or complaints about privacy from customers or employees.
- Alerting you to any risks to personal information, eg careless handling or cyber attacks.
- Liaising with the Office of the Privacy Commissioner if necessary.
If something goes wrong, the privacy officer can help sort out complaints — quickly, thoroughly and without unnecessary expense. This is particularly important if you have an ongoing relationship with the person who complains.
The Privacy Commissioner offers training and support for privacy officers.
What is a privacy officer? Am I required to have a privacy officer?(external link) – Office of the Privacy Commissioner
Where can I find guidance for privacy officers?(external link) — Office of the Privacy Commissioner
Privacy statements
If your business collects personal information from people, then you must tell them you’re doing it.
Under New Zealand law, a privacy statement must tell them how, when and why you’re collecting personal information, and what you’ll be doing with it.
To help small businesses create their own basic privacy statements for websites, apps or paper forms, the Office of the Privacy Commissioner has produced a handy online tool – the Priv-o-matic.
Privo-o-matic (external link)— Privacy Commissioner
If you take credit card payments, consider your PCI compliance.
This means you will meet the Payment Card Industry Data Security Standards (PCI DSS) to handle and protect customers’ credit card details.
If there's a data breach
If you accidentally lose or release someone’s information, or your system gets hacked, you must act fast to manage the security breach, including telling the people affected.
You must also take steps to prevent it happening again. The Privacy Commissioner’s privacy breach guidance has detailed information on:
- types of data breaches
- how to deal with them
- putting processes in place to prevent future breaches.
Data Breaches(external link) — Office of the Privacy Commissioner
Data breaches(external link) — Own Your Online
