Collecting Customer Information: Privacy Issues for New Zealand Transport Businesses

If you run a transport business in New Zealand, customer information is part of the job. Bookings, delivery instructions, passenger details, GPS data, payment records and support messages all carry privacy risk. The main problem is that many businesses collect more data than they need, fail to explain what they are doing with it, or keep it for too long after the trip, freight job or service is finished.

This is where founders often get caught. A courier startup might store driver and customer location histories indefinitely. A shuttle operator might collect emergency contact details without a clear reason. A logistics company might share customer details with subcontractors without properly covering this in its terms or privacy documents.

The good news is that the core rules are practical. If you are collecting customer information for a transport business, this guide explains what the Privacy Act 2020 expects, when privacy issues usually come up, and the practical steps that help reduce complaints, compliance problems and trust issues before they grow into something expensive.

Overview

New Zealand transport businesses can usually collect customer information if they have a clear business purpose, tell people what is being collected and why, keep it secure, and only use or share it in ways that fit that original purpose or another lawful basis. The detail matters because transport businesses often handle location data, time-sensitive contact details, and operational information that can reveal a lot about a person’s movements and habits.

  • Work out exactly what customer information you collect at booking, during service delivery, and after completion.
  • Check whether each data point is actually necessary for the transport service you provide.
  • Give customers a clear privacy notice explaining collection, use, storage, sharing and access rights.
  • Make sure subcontractors, software providers and dispatch platforms handle information consistently with your privacy position.
  • Secure customer records, limit staff access, and have a process for privacy breaches and access requests.
  • Set sensible retention periods so information is not kept longer than needed.

What Collecting Customer Information Transport Business Means For New Zealand Businesses

Collecting customer information in a transport business means taking responsibility for personal information at every stage of the customer journey, not just at the point of payment.

Under the Privacy Act 2020, personal information is broadly any information about an identifiable individual. In transport, that can cover obvious details like names, phone numbers and email addresses, but it can also include travel routes, pick up and drop off locations, delivery preferences, vehicle tracking linked to a customer, CCTV footage, account histories, complaints, and special assistance requests.

For many transport businesses, privacy obligations are not a side issue. They sit inside ordinary operations. If you run a courier service, a moving business, a taxi or rideshare support company, a shuttle service, a freight broker, a school transport provider, or a tourism transport operator, your systems probably collect customer information every day.

What the law generally expects

The core expectation is simple: collect information for a lawful purpose connected with your business, and only where that collection is necessary for that purpose.

That means you should be able to explain, in plain language, why you need each category of information. For example:

  • A mobile number may be needed to coordinate pickup changes or delivery timing.
  • A destination address may be needed to complete a job.
  • Payment details may be needed to process charges and refunds.
  • Accessibility information may be needed to provide a suitable vehicle or support service.

What usually causes trouble is collecting extra data just because a form allows it, an app records it automatically, or someone thinks it may be useful later.

Transparency matters

Customers should generally know that you are collecting their information, what you will use it for, who will receive it, and what happens if they do not provide it. This is often handled through a privacy policy, collection notice, app wording, booking form notice, customer terms, or a combination of these.

For a transport business, transparency should cover practical situations such as:

  • whether live location tracking is used during a booking,
  • whether customer details are shared with drivers, dispatchers or subcontractors,
  • whether CCTV or dashcam footage may capture passengers or delivery recipients,
  • whether support calls are recorded,
  • whether data is stored on overseas software platforms.

If your business also sells online, takes bookings through an app, or uses automated dispatch software, your digital processes should match what you tell customers. A polished privacy statement is not enough if your actual workflow does something different.

Use and disclosure need boundaries

You cannot treat customer information as a general business asset to use however you like. The main rule is that information collected for one purpose should usually only be used or disclosed for that purpose, unless another permitted reason applies.

That matters in everyday founder decisions. For instance, a passenger database collected for airport transfers should not automatically become a marketing list for unrelated partner offers. A customer’s delivery address should not be casually shared with another operator unless there is a proper service reason. Internal convenience is not always enough.

Accuracy, access and correction

Transport businesses also need to take reasonable steps to ensure information is accurate, up to date, complete, relevant and not misleading before using it. In practice, this matters when dispatching vehicles, confirming authorised recipients, or relying on customer notes about access instructions.

Customers may also ask for access to their personal information, or request corrections. If your systems are messy, or data sits across phones, email inboxes, spreadsheets and third-party apps, handling these requests becomes difficult quickly.

For startups and SMEs, this is one reason to sort your systems early, before you spend money on setup that is hard to unwind later.

When This Issue Comes Up

Privacy issues usually appear in ordinary operational moments, not during a formal legal review.

Most transport business owners start thinking about privacy after a complaint, a lost phone, a staff mistake, or a customer asking what information has been kept. It is much better to deal with it before you sign software contracts, onboard subcontractors, or roll out new booking tools.

At booking and account setup

The first privacy touchpoint is often your booking form, website checkout, app registration flow, or phone booking script. This is where businesses often over-collect.

Common examples include asking for date of birth when it is not needed, requiring account creation for a one-off service, collecting detailed notes that are unrelated to the job, or bundling marketing consent into compulsory booking terms.

During dispatch and service delivery

This stage often involves live location data, messaging, route history and sharing customer details with drivers or third parties. The legal issue is usually not whether information can be used at all, but whether the use is proportionate and properly explained.

If subcontractors or independent operators are involved, your contracts should make clear who can access customer information, how it may be used, what security steps apply, and what happens when the service ends.

After the trip, delivery or job

Many privacy problems arise after the service is complete. Businesses keep old customer lists, archived route records, footage, complaints and support logs far longer than they need to.

Retention should reflect real business reasons, such as handling disputes, service records, insurance requirements or legal obligations. “We might need it one day” is not a strong basis for a data retention policy.

When using apps, platforms and overseas providers

Transport businesses often rely on booking platforms, cloud dispatch tools, payment gateways, telematics, CCTV systems and customer service software. Those tools may store or process information outside New Zealand.

This does not automatically mean you cannot use them, but it does mean you should understand where data goes, what the provider does with it, and whether your customer-facing privacy wording reflects that arrangement.

When incidents happen

A privacy breach can happen through a lost device, misdirected message, unauthorised staff access, exposed route data, insecure file sharing, or accidental disclosure to the wrong recipient.

New Zealand law requires agencies to notify the Privacy Commissioner and affected individuals in some cases where a privacy breach has caused, or is likely to cause, serious harm. A transport business should not be working this out for the first time after the incident happens.

Practical Steps And Common Mistakes

The best privacy protection for a transport business is a simple system that matches what your staff and software actually do.

You do not need a complicated paper trail for its own sake. You do need clear collection points, sensible internal rules, and documents that line up with daily operations. Here’s what to sort out first.

Map the information you collect

Start with a practical audit. Look at every place customer data enters the business.

That usually includes:

  • website forms,
  • online booking tools,
  • apps,
  • phone bookings,
  • email enquiries,
  • payment systems,
  • driver or dispatcher notes,
  • CCTV and dashcams,
  • customer support tools,
  • marketing lists.

For each category, ask three questions:

  • What are we collecting?
  • Why do we need it?
  • Who can access it?

This exercise often reveals duplicate collection, inconsistent records, and information nobody has a good reason to keep.

Write a privacy policy that reflects reality

Your privacy policy should describe your actual business practices, not a generic template downloaded years ago.

For a New Zealand transport business, it will often need to cover:

  • the types of personal information collected,
  • how information is collected, including through bookings, calls, apps, tracking or cameras,
  • why the information is collected and used,
  • who information may be shared with, such as drivers, subcontractors, software providers or payment processors,
  • whether information may be stored or processed overseas,
  • how customers can request access or correction,
  • how to make a privacy complaint.

If you use customer terms and conditions, make sure those terms do not contradict the privacy wording. Contracts, policies and on-screen notices should all point in the same direction.

Collect less, not more

The simplest way to reduce privacy risk is to avoid collecting unnecessary data in the first place.

Founders often assume that more information gives better operational visibility. Sometimes it just creates more liability. Before you add a field to a form or enable a new tracking feature, decide whether the information is genuinely needed for service delivery, safety, customer support, fraud prevention, or another legitimate business purpose.

This point matters before you launch online, because app and software settings often default to broad collection.

Control access inside the business

Not every staff member needs access to every customer record.

Access controls should reflect roles. Dispatch staff may need live job information. Marketing staff may not need route histories. Drivers may need customer contact details for a current job, but not a searchable history of all customers. Former workers and contractors should lose access promptly when they leave.

This is one of the most common weak points in small businesses, especially where shared logins or personal devices are used.

Use contracts with service providers and subcontractors

If others help you deliver transport services, privacy should be covered in your commercial arrangements.

That may include agreements with:

  • owner-drivers,
  • freight partners,
  • dispatch software providers,
  • call centre providers,
  • customer support contractors,
  • CCTV or telematics vendors.

The contract should deal with confidentiality, permitted uses of data, security expectations, breach reporting, return or deletion of information, and what happens at the end of the arrangement. This is especially important before you sign a supplier agreement with a technology provider that will sit at the centre of your operations.

Set retention and deletion rules

Customer information should not live forever by default.

Create a schedule for different kinds of information. Some records may need to be kept longer for operational, insurance or legal reasons. Others can be deleted or anonymised sooner. The key is to make a deliberate decision and apply it consistently.

If you are unsure how long a particular category should be retained, get legal advice and, where relevant, speak with your accountant or tax adviser on record-keeping issues.

Prepare for privacy requests and breaches

Every transport business should know who handles access requests, correction requests and privacy incidents.

Your internal process should cover:

  • who receives the request or report,
  • where the relevant information is stored,
  • how identity is verified before release,
  • when escalation is required,
  • how incidents are assessed for possible serious harm,
  • who communicates with affected customers.

A short internal procedure is much better than no plan at all.

Common mistakes to avoid

The patterns are usually predictable. Transport businesses often run into trouble when they:

  • copy a generic privacy policy that does not mention tracking, CCTV or subcontractors,
  • store customer details in personal phones or unsecured messaging apps,
  • keep old booking records indefinitely without a retention reason,
  • share customer details too broadly across contractors,
  • collect emergency or sensitive information without explaining why,
  • treat marketing consent as automatic,
  • forget that dashcam or CCTV footage can also contain personal information,
  • lack a process for customer access requests or privacy complaints.

These mistakes are fixable, but they are cheaper to sort out before customer trust is damaged.

FAQs

Do transport businesses in New Zealand need a privacy policy?

In most cases, yes. If your business collects personal information from customers, a clear privacy policy is one of the simplest ways to explain what you collect, why you collect it, and how customers can exercise their rights.

Can we track customer or vehicle location during a job?

Often yes, if the tracking is connected to a legitimate business purpose such as dispatch, safety or service delivery, and customers are told about it. The scope and retention of location data should still be reasonable.

Can we share customer details with subcontracted drivers or delivery partners?

Usually you can share information needed to perform the service, but the sharing should be limited to what is necessary and reflected in your privacy wording and contracts. Broad, informal sharing creates unnecessary risk.

What happens if a staff member sends customer information to the wrong person?

That may be a privacy breach. You should assess what was disclosed, who received it, whether serious harm is likely, and whether notification is required. A documented response process helps you act quickly.

Can customers ask for a copy of the information we hold about them?

Yes, in many cases they can request access to their personal information, and they may also request correction. Your business should know where records are stored so these requests can be handled properly.

Key Takeaways

  • Collecting customer information in a New Zealand transport business is allowed, but it must be tied to a clear and necessary business purpose.
  • Your privacy documents and customer-facing notices should match what your booking systems, drivers, apps and subcontractors actually do.
  • Location data, CCTV footage, support records and delivery details can all be personal information and should be handled carefully.
  • Strong privacy practice usually means collecting less, limiting access, securing records, using proper contracts and deleting data when it is no longer needed.
  • Privacy issues often surface during booking setup, subcontracting, software rollouts and after incidents, so it pays to sort them out early.

If your business is dealing with collecting customer information transport business and wants help with privacy policies, customer terms, subcontractor agreements, data breach response planning, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo
Alex SoloCo-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Get your customer-facing terms right

Get in touch with our team

Tell us what you need and we'll come back with a fixed-fee quote - no obligation, no surprises.

Need support?

Need help with your business legals?

Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.