Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is An Information Privacy Request (And Why Do Businesses Get Them)?
- Do You Have To Respond, And What Are The Key Timeframes Under The Privacy Act 2020?
- 1) You Need To Decide And Respond Within 20 Working Days
- 2) You Can Verify Identity (And You Usually Should)
- 3) You Can Ask For Clarification
- 4) You May Be Allowed To Extend The Time
- 5) You May Not Have To Provide Everything (Refusal/Withholding Grounds Can Apply)
- 6) You Need A Proper Process (Especially For Staff Handling Requests)
- Cost To Respond To An Information Privacy Request: What “Costs” Are We Really Talking About?
- Key Takeaways
If you run a small business in New Zealand, it’s only a matter of time before someone asks for all the personal information you hold about them. That could be a customer, a subscriber, a job applicant, or even a contractor.
At that point, a very practical question comes up fast: what does it cost to respond to an information privacy request - and can you charge the requester for your time?
In most cases, businesses should treat privacy requests as a normal cost of doing business. Often it’s not appropriate (or practical) to charge anything. But in limited situations, you may be able to charge a reasonable fee for providing access to personal information - as long as you do it properly, you explain it clearly up front, and it doesn’t create unnecessary barriers.
Below, we’ll break down how the Privacy Act 2020 works in practice, what your real costs tend to be, when you might be allowed to charge, and how to handle requests efficiently without creating legal risk.
What Is An Information Privacy Request (And Why Do Businesses Get Them)?
An “information privacy request” usually refers to a request made by an individual to:
- Access the personal information you hold about them; and/or
- Correct personal information you hold about them.
These rights sit at the heart of the Privacy Act 2020 (particularly the Information Privacy Principles dealing with access and correction). In plain English, if you’re collecting and using personal information in your business (names, emails, addresses, CCTV footage, HR files, support tickets, IP addresses, etc), people have a right to ask what you hold and how it’s being used.
Common examples we see for small businesses include:
- A customer requesting their account history and communications.
- A former employee requesting HR records.
- A job applicant asking for interview notes.
- A client asking for copies of signed agreements that contain their personal information.
- A person asking for CCTV footage where they appear.
If you’re already collecting personal information (even just through your website or customer management system), it’s worth having a clear Privacy Policy and an internal process in place so these requests don’t derail your team.
Do You Have To Respond, And What Are The Key Timeframes Under The Privacy Act 2020?
In most cases, yes - you must respond.
As a business, you’re generally an “agency” for Privacy Act purposes, which means you have obligations when you receive a request for personal information.
While every request needs to be handled on its own facts, some practical rules matter in almost every scenario:
1) You Need To Decide And Respond Within 20 Working Days
As a general rule, you must respond to an access/correction request as soon as reasonably practicable and within 20 working days (unless an extension applies).
Responding within the time limit doesn’t always mean you must hand over the information within 20 working days no matter what. It means you must make a decision and communicate it properly (for example: provide the information, confirm you’re extending time, request clarification, or refuse with reasons if a lawful ground applies).
2) You Can Verify Identity (And You Usually Should)
Before releasing personal information, you can require reasonable proof of identity. This is often essential where the request comes via email, involves sensitive information, or could be made by someone impersonating the individual. The key is to keep identity checks proportionate (for example, don’t demand excessive documents for low-risk information).
3) You Can Ask For Clarification
If someone sends a broad request like “everything you have about me”, you can (and usually should) ask them to narrow it down. This can reduce the work involved and keep the cost of responding to an information privacy request manageable in a way that’s fair to everyone.
4) You May Be Allowed To Extend The Time
Extensions can apply in limited cases - for example, where meeting the time limit would unreasonably interfere with your operations, or where you need more time to consult with another party or locate information.
The key is to document the reasons and tell the requester before the original time limit expires, including the new due date and why you need extra time.
5) You May Not Have To Provide Everything (Refusal/Withholding Grounds Can Apply)
Even where you hold the information, there are recognised grounds under the Privacy Act 2020 to refuse access or to withhold parts of the material (for example, where release would involve another person’s privacy, disclose confidential commercial information, prejudice maintenance of the law, reveal legally privileged communications, or otherwise meet a statutory withholding ground).
In practice, many “refusals” are partial: you provide what you can and redact what you lawfully must withhold, explaining the basis for doing so.
6) You Need A Proper Process (Especially For Staff Handling Requests)
If you have employees who deal with customer data, HR files, or support inboxes, it’s worth putting clear rules in writing so the team knows what to do (and what not to do) the moment a request lands.
Cost To Respond To An Information Privacy Request: What “Costs” Are We Really Talking About?
When business owners ask about the cost to respond to an information privacy request, they usually mean one (or more) of these:
- Staff time to locate records across tools, inboxes, drives, and paper files.
- Manager time to review what can and can’t be released.
- Legal review (especially if there are sensitive allegations, HR issues, disputes, or third parties involved).
- Redaction time to remove third-party info or commercially sensitive material.
- IT and admin costs to export data, pull backups, or retrieve archived files.
- Copying/printing/scanning (less common now, but still comes up).
- CCTV retrieval and editing time (particularly for retail or hospitality).
For many small businesses, the real cost isn’t the photocopying - it’s the disruption. If your data is scattered across systems, responding can take longer than you expect.
That’s why investing early in sensible privacy governance (like clear retention practices, access controls, and consistent record-keeping) often reduces your ongoing compliance costs over time.
Can You Charge A Fee For An Information Privacy Request In NZ?
This is where it gets more nuanced.
Under the Privacy Act 2020, it is sometimes possible to charge for making personal information available (i.e. an access request) - but it’s not a blank cheque to invoice people for your time. In practice, most businesses either:
- Don’t charge at all; or
- Only consider charging in exceptional cases (for example, repetitive requests, very large volumes of data, or where significant labour is required to compile information that isn’t readily retrievable).
Also, as a practical matter, businesses usually don’t charge for correction requests (and charging for correction is far more likely to be challenged as unfair or discouraging).
What A “Reasonable Charge” Usually Means In Practice
Even where charging may be allowed, the fee needs to be reasonable, connected to the actual work of making the information available, and not used to discourage or delay the request. You should be able to justify it with a clear breakdown.
Depending on your situation, charges might relate to things like:
- Actual and reasonable cost of copying or supplying the information (for example, secure USB, printing, courier).
- Actual and reasonable labour involved in collating information (particularly where it’s extensive and not easily retrievable).
But in many cases, the best approach is still to treat requests as part of your compliance overhead, because charging can create friction and complaints (and the complaint process can cost far more than the request itself).
When Charging Is More Likely To Cause Problems
Charging can be risky if:
- The request is straightforward and the fee looks like a deterrent.
- The requester is vulnerable (for example, health-related situations).
- You haven’t explained the fee upfront and obtained agreement before doing the work.
- You don’t have a consistent internal policy (meaning you charge some people but not others).
A good rule of thumb: if you’re thinking of charging, slow down and sanity-check the decision. This is often a good moment to get tailored privacy advice so you don’t unintentionally breach the Act while trying to recover costs.
Best Practice If You Intend To Charge
If you decide a fee may be appropriate, you should usually:
- Tell the requester early (ideally as soon as you identify the likely cost).
- Explain what the fee covers (e.g. retrieval time, copying, secure transfer).
- Give an estimate and offer a chance to narrow the scope to reduce cost.
- Document your reasoning in case the fee is challenged.
Remember: even if charging is permitted, your overall process still needs to be fair, timely, and transparent.
How To Reduce Your Information Privacy Request Cost (Without Cutting Corners)
If you want to reduce the cost to respond to an information privacy request, the biggest wins come from preparation - not from trying to move faster once the request arrives.
1) Centralise Where You Store Personal Information
If personal information is spread across individual staff inboxes, DMs, personal devices, and scattered folders, retrieving it becomes slow and expensive.
Even simple practices help, like:
- Using one shared support inbox or ticketing tool.
- Storing key customer records in one CRM.
- Having consistent file naming for HR records.
2) Have A Simple “Triaging” Process
When a request comes in, you want to quickly answer:
- Is this an access request, a correction request, or both?
- Do we need to verify identity?
- What systems likely contain the relevant information?
- Is there third-party information that will need redaction?
- Do we need to extend time?
Many businesses handle this using a basic internal checklist and a standard form to capture key details up front (like the date range, relevant accounts, and preferred format for delivery).
3) Train Your Team Not To Create “Extra” Records Accidentally
A common hidden cost comes from internal commentary that wasn’t written with privacy in mind (for example: messy notes, subjective comments, or irrelevant speculation in customer files).
That doesn’t mean your team can’t record important observations - it just means staff should assume that what they write may be requested later, and keep it factual and necessary.
4) Use Clear Retention And Deletion Practices
If you keep everything forever “just in case”, privacy requests can balloon. A sensible retention approach can lower retrieval workload and reduce risk.
Just be careful: deleting information because a request is made (or appears likely) can create serious legal issues. If you’re unsure, get legal advice before deleting anything.
5) Use Security And Redaction Tools Properly
If you often handle requests involving third parties (for example, CCTV, complaint files, or HR matters), redaction can be one of the most time-consuming parts.
Having a standard redaction process reduces mistakes like accidentally disclosing someone else’s personal information.
Common Tricky Situations (And How They Affect Cost And Risk)
Some information privacy requests are quick. Others become complex fast - and that’s usually when your costs (and legal risk) increase.
CCTV Footage Requests
CCTV is a classic example where a request can be legitimate but still expensive to handle.
You may need to:
- Locate footage across multiple cameras and timeframes.
- Confirm the requester’s identity and the relevant date/time.
- Blur or redact other individuals.
- Export footage in a secure format.
If you’re a retail, hospitality, or service business using CCTV, your privacy settings and customer notices should align with your actual practices.
Employee Or Ex-Employee Requests
HR files often include personal information about multiple people, including managers and coworkers. This can increase redaction time and increase the need for legal review.
Also, if there is an ongoing dispute, the stakes can be higher, because the requested information might later appear in Employment Relations Authority processes or negotiations.
Requests During A Customer Dispute
If a customer is unhappy, they may use a privacy request to gather information about internal decision-making.
This doesn’t automatically make the request invalid. But it does mean you should handle it carefully, check whether any lawful withholding grounds apply, and make sure you don’t accidentally disclose confidential commercial material or third-party information.
High Volume Or Repetitive Requests
Sometimes the scope is genuinely huge - months of emails, chat logs, and call records.
In these cases, it’s usually best to:
- Ask the requester to narrow the scope.
- Consider staged production (providing the most relevant info first).
- Consider whether a reasonable charge is appropriate (with proper notice and an opportunity to refine the request).
When you’re facing a complex request, getting advice early can be far cheaper than dealing with a complaint later.
Key Takeaways
- The cost to respond to an information privacy request for small businesses is usually driven by staff time, retrieval across systems, and redactions - not just admin expenses.
- Under the Privacy Act 2020, individuals generally have rights to access and correct their personal information, and you usually must respond within 20 working days (unless an extension applies).
- You may be able to charge a reasonable fee in limited circumstances for access requests, but charging can create risk if it looks like a deterrent or isn’t handled transparently.
- You can reduce costs significantly by centralising records, using a clear request process, training staff, and maintaining good data governance and security practices.
- Complex requests (CCTV, HR files, disputes, or large volumes of data) often justify getting tailored advice early to avoid accidental non-compliance.
If you’d like help setting up a practical privacy process (or responding to an access request you’ve already received), we’re happy to help. You can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.