As a small business owner, it is vital that you and your business comply with New Zealand privacy laws. The main thing you need to be aware of is the New Zealand Privacy Principles, a set of 13 guidelines that form the foundation of our privacy framework here in New Zealand.

Understanding the New Zealand Privacy Principles can feel a bit overwhelming at first, so we’ve put together a straightforward guide to help you and your business stay compliant in 2025. Our approach is both clear and practical, with a focus on protecting personal information and ensuring transparency.

Read on to learn more about your obligations and the steps you can take today.

Does Your Business Come Under The Privacy Act 2020?

First, you must determine if your business is covered by the Privacy Act 2020. While not every small business falls under this legislation, many do if they handle personal information.

In practice, the Office of the Privacy Commissioner (OPC) stipulates that any business that deals with personal information must comply with the Privacy Act. This requirement is not just a question of the size of your enterprise; it is about the nature of the information you handle.

For the purposes of the Privacy Act, dealing with personal information includes activities such as:

  • Collecting
  • Using
  • Disclosing

Furthermore, the OPC clarifies that, regardless of size, the Privacy Act applies to any business that is, or is involved in, any of the following:

  • A health service provider
  • Trading in personal information
  • A contractor providing services under a contract
  • Operating a residential tenancy database
  • A credit reporting agency
  • A reporting entity for the purposes of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009
  • Employee associations registered or recognised under the Employment Relations Act 2000
  • A business that conducts protection action ballots
  • A business accredited under the Consumer Data Right system
  • A business that is related to an entity already covered by the Privacy Act
  • A business prescribed by the Privacy Act regulations
  • A business that has opted in to be covered by the Privacy Act

The OPC also provides a handy privacy checklist for small businesses to help you determine whether your business falls under this legislation. You can find the checklist here.

If the Privacy Act does indeed apply to your business, it is crucial to familiarise yourself with your obligations under the New Zealand Privacy Principles, ensuring your business practices are up to date as we progress further into 2025.

Complying With The New Zealand Privacy Principles

If your business is covered by the Privacy Act, you must adhere to 13 New Zealand Privacy Principles (NZPP) that outline how personal information should be managed at every stage.

Understanding each NZPP is key to ensuring that your business practices remain compliant. In today’s fast-evolving digital landscape, staying informed about these principles is more important than ever.

Let’s review each NZPP to help you better understand your business’s obligations.

NZPP 1: Purpose of Collection of Personal Information

Your business must collect personal information only for a lawful purpose connected with a function or activity of your organisation, and such collection should be necessary for that purpose.

Personal information is defined as information about an identifiable individual. This remains true regardless of whether the information is entirely accurate or recorded in a physical or digital form.

Establishing a clear purpose for the collection can be achieved by implementing transparent procedures when gathering personal information, and by ensuring that employees are trained on these processes.

For businesses that must comply with the New Zealand Privacy Principles, having a clear and up-to-date Privacy Policy is a critical requirement under the Privacy Act. We also recommend reviewing our guide on when you need a Privacy Policy to ensure you are fully covered.

Making your Privacy Policy easily accessible – for instance, by displaying it prominently on your website – is an excellent way to demonstrate that the purpose of collecting personal information is both clear and compliant with current regulations.

In addition, as we move through 2025, it is essential to keep abreast of any amendments in privacy legislation. Recent updates have reinforced the importance of proactive data protection measures. For further insights into safeguarding your business, you might explore our comprehensive legal guides for small businesses.

If you need any further help, feel free to reach out to our team for a free, no-obligation chat at [email protected] or call us on 0800 002 184. We’re here to assist you in navigating these legal requirements and to ensure your business remains compliant in an ever-changing regulatory environment.

About Sprintlaw

We're an online legal provider operating in New Zealand, Australia and the UK. Our team services New Zealand companies and works remotely from all around the world.
