Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in New Zealand, chances are you collect personal information every day - customer contact details, delivery addresses, CCTV footage, staff records, enquiry forms, website analytics, and more.
When someone asks you for a copy of their personal information, it can feel a bit daunting. What do you have to give them? How quickly do you need to respond? What if the request is vague, or the information is mixed up with someone else’s data?
The good news is that once you understand how the right of access works under the New Zealand Privacy Act (and put a simple internal process in place), handling access requests becomes much more manageable - and it can actually build trust with your customers and staff.
This article explains the right of access under the Privacy Act 2020 in plain English, from a business owner’s perspective, including practical steps, common mistakes to avoid, and when you may be allowed to refuse (or limit) a request.
What Is The “Right Of Access” Under The New Zealand Privacy Act?
The “right of access” is the rule that generally allows an individual to ask an agency (including most businesses) for confirmation of whether you hold personal information about them, and to request access to that information.
Under the Privacy Act 2020, this is commonly referred to as an individual’s “access request” and it largely sits under Information Privacy Principle 6 (IPP6).
In practical terms, the right of access under the New Zealand Privacy Act means that if a customer, client, patient, subscriber, employee, contractor, or member of the public asks for their personal info, you need to:
- take the request seriously (even if it’s informal or comes through email/social media),
- respond within the required timeframe (usually 20 working days), and
- provide access unless a lawful reason to withhold applies.
This is not just a “big corporate” issue. Small businesses often hold lots of personal information across everyday tools like:
- Gmail/Outlook inboxes and sent email folders
- booking systems and CRMs
- accounting platforms and invoices
- staff rosters and HR files
- CCTV systems and security logs
- Slack/Teams messages (yes, these can contain personal information)
- cloud storage like Google Drive, Dropbox, SharePoint
If you’re collecting personal information from customers or staff, having a clear Privacy Policy is a good starting point, but it won’t replace the need to handle access requests correctly when they come in.
Does The Right Of Access Apply To Your Business?
In New Zealand, the Privacy Act applies to “agencies”, which includes most private sector businesses - not just government departments.
So if you’re a small business collecting personal information as part of your operations, you should assume the right of access applies to you.
Common examples where access requests come up for small businesses include:
- Customers asking for a copy of their order history, support tickets, or complaints record
- Clients asking for notes you made during meetings, assessments, or service delivery
- Employees asking for copies of HR files, performance notes, emails about them, or investigation materials
- Website users asking what data you’ve collected about them through forms, newsletters, or accounts
- People recorded on CCTV asking for footage (especially in retail, hospitality, gyms, and service premises)
Even if you think you’re “too small” to have a formal privacy program, the Privacy Act still expects you to respond properly. This is where it helps to have a simple internal privacy framework (and if you want to formalise it, an Employee Privacy Handbook can be a practical part of your staff-facing privacy approach).
How Quickly Do You Need To Respond, And What Counts As An “Access Request”?
One of the biggest risk areas for businesses is not recognising an access request when it happens.
An access request doesn’t need to use the words “Privacy Act” or “IPP6”. If someone says something like:
- “Can you send me everything you have on file about me?”
- “What information do you have about my complaint?”
- “Can I get a copy of my employment file?”
- “Please provide the CCTV footage of me from last Friday.”
…that can be an access request.
What Is The Time Limit?
In general, you must respond to an access request as soon as reasonably practicable and no later than 20 working days after receiving it.
“Respond” doesn’t always mean you must provide the information within 20 working days (though often you should). It means you must take action - for example:
- provide the information, or
- refuse the request (with reasons), or
- extend the timeframe (where permitted), or
- seek clarification, if the request is too broad or unclear.
Can You Extend The Time?
Yes, in some cases you can extend the response time - for example, if:
- the request is complex or involves a large volume of information, or
- consultations are needed to make a proper decision (for example, you need to assess third-party privacy issues).
If you extend time, you should do it early and communicate clearly. A “silent delay” is where businesses get into trouble, because it can lead to complaints to the Privacy Commissioner.
If you want a more structured way to handle these requests, using an Access Request Form can help you collect key details upfront (like identity verification, the scope of the request, and preferred delivery method) - without turning the process into unnecessary red tape.
A Step-By-Step Process For Handling Access Requests (Without Disrupting Your Business)
When an access request arrives, your goal is to respond efficiently while still meeting your legal obligations. Here’s a practical approach most small businesses can adopt.
1) Log The Request Immediately
Create a simple register (even a spreadsheet is fine) and record:
- date received
- who made the request
- how it was received (email, in person, website form)
- what they asked for
- who in your business is responsible for handling it
- your due date (20 working days)
This is a simple habit that helps you avoid missed deadlines - and if a complaint arises, your records show you acted reasonably.
2) Confirm Identity (But Keep It Proportionate)
You’re allowed (and expected) to take reasonable steps to make sure you’re providing personal information to the right person. But “reasonable” is the key word.
For example:
- If the request comes from the customer’s usual email address on file, that may be enough.
- If the request is sensitive (like health info, financial info, or detailed HR files), you may need stronger verification (photo ID, security questions, or an in-person check).
Be careful not to over-collect extra personal information just to verify identity. Your verification process should match the risk.
3) Clarify The Scope If Needed
Some requests are extremely broad - “everything you have about me, ever” can be huge if you’ve dealt with the person for years.
It’s usually better to respond quickly asking them to narrow it, for example:
- a time period (e.g. the last 12 months)
- a category (e.g. invoices and customer support emails only)
- a specific event (e.g. the incident report from a particular date)
This isn’t about avoiding your obligations. It’s about delivering a useful response without burning weeks of staff time and still meeting Privacy Act expectations around access.
4) Search Systematically (Not Just The Obvious Places)
Access requests often require more than exporting a CRM record. You may need to search:
- inboxes (including archived mail and shared mailboxes)
- attachments (PDFs, photos, scanned forms)
- internal notes fields in your systems
- paper files (if you still keep any)
- CCTV or access control logs
- messages where the person is discussed (where those messages are “about” them)
It helps to decide early who will do the searches, and to keep a list of systems you checked.
5) Review Before You Release
Before you hand anything over, review the documents for:
- third-party information (e.g. other customers, other employees)
- confidential business information mixed into the record
- legally privileged material (for example, communications with your lawyer)
In many cases, the right approach isn’t “release or refuse” - it’s redact (remove) parts that shouldn’t be disclosed, while still giving access to the individual’s information.
6) Provide The Information Securely
How you provide access matters. Think about security and practicality:
- password-protected PDFs
- secure links with expiry dates
- encrypted email where appropriate
- in-person inspection for particularly sensitive records
You should also keep a record of what you disclosed and when.
When Can You Refuse An Access Request (Or Withhold Parts Of It)?
The right of access is strong, but it isn’t unlimited. The Privacy Act includes circumstances where you can refuse access or withhold certain information.
This is one of those areas where getting tailored advice is often worth it, because an incorrect refusal can lead to a complaint - but an incorrect release can create a privacy breach (and potentially expose you to disputes with third parties).
Common Reasons A Business May Withhold Information
Depending on the circumstances (and the specific withholding grounds that apply), you may be able to withhold information if, for example:
- it would involve an unwarranted disclosure of another person’s personal information (third-party privacy)
- it would prejudice the maintenance of the law (for example, if the information relates to an investigation)
- it would reveal confidential commercial information (in some cases, and subject to the Act’s limits)
- the information is subject to legal professional privilege (e.g. advice from your lawyer)
- the request is frivolous or vexatious, or the information can’t be made available without substantial collation or research (where those grounds apply)
Often, the safest approach is to provide partial access with redactions, rather than refusing everything.
CCTV Footage: A Common Small Business Pain Point
CCTV requests are increasingly common in retail, hospitality, gyms, and service businesses.
Here’s the challenge: CCTV footage often includes other identifiable people (customers or staff), which raises third-party privacy issues. Depending on what’s reasonable and feasible, you may need to:
- blur faces (if feasible),
- provide still images rather than full video (depending on the situation),
- allow supervised viewing on-site, or
- withhold parts that identify others.
There isn’t a one-size-fits-all answer, which is why it’s important to assess the request carefully before releasing footage.
If You Refuse, You Still Need To Respond Properly
If you refuse access (or withhold part of the information), you generally need to:
- tell the requester your decision,
- explain the reason (in plain language), and
- let them know they can complain to the Privacy Commissioner.
Even where you can legally refuse, the way you communicate it matters. A clear, calm response tends to reduce escalation.
Can You Charge For Access Requests, And What Other Practical Traps Should You Watch For?
Small businesses often ask: “Do we have to do this for free?”
You may be able to charge for providing access in some situations, but only if the charge is permitted under the Privacy Act and is reasonable. In practice, whether you can charge (and how much) can be fact-specific, so it’s best not to treat charging as the default or use it as a barrier.
If you’re considering charging, it’s wise to get advice first - especially if it’s a sensitive request or likely to be disputed.
Practical Mistakes We See Businesses Make
To keep your privacy compliance on track, watch out for these common issues:
- Missing the 20 working day deadline because no one “owned” the request internally.
- Releasing information too quickly without checking for third-party data (especially in emails, CCTV, and complaint files).
- Not searching broadly enough (for example, ignoring internal notes or staff messages that are “about” the person).
- Over-collecting ID documents during verification, creating unnecessary privacy risk.
- Accidentally creating a data breach by emailing personal info to the wrong address or attaching the wrong file.
If an access request triggers a wider concern (for example, you discover information has been disclosed incorrectly, or your systems were compromised), having a Data Breach Response Plan in place can make the next steps much clearer and reduce the chance of a rushed, messy response.
What If The Request Is Really A Dispute In Disguise?
Sometimes an access request is a genuine privacy request. Other times, it’s the first step in a broader dispute (like an employment issue, a customer complaint, or a contractual disagreement).
That doesn’t mean you can ignore it - but it does mean you should:
- keep communications factual and professional,
- avoid informal commentary in writing, and
- consider getting legal guidance before releasing borderline material.
If you’re not sure what you can safely provide, getting Privacy Advice early can prevent a small issue turning into a bigger one.
How To Set Your Business Up To Handle Access Requests Confidently
The best way to deal with access requests is to prepare before you receive one. You don’t need a complicated compliance program - but you do need a plan.
Create An Internal “Access Request” Playbook
At a minimum, your internal process should cover:
- who in your business receives and logs requests
- who is responsible for responding
- how you verify identity
- what systems you search (and who has access)
- how you review/redact information
- how you deliver the information securely
- how you record the outcome
Train Staff On What To Do If A Request Comes In
In a small business, requests often land with whoever is on the front desk, managing the inbox, or responding to DMs.
Make sure your team knows:
- what an access request looks like,
- they shouldn’t ignore it, and
- who to escalate it to.
This is especially important if you hold employee information. If you have staff and you’re formalising your people processes, a well-drafted Employment Contract and privacy-aligned workplace policies will help you manage information appropriately from day one.
Keep Your Data House In Order
Access requests are much easier when your records are organised. Practical tips include:
- set retention periods (don’t keep data forever “just because”)
- limit who can access sensitive folders
- avoid storing personal information across lots of unstructured channels
- use consistent naming and filing conventions for customer and HR documents
As your business grows, good privacy practices don’t just reduce legal risk - they save time and reduce operational friction.
Key Takeaways
- The right of access under the New Zealand Privacy Act generally requires your business to provide individuals with access to their personal information, unless a lawful reason to withhold applies.
- An access request can be informal - it doesn’t need to mention “Privacy Act” to trigger your obligations.
- You usually need to respond within 20 working days, and you should log requests and assign responsibility internally to avoid missed deadlines.
- Before disclosing information, review for third-party privacy, privilege, and sensitive content - redaction is often the practical solution.
- CCTV, staff records, and complaint files are common high-risk areas where businesses need to balance access rights with the privacy of others.
- Having a clear process (and training your staff on it) makes compliance easier and reduces the risk of privacy complaints or accidental breaches.
If you’d like help setting up a practical process for privacy compliance or responding to an access request, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.