Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, chances are you’re collecting personal information every day - customer contact details, delivery addresses, staff records, CCTV footage, emails, enquiry forms, and more.
Under the Privacy Act 2020, people generally have the right to ask for access to their personal information. These requests are commonly called “access requests” (and you might also hear them described as “subject access requests”).
Handling Privacy Act 2020 access requests properly isn’t just about avoiding problems - it’s about building trust with customers and staff, and showing that your business takes privacy seriously.
Below, we’ll walk you through a practical, business-friendly process for responding to access requests in New Zealand, including timeframes, what you should (and shouldn’t) provide, and the common traps that catch small businesses out.
What Is A Privacy Act 2020 Access Request (And Why Should Small Businesses Care)?
A Privacy Act 2020 access request is when an individual asks your business to provide access to the personal information you hold about them.
In a small business context, that “personal information” could include things like:
- Customer profiles or account records
- Invoices, payment records, or order history (where it identifies the person)
- Email correspondence and customer support tickets
- Job applications, CVs, and interview notes
- Employee records (leave requests, performance records, HR files)
- CCTV footage (where the person is identifiable)
- Call recordings (depending on what you collect and how you operate)
From a practical perspective, access requests matter because:
- They’re common - especially if there’s a dispute, a refund issue, an employment issue, or a breakdown in a customer relationship.
- They have deadlines - and missing them can create avoidable risk.
- They test your systems - if your business data is spread across inboxes, devices, cloud apps and spreadsheets, responding can get messy quickly.
It’s also worth noting that access requests usually sit alongside broader privacy compliance. If you’re collecting personal information from customers online, having a properly drafted Privacy Policy (and following it in practice) makes responding to requests much more straightforward.
Step 1: Confirm You’ve Received An Access Request (And Clarify What They Want)
An access request doesn’t need special wording. You might get it via email, social media, a website form, or even verbally. If someone is asking “what information do you hold about me?” or “can you send me everything you’ve got on me?”, treat that as an access request.
As soon as you receive one, you should:
- Acknowledge receipt promptly (even if you can’t fulfil it immediately).
- Record the date and method of request so you can track timeframes.
- Clarify scope if it’s broad or unclear (this can save you serious time later).
How To Clarify The Scope (Without “Blocking” The Request)
If the request is too broad, it’s usually reasonable to ask follow-up questions like:
- What time period are you asking about?
- Are you looking for a specific document (e.g. the contract, emails, CCTV footage)?
- Which email address / phone number / account did you use with us?
This doesn’t mean you can ignore the request until they reply - but in real life, clarifying early helps you respond accurately and reduces the chance of an argument later.
Step 2: Verify Identity Before You Disclose Anything
From a business owner’s perspective, this is one of the most important steps.
When responding to Privacy Act 2020 access requests, you need to take reasonable steps to ensure you’re giving personal information to the right person. If you accidentally disclose someone’s personal information to the wrong person, that can turn into a privacy breach (and a major trust issue).
What “reasonable steps” looks like depends on the risk and the type of information. Common options include:
- Sending a confirmation to the email address already held on the account (rather than trusting the sender address of the incoming request, which is easy to forge)
- Asking for identifying details you already hold (e.g. last order number) - bearing in mind that details printed on a receipt or known to a household member aren't secret, so use a stronger check for sensitive material such as HR files or CCTV footage
- Asking for ID (only if necessary, and only collect what you need)
Be Careful About Collecting Extra Information
It’s easy to create a new privacy problem while trying to solve an old one. For example, if you ask for a full copy of a passport when a simple account verification would do, you might be collecting more personal information than you actually need. If you do collect ID, record only that the check was completed and dispose of the copy once it has served its purpose.
A good identity-check process is often part of your overall privacy documentation and internal practices, such as a Privacy Collection Notice and a clear internal workflow for handling requests.
Step 3: Gather The Personal Information (And Map Where It’s Stored)
Once you know what’s being requested and who you’re dealing with, the next step is locating the personal information.
This is where small businesses often get caught out, because personal information can sit across:
- Accounting software and invoicing tools
- CRM systems and email marketing platforms
- Helpdesk or live chat tools
- Staff inboxes and messaging apps
- Shared drives (Google Drive / OneDrive)
- Phones and laptops (especially where staff use their own devices)
- Hard copy files
Practical Tip: Treat This As A “Data Discovery” Exercise
If you’re dealing with your first Privacy Act 2020 access request, it can be a useful prompt to tighten up your internal data handling, starting with a simple list of every system, device and paper file that holds personal information and who has access to each. Over time, better data practices make access requests faster, cheaper, and less disruptive.
If your business is using customer or employee monitoring tools (like CCTV), make sure you’re also thinking about workplace privacy and communications practices, including whether call recording is lawful for your situation. This often overlaps with issues discussed in call recording and cameras in the workplace.
Step 4: Check Whether You Can Withhold Anything (And Don’t Over-Share)
One of the biggest mistakes businesses make with Privacy Act 2020 access requests is assuming they must disclose absolutely everything, exactly as stored, with no review.
In reality, there are situations where you may be able (or required) to withhold certain information. This isn’t about being difficult - it’s about balancing the requester’s rights with other legal obligations and third-party privacy rights.
Common examples where issues come up include:
- Third-party information: If the documents contain personal information about someone else (e.g. another customer, another employee).
- Confidential business information: Some internal notes may include commercially sensitive content (depending on context).
- Legally privileged communications: For example, communications seeking legal advice can be protected.
- Safety or harassment risks: In some situations, releasing information could create a safety risk (this needs careful handling).
Redaction Is Often The Middle Ground
Sometimes the best practical approach is to provide the document but redact (black out) parts that relate to other people or protected content. This lets you comply without disclosing information you shouldn’t. Make sure the redaction actually removes the underlying text: drawing a black box over a PDF or image often leaves the original words selectable or recoverable underneath, and document metadata (author names, comments, tracked changes) can disclose third parties too. Export a flattened copy and check it before sending.
Because withholding and redaction decisions can be very fact-specific, it’s usually worth getting tailored advice before you refuse access or provide heavily redacted files - especially if the requester is already in conflict with your business (for example, in an employment context where an Employment Contract dispute is brewing).
Step 5: Respond Within The Required Timeframes (And Keep A Paper Trail)
Privacy Act 2020 access requests come with timing requirements. As a general rule, you should respond as soon as reasonably practicable, and no later than 20 working days after receiving the request (unless an extension applies).
In practice, good request management looks like:
- Logging the request and deadline in a central register
- Assigning a responsible person internally (even if you’re a one-person business)
- Keeping copies of communications with the requester
- Keeping a record of what you searched, what you found, and what you disclosed
When Can You Extend Time?
In some situations, you may be able to extend the timeframe (for example, if the request is for a large volume of information or consultations are needed to make a decision). If you extend, you should let the requester know within the original timeframe, explain why you need more time, and give a new due date.
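The register described in this step can be kept in a spreadsheet, but the logic is easy to get wrong under pressure, especially the working-day arithmetic and the rule that an extension must be notified before the original deadline. The following is an added illustration written for this article, not a tool from the author or from Sprintlaw. It assumes a "working day" is any weekday that is not in a holiday set you supply; the holiday date, request details and disclosed file in the sample are all constructed, and the code knows nothing about actual New Zealand public holidays unless you pass them in.

```python
"""Access-request register: working-day deadline tracking plus an audit trail.

Added illustration for this article, not the author's own tool.
Assumption: a "working day" is a Monday-Friday date not in the holiday set
the caller supplies. Real NZ public holidays must be passed in explicitly.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

STATUTORY_WORKING_DAYS = 20  # the response deadline the article describes


def add_working_days(start: date, days: int, holidays: frozenset[date] = frozenset()) -> date:
    """Return the date `days` working days after `start` (the day of receipt is day 0)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:  # Mon-Fri and not a holiday
            remaining -= 1
    return current


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    received: date
    channel: str
    scope: str
    holidays: frozenset[date] = frozenset()
    events: list[dict] = field(default_factory=list)
    closed: bool = False

    def __post_init__(self) -> None:
        self.original_due = add_working_days(self.received, STATUTORY_WORKING_DAYS, self.holidays)
        self.current_due = self.original_due
        self._log(self.received, "received", f"via {self.channel}; scope: {self.scope}")

    def _log(self, when: date, action: str, detail: str) -> None:
        self.events.append({"date": when.isoformat(), "action": action, "detail": detail})

    def extend(self, notified_on: date, new_due: date, reason: str) -> None:
        """Record an extension; the notice must go out within the original timeframe."""
        if notified_on > self.original_due:
            raise ValueError("extension notified after the original due date")
        if new_due <= self.original_due:
            raise ValueError("new due date must be later than the original")
        self.current_due = new_due
        self._log(notified_on, "extended", f"new due date {new_due.isoformat()}; reason: {reason}")

    def record_search(self, when: date, system: str, items_found: int) -> None:
        """Record each system searched and how much was found, even when nothing was."""
        self._log(when, "searched", f"{system}: {items_found} item(s)")

    def record_disclosure(self, when: date, filename: str, content: bytes, withheld: str = "") -> str:
        """Log exactly what was sent, keyed by SHA-256 so the file can be proven later."""
        digest = hashlib.sha256(content).hexdigest()
        detail = f"{filename} sha256={digest}"
        if withheld:
            detail += f"; withheld: {withheld}"
        self._log(when, "disclosed", detail)
        self.closed = True
        return digest

    def is_overdue(self, today: date) -> bool:
        return not self.closed and today > self.current_due

    def to_json(self) -> str:
        return json.dumps({"request_id": self.request_id, "requester": self.requester,
                           "received": self.received.isoformat(),
                           "original_due": self.original_due.isoformat(),
                           "current_due": self.current_due.isoformat(),
                           "closed": self.closed, "events": self.events}, indent=2)


def build_sample_request() -> AccessRequest:
    """Constructed walk-through: a request received on Friday 1 March 2024, with one
    constructed holiday (Monday 11 March) inside the 20-working-day window."""
    holidays = frozenset({date(2024, 3, 11)})  # constructed, not a real NZ holiday
    req = AccessRequest("AR-0001", "customer@example.com", date(2024, 3, 1),
                        "email", "all emails and invoices since 2023", holidays)
    req.record_search(date(2024, 3, 5), "CRM export", 3)
    req.record_search(date(2024, 3, 5), "shared mailbox", 12)
    req.record_search(date(2024, 3, 6), "accounting software", 0)
    # Constructed stand-in for the redacted PDF that was actually sent.
    req.record_disclosure(date(2024, 3, 20), "AR-0001-response.pdf",
                          b"%PDF-1.7 constructed placeholder",
                          withheld="one email redacted: third-party personal information")
    return req


if __name__ == "__main__":
    print(build_sample_request().to_json())
```

In the sample, the 20 working days from Friday 1 March land on Friday 29 March; the constructed holiday pushes the deadline to Monday 1 April. Hashing the disclosed file means that if the requester later disputes what they were sent, you can show the register entry matches the copy you kept, without having to trust memory or an inbox search.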
What Should Your Response Include?
Your response should generally:
- Confirm you are providing access under the Privacy Act 2020
- Provide the personal information in a usable format (e.g. PDF copies, export from system)
- Explain any information withheld and the reason (in a clear, non-argumentative way)
- Explain next steps if they have questions or want corrections
Remember: it’s not just what you provide - it’s how you provide it. If you’re sending sensitive personal information, use a delivery method that matches the risk: a password-protected file with the password sent by a separate channel (such as a text message to the phone number you already hold), a secure portal, or delivery only to the email address you verified in Step 2. Don’t put the password in the same email as the file.
Common Mistakes Businesses Make With Privacy Act 2020 Access Requests
Even well-run businesses can stumble here, especially if they’re responding under pressure. These are the issues we commonly see:
1. Treating The Request Like A Customer Service Complaint
Sometimes access requests arrive alongside a complaint or dispute. It’s tempting to respond defensively, but privacy rights operate independently of whether you agree with the person or not.
2. Missing “Hidden” Personal Information In Emails And Notes
Personal information isn’t just what’s in your CRM. Emails, internal notes, chat logs and attachments often contain personal information too.
3. Accidentally Disclosing Third-Party Information
This is particularly common with email chains and staff communications. Before sending, check whether the documents identify other people, and redact where needed.
4. Not Having A Clear Process (So Everything Takes Too Long)
If your business doesn’t have an internal workflow, it’s easy for requests to sit in an inbox unanswered. Setting up a clear privacy process (and training staff on it) is one of the best ways to reduce risk.
5. Taking An “All Or Nothing” Approach
Businesses sometimes refuse access entirely because part of the material is sensitive. Often, there’s a workable middle option - like providing partial access, redacting third-party information, or providing a summary in addition to documents.
If your business is growing and you’re formalising policies across the board, it can help to treat privacy compliance as part of your wider risk management. Depending on what you do, that may include having strong Service Agreement terms that explain how customer data is handled, and clear internal confidentiality expectations (especially if staff or contractors handle customer information).
Key Takeaways
- Privacy Act 2020 access requests (subject access requests) are a common part of doing business in New Zealand, especially if you hold customer or employee personal information.
- Responding properly starts with acknowledging the request, clarifying the scope, and recording key dates so you don’t miss deadlines.
- Always verify identity before you disclose personal information - the quickest way to create a privacy breach is sending information to the wrong person.
- Gather information carefully across all systems (email, cloud storage, apps, CCTV, and hard copy files), not just your “main” database.
- You may be able to withhold or redact certain information (such as third-party personal information or privileged communications), but it’s important to handle refusals, redactions, and extensions carefully.
- Keeping a clear audit trail - what you searched, what you disclosed, and why - will protect your business if the request is challenged later.
Note: This article is general information only and isn’t legal advice. If you need help applying the Privacy Act 2020 to your situation, consider getting tailored advice.
If you’d like help putting the right privacy processes in place, responding to Privacy Act 2020 access requests, or reviewing your privacy documentation, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.