Is an IRD Number Personal Information Under New Zealand’s Privacy Act?

Alex Solo

If you run a small business in New Zealand, you’ll probably handle IRD numbers more often than you expect - whether you’re hiring your first employee, onboarding contractors, or setting up payroll and accounting systems.

Because an IRD number is tied to a specific person, it also raises a common compliance question: is an IRD number personal information under the Privacy Act 2020?

Getting this right matters. If you collect, store, or share IRD numbers casually (for example, by email or spreadsheets with broad access), you can create real privacy risk for your business - even if your intentions are good.

Below, we’ll break down what the Privacy Act 2020 says in plain English, how IRD numbers are treated in practice, and what you should do to handle them safely and legally from day one.

Why This Matters For Small Businesses

When you’re busy running a business, it’s easy to treat an IRD number like “just another admin detail”. But IRD numbers are high-value identifiers. If an IRD number is mishandled, it can contribute to:

  • Identity theft and fraud risks for the individual (which can quickly become your business problem too).
  • Trust issues with staff, contractors, and customers.
  • Privacy Act complaints to the Office of the Privacy Commissioner (OPC).
  • Operational headaches if you have to respond to an access request, investigation, or data breach.

From a practical standpoint, a good privacy approach isn’t about creating red tape. It’s about building a sensible system so you’re not relying on memory or ad hoc processes when things get busy (or when something goes wrong).

Is An IRD Number Personal Information Under The Privacy Act 2020?

In most cases, yes - an IRD number will be personal information under the Privacy Act 2020.

Under the Privacy Act, personal information is broadly information about an identifiable individual. If an IRD number can identify someone (either on its own, or together with other information you hold), it will generally fall within that definition.

Why An IRD Number Is Usually “About An Identifiable Individual”

An IRD number is assigned to a specific person (or entity), and in an employment or contractor context it’s typically linked with other details you hold, such as:

  • full name
  • date of birth
  • address
  • bank account details
  • tax code or withholding information
  • payroll and pay history

Once an IRD number is in that mix, it becomes part of the bundle of information that can clearly identify someone. That makes it personal information, and your handling of it needs to follow the Privacy Act’s information privacy principles (IPPs).

IRD Numbers And “Unique Identifiers”

IRD numbers are also commonly treated as a type of unique identifier - meaning a number assigned to an individual to uniquely identify them for an official purpose (like tax administration).

In New Zealand, the Privacy Act 2020 has an information privacy principle specifically about unique identifiers (IPP 13). In practical terms, it restricts when organisations can assign a unique identifier, and when they can require someone to disclose a unique identifier that has been assigned by another agency (like the IRD number issued by Inland Revenue).

In plain terms: you generally shouldn’t treat an IRD number like a customer reference number you can demand whenever it’s convenient. You should only collect and use it where you have a clear and lawful reason to do so.

Is An IRD Number “Sensitive Personal Information”?

The Privacy Act 2020 doesn’t use one single category called “sensitive information” in the same way some overseas laws do - but in practice, an IRD number is high-risk personal information because it’s a government identifier that could be used for fraud if exposed.

That means you should apply stronger security and tighter access controls than you might for lower-risk information (like a general enquiry email address).

If you want your policies to reflect this properly, it’s usually worth getting tailored Privacy Advice so your business processes match what you actually do day-to-day.

When Can Your Business Collect And Use An IRD Number?

Even though an IRD number is personal information, your business can still collect and use it - but you should do so in a controlled, transparent way.

A good rule of thumb is: only collect an IRD number when you genuinely need it for a specific, lawful purpose, and only use it for that purpose (unless you have another lawful basis to use it).

Common Legitimate Reasons Small Businesses Need IRD Numbers

Most small businesses will collect IRD numbers in scenarios like:

  • Employees: setting up PAYE, KiwiSaver deductions, payroll, and required reporting.
  • Contractors: where withholding tax rules apply, or where your internal records need to match tax invoices and payments.
  • Shareholder-employees: where payroll is still being run through the business.
  • Some supplier arrangements: where tax reporting or withholding obligations exist.

In other words, collecting IRD numbers is often legitimate - but the key compliance piece is making sure your collection and storage method is appropriate and secure.

Important: This article is general information about privacy compliance only and isn’t tax advice. If you need help working out your PAYE, withholding, reporting, or record-keeping obligations, it’s best to speak with Inland Revenue or a qualified accountant or tax adviser.

Situations Where You Should Be Careful

Some businesses accidentally over-collect IRD numbers. For example:

  • Collecting customer IRD numbers “just in case” (usually unnecessary unless you’re dealing with specific financial or reporting obligations).
  • Putting IRD numbers on invoices where they might be shared widely or stored in multiple inboxes.
  • Using IRD numbers as an internal login, reference number, or identifier for convenience.

If you’re ever unsure, step back and ask: “What is the specific purpose? Could we achieve it without collecting the IRD number?” Collecting less is often the easiest way to reduce privacy risk.

Collection Best Practice (What You Should Tell People)

When you ask for an IRD number, it’s good practice to be upfront about:

  • why you need it (e.g. payroll and tax reporting)
  • who it will be shared with (e.g. payroll provider, accountant, IRD if required)
  • how it will be stored and protected
  • how long you’ll keep it

This is the kind of “privacy hygiene” that helps you prevent disputes before they start - and it often fits naturally within your onboarding paperwork or HR processes (for example, alongside an Employment Contract and payroll forms).

How Should You Store, Share And Dispose Of IRD Numbers?

If you’re researching whether an IRD number is personal information, this is where the practical compliance really lives. The Privacy Act isn’t just about whether something is personal information - it’s about what you do with it.

Once your business holds IRD numbers, you should manage them like other high-risk personal information: minimise access, store them securely, share them carefully, and delete them safely.

1. Limit Who Can Access IRD Numbers

Access should be on a “need to know” basis. For a small business, that might mean only:

  • the business owner
  • the payroll/finance manager
  • an external accountant or payroll provider

If everyone on the team can open a folder and see staff IRD numbers, that’s a red flag. Even if nothing goes wrong, it’s hard to justify that level of access as “necessary”.

2. Store IRD Numbers Securely (Not In Random Places)

Common risky storage habits we see include:

  • saving onboarding forms to desktops
  • email threads with IRD numbers sitting in inboxes indefinitely
  • shared spreadsheets with broad access
  • unsecured cloud drives without proper permissions

Instead, aim for:

  • secured HR/payroll software with user permissions
  • encrypted storage (where appropriate)
  • restricted folders with audit logs (if possible)
  • clear internal rules about where IRD numbers can and can’t be saved

Many businesses formalise this in an Information Security Policy so your team isn’t guessing what “secure” means.

3. Be Careful When Sharing IRD Numbers

Sharing is where businesses can accidentally lose control of data. If you need to share an IRD number (for example, with your accountant or payroll provider), think about:

  • the method: avoid plain email where possible; use secure portals or encrypted files
  • the recipient: confirm the correct email address and contact
  • the minimum necessary: share only what’s required for that task
  • the contract: ensure your supplier relationship covers confidentiality and proper handling of personal information

If you use software vendors or outsourced providers, it’s also worth checking whether you need a broader privacy and data handling framework across the business, not just a one-off fix.

4. Have A Clear Retention And Disposal Process

Keeping IRD numbers forever “just in case” increases your exposure. Under the IPPs, you should not keep personal information for longer than you need it for the purpose it was collected, although other laws (including tax and employment record-keeping requirements) may require you to keep certain records for a period of time.

For example, if someone leaves your business, you may need to keep certain payroll and tax records for a period - but that doesn’t mean their details should remain in easily accessible shared folders indefinitely.

A sensible approach is to:

  • archive employee/contractor records with restricted access
  • delete duplicates (e.g. remove from email threads or shared downloads)
  • use secure destruction for paper records

5. Plan For What You’ll Do If There’s A Privacy Breach

Even careful businesses can have incidents - a misaddressed email, a lost laptop, a compromised password, or an accidental file share.

What matters is having a plan. Depending on the situation, you may have obligations to assess whether the breach is likely to cause serious harm and whether it needs to be notified.

Having a Data Breach Response Plan helps you respond quickly, reduce harm, and show that you took reasonable steps.

What To Put In Your Privacy Documentation And Processes

Privacy compliance is much easier when it’s built into your documentation and onboarding workflows (instead of living in someone’s head).

If your business collects IRD numbers, here are the documents and processes that usually matter most.

A Privacy Policy That Matches Your Real Practices

If you collect personal information (including staff and contractor information), you’ll usually want a Privacy Policy that explains:

  • what personal information you collect (including identifiers like IRD numbers where relevant)
  • why you collect it and how you use it
  • who you disclose it to (e.g. payroll providers, accountants, IRD where required)
  • how you store it and protect it
  • how people can request access/correction

This is especially important if you are collecting information through online forms, HR platforms, or contractor onboarding processes.

Clear HR/Team Rules About Handling Staff Data

Many small businesses start off with informal systems, then grow quickly - and suddenly multiple people are touching payroll, onboarding, and records.

That’s where an Employee Privacy Handbook can be useful, because it translates privacy obligations into day-to-day rules your team can actually follow (for example, what can be emailed, what must be stored in the HR system, and what can’t be shared internally).

A Process For Access And Correction Requests

Individuals generally have the right to request access to personal information you hold about them and to request corrections.

As a small business, you don’t want to be scrambling if a current (or former) employee asks for a copy of all information you hold - especially if data is scattered across inboxes and shared drives.

Some businesses use an Access Request Form as part of a simple workflow to make sure requests are tracked and responded to on time.

Contracts With Providers Who Handle IRD Numbers

If your accountant, bookkeeper, payroll provider, or HR software provider handles IRD numbers on your behalf, you should make sure your agreement covers things like confidentiality, permitted use, and appropriate security.

This is one of those areas where DIY templates can fall short - because you want the contract to match how data is actually flowing through your business.

Practical “Do’s And Don’ts” For Everyday Operations

To keep things simple, here’s a baseline set of habits that usually makes a big difference:

  • Do collect IRD numbers only when required for payroll/tax administration.
  • Do keep IRD numbers out of general shared folders and broad-access spreadsheets.
  • Do restrict access to HR/payroll information to the people who genuinely need it.
  • Do double-check recipients before sending any file containing IRD numbers.
  • Don’t use IRD numbers as a general internal identifier or reference number.
  • Don’t leave IRD numbers sitting in email inboxes longer than necessary.
  • Don’t assume “small business” means the Privacy Act won’t apply to you - it usually still does.

Handled properly, treating an IRD number as personal information can become a quiet strength of your business: less risk, fewer messy admin issues, and more trust with your people.

Key Takeaways

  • An IRD number will usually be personal information under New Zealand’s Privacy Act 2020 because it relates to an identifiable individual.
  • IRD numbers are commonly treated as unique identifiers, and IPP 13 places limits on when you can require or use them - so you should only collect and use them when there’s a clear, lawful need (for example, payroll administration and required reporting).
  • Small businesses should handle IRD numbers as high-risk personal information, using strong security, limited access, and careful sharing practices.
  • Good compliance is practical: minimise collection, store securely, restrict access, and delete/archive information properly when it’s no longer needed (subject to other legal record-keeping obligations).
  • If there’s a breach involving IRD numbers, you should be ready to respond quickly, assess harm, and meet any notification obligations.
  • Strong privacy documentation and processes (like a Privacy Policy and internal guidance) help you stay consistent as your business grows.

If you’d like help putting privacy systems in place - or checking whether your business is handling IRD numbers appropriately under the Privacy Act 2020 - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
