Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in New Zealand, there’s a good chance you’re using cloud storage to keep things moving - client files, HR records, invoices, contracts, marketing assets and everything in between.
It’s normal to wonder whether using Dropbox is “Privacy Act 2020 compliant”, and what that actually means in practice. The good news is: compliance usually isn’t about whether a particular tool is “legal” or “illegal”. It’s about whether your business is handling personal information in a way that meets your obligations under New Zealand’s Privacy Act 2020.
In this guide, we’ll walk you through what Dropbox Privacy Act 2020 compliance looks like for NZ businesses, where the risk points are, and the practical steps you can take to protect your business (and your customers) from day one.
What Does “Dropbox Privacy Act 2020 Compliance” Actually Mean?
Let’s start with a reality check: the Privacy Act 2020 doesn’t “certify” software platforms as compliant or non-compliant.
Instead, the Act applies to agencies (which includes most NZ businesses) that collect, use, store or share personal information. If your business uses Dropbox to store or share personal information, your privacy obligations still sit with you.
So when people ask about Dropbox and Privacy Act 2020 compliance, what they’re really asking is:
- Can I legally store personal information in Dropbox?
- What safeguards do I need to put in place to meet my obligations?
- What happens if something goes wrong (like a data breach)?
In practical terms, “Dropbox Privacy Act 2020 compliance” is about whether you have:
- a lawful and transparent reason for collecting and storing the information;
- appropriate security safeguards in place;
- controls around who can access it (including staff and contractors);
- clear processes for access/correction requests and retention/deletion;
- a plan for handling and notifying privacy breaches when required.
That’s why good privacy compliance is a mix of:
- legal documentation (like a Privacy Policy),
- contracts (to manage third-party data handling), and
- day-to-day business processes (how your team actually uses Dropbox).
When Does The Privacy Act 2020 Apply To Files In Dropbox?
It applies whenever your business uses Dropbox to store personal information.
“Personal information” under the Privacy Act 2020 is broadly any information about an identifiable individual. For a small business, this can include:
- customer names, email addresses and phone numbers;
- client intake forms and case notes;
- copies of IDs (e.g. driver licences) collected for verification;
- health information (which is usually more sensitive and higher risk);
- employee records, payroll details, and performance documents;
- complaints, dispute records, or incident reports;
- CCTV stills or images if you store them in cloud folders.
Even if you’re “just storing files”, you’re still handling personal information - and the Privacy Act is designed to regulate the full lifecycle: collection, storage, access, use, disclosure, and deletion.
This matters because Dropbox is typically not just a “filing cabinet”. In many workplaces, it’s also:
- a sharing tool (links, shared folders);
- a collaboration platform (comments, version history);
- a sync tool (copies stored on multiple devices); and
- sometimes, an unofficial “shadow IT” system where staff store files outside approved channels.
That’s where privacy risk tends to creep in - not because cloud storage is inherently non-compliant, but because it becomes easy to lose control over who can access what.
Key Privacy Act 2020 Obligations To Think About When Using Cloud Storage
The Privacy Act 2020 is built around privacy principles. You don’t need to memorise them, but you do need systems that reflect them.
1) You Must Take Reasonable Steps To Protect Personal Information
This is the big one for cloud storage.
In simple terms, you must protect personal information against:
- loss (e.g. accidental deletion);
- unauthorised access (e.g. staff accessing folders they shouldn’t);
- unauthorised use or disclosure (e.g. sharing links publicly); and
- other misuse (e.g. leaving synced files on a stolen laptop).
“Reasonable steps” depends on your business, the sensitivity of the information, and the harm that could result if it leaked. For example, storing basic contact details has a different risk profile than storing health records or employee disciplinary documents.
2) Be Careful With Overseas Storage And Overseas Access
Cloud storage often involves overseas infrastructure, overseas support teams, and global subcontractors (even if you’re a NZ business serving NZ customers).
From a practical compliance perspective, it’s worth treating overseas hosting and overseas access as a potential cross-border privacy risk and doing your due diligence. Questions to ask include:
- Where is the data hosted (or where can it be hosted)?
- Who can access it (including vendor staff and subcontractors)?
- What security measures are available (e.g. MFA, encryption, access logs)?
- What does the provider contract say about data processing and breach notifications?
If your business works with offshore team members or contractors who access Dropbox, you should also make sure your internal permissions and policies are doing the heavy lifting - because overseas access can, depending on the circumstances, involve sharing or making personal information available outside New Zealand.
3) Only Give Access To People Who Actually Need It
One of the most common privacy mistakes we see in small businesses is “everyone can see everything”. It’s convenient, but it’s risky.
Practical steps to reduce this risk:
- Use role-based folders (e.g. “HR” restricted to specific staff).
- Use separate accounts for each team member (avoid shared logins).
- Remove access immediately when someone leaves.
- Regularly audit shared folders and external collaborators.
This is also where having clear workplace rules helps. Many businesses formalise this in an Acceptable Use Policy so your team understands what is (and isn’t) okay when handling customer and employee data.
4) Have A Process For Access And Correction Requests
Individuals generally have rights to request access to their personal information and request corrections (with some exceptions).
If your data is spread across multiple Dropbox folders, shared links, and staff devices, it becomes harder to respond confidently and on time.
Even as a small business, it’s worth creating a simple internal process such as:
- Who receives privacy requests?
- Where is the data likely to be stored?
- How do you confirm the requester’s identity?
- Who has authority to release the information?
- How do you record what you provided and when?
For some businesses, using a standard form can help keep it consistent - for example, an Access Request Form that ensures you collect the right information before you start searching across systems.
5) Data Minimisation And Retention Matter (Even In Cloud Storage)
A common assumption is: “Storage is cheap, so we’ll keep everything forever.”
From a privacy compliance perspective, that can create unnecessary risk. The longer you hold personal information, the more damage it can cause if there’s a breach - and the harder it is to keep access controls tidy as your business grows.
Good practice usually includes:
- only collecting what you need;
- having a retention policy (how long you keep certain categories of data); and
- secure deletion processes when information is no longer needed.
Practical Steps To Make Dropbox Use More Privacy Act 2020 Compliant
Here’s a practical checklist you can work through. You don’t have to do everything overnight - but putting these foundations in place early can save you a lot of stress later.
Step 1: Map What Personal Information You Store In Dropbox
Start with a simple data inventory. Ask:
- What types of personal information do we store?
- Which folders contain sensitive information (e.g. health, ID documents, HR)?
- Who has access to those folders?
- Do we share any of these folders externally?
This step is crucial because it tells you where your highest risks are, and where you should tighten security first.
Step 2: Tighten Access Controls And Authentication
For most small businesses, the “quick wins” are security settings and access hygiene. Consider:
- enabling multi-factor authentication (MFA) for all users;
- ensuring each person has their own user login (no shared passwords);
- locking down link sharing (especially “anyone with the link” settings);
- reviewing third-party integrations connected to your storage account; and
- setting a schedule to review who has access (e.g. quarterly).
If your team accesses files on mobile devices or personal laptops, it’s also worth thinking about device security (screen locks, encryption, remote wipe where possible).
Step 3: Put The Right Privacy Documents In Place
Strong privacy compliance isn’t just about IT settings - it’s also about being transparent and setting expectations.
For many NZ businesses, that means having a clear Privacy Policy that explains (in plain language):
- what information you collect and why;
- how you store it (including that you use cloud service providers);
- who you share it with (including overseas service providers, if relevant);
- how people can request access or corrections; and
- how you handle complaints.
If you collect personal information online (through a website form, online checkout, or booking system), you may also need a Privacy Collection Notice so customers see the key points at the time you collect the information (not hidden away later).
Step 4: Make Sure Your Contracts Cover Data Handling
If third parties handle personal information for your business (IT providers, virtual assistants, offshore admin support, marketing agencies, or software vendors), your contracts should clearly set out privacy and security expectations.
Depending on your setup, that could include a Data Processing Agreement to cover things like:
- what personal information is being processed and why;
- security requirements;
- restrictions on sub-processing and overseas disclosures;
- timeframes and responsibilities for data breach notifications; and
- what happens when the relationship ends (return/deletion of data).
This becomes especially important if you’re sharing Dropbox folders with external collaborators, because you may effectively be “disclosing” personal information to them.
Step 5: Train Your Team (And Make It Easy To Do The Right Thing)
Most privacy incidents in small businesses aren’t caused by hackers - they’re caused by everyday mistakes like:
- sharing the wrong folder with the wrong person;
- sending a link that anyone can access;
- uploading personal information into a general “team” folder;
- not removing access for former staff; or
- syncing sensitive folders onto unsecured personal devices.
Clear written rules and a short onboarding training session can make a big difference. Again, an Acceptable Use Policy is a common way to formalise expectations and reduce “we didn’t know” problems later.
What If There’s A Data Breach In Dropbox?
Even with strong security, breaches can happen - through phishing, compromised passwords, human error, or misconfigured sharing settings.
Under the Privacy Act 2020, some privacy breaches are notifiable: if a breach has caused (or is likely to cause) serious harm, you may need to notify:
- the Office of the Privacy Commissioner, and
- the affected individuals.
For small businesses, the biggest challenge is often not the notification itself - it’s knowing what happened, what data was involved, and acting quickly enough to limit harm.
That’s why it’s worth having a plan before anything goes wrong, including:
- how you identify and contain the breach (e.g. revoke links, reset passwords, suspend access);
- who is responsible internally for decision-making;
- how you assess whether “serious harm” is likely;
- how and when you notify; and
- how you document what happened and what you changed afterwards.
Many businesses put this into a simple Data Breach Response Plan so there’s no scrambling when time really matters.
If you’re unsure whether your incident is notifiable, it’s a good idea to get legal advice early. The way you respond (and what you say to customers) can affect your risk and reputation.
Common Mistakes NZ Businesses Make With Cloud Storage Compliance
If you want to improve your Dropbox Privacy Act 2020 compliance, it helps to know where businesses typically trip up.
Using Personal Accounts For Business Files
If staff store customer or employee information in personal accounts, it’s harder to control access, retrieve data when someone leaves, or ensure consistent security settings.
Over-Sharing By Default
Team-wide folders are convenient, but if those folders contain HR records, identity documents, or sensitive customer information, you’re increasing risk without meaning to.
“Anyone With The Link” Sharing For Sensitive Data
Link sharing is often the easiest way to collaborate, but it can also be the easiest way to accidentally disclose information to someone who shouldn’t have it - particularly if a link is forwarded or posted in the wrong place.
No Clear Retention/Deletion Practice
Keeping everything forever can feel safe, but it often increases your exposure. If you don’t need a document anymore, deleting it securely is usually the lower-risk option.
Not Thinking About Contractors And Offshore Teams
If contractors have access to Dropbox folders, that access should be intentional, limited, and documented. This is where contracts and permissions should align.
Key Takeaways
- “Dropbox Privacy Act 2020 compliance” is less about the platform itself and more about whether your business has reasonable privacy and security safeguards in place when storing and sharing personal information.
- The Privacy Act 2020 can apply to a wide range of files stored in cloud storage, including customer contact details, ID documents, health information, and employee records.
- Practical compliance steps include mapping what data you store, limiting access, using strong authentication, controlling link sharing, and training staff on safe handling practices.
- If you use third parties (including contractors) who can access personal information in your cloud storage, strong contracts and clear obligations can reduce your risk.
- Some privacy breaches are notifiable in New Zealand, so having a data breach response plan in place can help you act quickly and confidently if an incident occurs.
- Having the right privacy documents (like a Privacy Policy and privacy collection notice) helps you meet transparency obligations and set expectations with customers.
If you’d like help reviewing your privacy compliance setup (including cloud storage practices, privacy policies, and data processing contracts), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.