Is Google Drive Privacy Act Compliant In New Zealand?

By Alex Solo, 10 min read

If your business uses Google Drive to store customer details, employee records, invoices, or even just day-to-day project files, it’s normal to wonder whether Google Drive is Privacy Act compliant in New Zealand.

The tricky part is that Privacy Act compliance isn’t a simple tick-box you can outsource to a platform. In most cases, compliance comes down to how your business uses cloud storage, what settings you turn on (or leave off), what you store there, and what processes you have in place if something goes wrong.

Below, we’ll walk you through what “Privacy Act compliant” really means in practice, how Google Drive fits into that picture, and the practical steps NZ small businesses should take to reduce risk and stay on the right side of the Privacy Act 2020.

What Does “Privacy Act Compliant” Mean For Cloud Storage In NZ?

In New Zealand, the Privacy Act 2020 sets out 13 information privacy principles (IPPs) that govern how “agencies” (which includes most businesses) collect, use, store, and share personal information.

When you use cloud storage, you’re still responsible for how personal information is handled. Using a reputable cloud provider can be a big help, but it doesn’t automatically make your business compliant.

Personal Information (And Why It Matters)

Personal information is broadly any information about an identifiable individual. For a small business, this commonly includes:

  • customer names, emails, phone numbers and addresses
  • order history, invoices and payment records (even if you don’t store card data)
  • complaints, support tickets and call notes
  • employee records (pay, leave, performance notes, medical certificates)
  • photos or videos where people are identifiable

Some personal information is more sensitive and deserves extra care (for example health information). If your business handles this kind of data, it’s worth reading up on sensitive personal information and making sure your storage and access controls are genuinely robust.

Under the Privacy Act, your business must take reasonable steps to protect personal information from:

  • loss
  • unauthorised access
  • unauthorised use, modification or disclosure
  • other misuse

So even if Google Drive has strong security features, you still need to implement them properly (and make sure your team actually follows your processes).

Overseas Storage And Cross-Border Disclosures

Cloud services may store or process data outside New Zealand. The Privacy Act deals with this in two ways. Where an overseas provider only stores or processes personal information on your behalf (as your agent, which is the usual position for cloud storage), the Act treats the information as still held by you, so your obligation to keep it secure does not go away; it now includes choosing and configuring the provider properly. Where you disclose personal information to an overseas person or organisation for that recipient’s own use, the cross-border disclosure principle (IPP 12) applies.

In plain terms: before you disclose personal information to an overseas organisation, you need a lawful basis to do so. Often that means taking reasonable steps to check the overseas recipient will protect the information in a way that’s comparable to New Zealand’s protections (for example, through contractual terms or an assessment of their privacy framework), or relying on another basis permitted by the Act, such as the individual expressly authorising the disclosure after being told that the overseas recipient may not be required to protect it in a comparable way.

This doesn’t mean “don’t use overseas cloud providers”. It means you should understand where data may go, what contractual safeguards apply, and what controls you have internally.

Is Google Drive Privacy Act Compliant?

Here’s the most useful way to think about it: Google Drive can support Privacy Act compliance, but your business can still be non-compliant if you use it carelessly.

So when someone asks whether Google Drive is compliant with the Privacy Act, the real answer is usually:

  • Google Drive includes security and privacy controls that can help you meet your obligations.
  • Compliance depends on your setup, what you store there, who can access it, and whether you’ve put the right policies and procedures in place.

What Google Drive Typically Helps With

Most established cloud platforms, including Google Drive when it is used through a Google Workspace business subscription, offer tools that can support compliance, such as:

  • access controls (per-file and per-folder sharing settings, permissions, restricted folders, shared drives)
  • authentication options (including multi-factor authentication)
  • audit logs and activity tracking (the Drive audit log in the Workspace admin console records who shared, viewed, downloaded or changed the visibility of a file; the detail available depends on your edition and settings)
  • encryption in transit and at rest, which Google applies by default. Be clear about what this does and doesn’t protect against: it guards the data on Google’s infrastructure and on the wire, but it does nothing to stop a signed-in user sharing a file with the wrong person or a stolen session reading it
  • admin controls for business accounts, including organisation-wide limits on external sharing

A free personal Google account does not give you the admin console, the audit log or organisation-wide sharing restrictions, so running the business on personal Gmail accounts leaves most of these controls out of reach.

These features can help you take “reasonable steps” to protect personal information. But you need to actually turn them on, configure them, and build your processes around them.

What Google Drive Won’t Do For You

Even with excellent tooling, Google Drive won’t automatically solve common privacy compliance risks like:

  • staff sharing documents to the wrong email address
  • ex-employees still having access after they leave
  • customer data being stored longer than you need it
  • unclear rules about what can be uploaded (e.g. identity documents, medical info, bank details)
  • no plan for responding to a suspected breach

In other words, cloud storage can be part of a compliant system, but it’s not the whole system.

Key Privacy Act 2020 Obligations When Using Google Drive

To stay compliant, it helps to map your Google Drive use back to your key Privacy Act obligations. Here are the big ones we see small businesses overlook.

1) Only Collect And Keep What You Need

A common cloud storage trap is collecting “just in case” information and keeping it forever because storage is cheap.

From a privacy perspective, you should aim to:

  • only collect personal information you genuinely need for your business purpose
  • store it in a structured way (so it doesn’t sprawl across random folders)
  • set retention rules (so you delete or de-identify what you no longer need)

This is also practical risk management: you can’t lose data you don’t keep.

2) Use And Disclose Information For The Right Purpose

If you collect personal information for one purpose (for example, fulfilling an order), you generally shouldn’t use it for another unrelated purpose (for example, marketing) unless you’ve got the right basis to do so.

This is where strong internal rules matter. Even if Google Drive is “secure”, using the data incorrectly can still be a breach of privacy obligations.

3) Keep Information Secure (Access Controls Are Everything)

Security is a major part of whether your use of Google Drive is compliant with the Privacy Act.

For many small businesses, the highest-risk issues aren’t hackers; they’re misconfigurations and oversharing. For example:

  • links set to “Anyone with the link can view”
  • folders shared to personal Gmail accounts rather than business accounts
  • no multi-factor authentication
  • no restriction on downloads or external sharing (where available)

Make sure access is based on “need to know”, not convenience.

4) Be Ready For Access Requests And Corrections

Individuals generally have rights to request access to their personal information and to request corrections (IPPs 6 and 7). You must respond to an access request as soon as reasonably practicable and no later than 20 working days after receiving it.

If you’ve scattered information across random Google Drive folders, it becomes much harder to find everything and respond within that timeframe.

Practically, you should know:

  • where you store different categories of personal information
  • who is responsible for responding to privacy requests
  • how you will search, export, and provide information safely

Having a clear privacy process (and not relying on “we’ll figure it out later”) can save you a lot of stress.

5) Have A Data Breach Plan (And Know When To Notify)

Under the Privacy Act, a privacy breach is notifiable if it is reasonable to believe it has caused, or is likely to cause, serious harm to an affected individual. For a notifiable breach you must notify the Privacy Commissioner as soon as practicable after becoming aware of it, and generally notify the affected individuals as well (or give public notice if notifying them directly isn’t practicable). Failing to notify the Commissioner without reasonable excuse is an offence.

If you store personal information in Google Drive, your breach risks could include:

  • a compromised account (phishing, weak password, no MFA)
  • accidental sharing to the wrong person
  • a staff member downloading data onto an unsecured device
  • an ex-contractor retaining access to shared folders

It’s much easier to respond calmly if you’ve already prepared your steps and decision-makers. Many businesses formalise this with a data breach response plan and, where needed, support around data breach notification.

A Practical Checklist For NZ Businesses Using Google Drive

If you want a practical way to reduce privacy risk quickly, here’s a checklist you can work through. You don’t need to tackle everything in one day, but you should aim to get your legal foundations right early, especially before your business scales.

Step 1: Work Out What You Store In Google Drive

Start with a quick audit. Identify what categories of information you store, such as:

  • customer records
  • employee files
  • supplier contracts
  • ID verification documents
  • health information (e.g. medical certificates)

Once you know what’s in there, you can apply the right controls to the highest-risk folders first.

Step 2: Limit Access By Role (Not By Convenience)

As a rule of thumb:

  • finance folders should be restricted to finance roles
  • HR/people folders should be restricted to HR/leadership
  • customer support folders should be restricted to the support team
  • only nominated admins should be able to change sharing settings across the business

This also helps if you ever need to show you took “reasonable steps” to protect data.

Step 3: Lock Down Sharing Settings

Overly open sharing is one of the most common cloud storage issues we see.

Depending on your Google Drive setup, consider steps like:

  • restricting external sharing by default (and allowing it only when needed)
  • stopping “anyone with the link” sharing for sensitive folders
  • requiring approval for sharing outside your domain
  • setting expiry dates on external access (where possible)

If you need to share documents externally (for example, with clients or contractors), set up a consistent method that your team follows every time.

Step 4: Implement Strong Account Security

At a minimum, you’ll usually want:

  • multi-factor authentication (MFA) enforced for all accounts, preferably a phishing-resistant method such as a security key or passkey rather than SMS codes, which can be phished or SIM-swapped
  • strong password policies and password manager use
  • device security rules (especially for laptops used remotely): disk encryption, screen lock, and current updates
  • a clean offboarding process: disable the account the day someone leaves, transfer ownership of their files, and remove any sharing they set up to personal addresses

These controls matter just as much as the platform itself when assessing whether your use of Google Drive is compliant with the Privacy Act.

Step 5: Set Retention And Deletion Rules

Ask: how long do you actually need to keep different types of personal information?

For example:

  • Do you delete CVs and interview notes after a set period?
  • Do you keep customer identification documents longer than necessary?
  • Do you have a process for deleting old client files?

Having a retention policy reduces risk and helps with compliance. It also makes responding to requests and disputes easier because your records are more organised.
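The misconfigurations listed under section 3 above and the checks in Steps 1 to 5 can be run mechanically over the sharing metadata Google Drive exposes. The script below is an added example, not code from this article or from Google. It assumes a Workspace domain of example.co.nz, one offboarded address, and file records in the shape the Drive API v3 files.list call returns; the three records are constructed for the example.

```python
"""Audit Google Drive sharing metadata for the oversharing patterns above.

Record shape follows the Drive API v3 files.list response when called with
fields="files(id,name,modifiedTime,permissions(type,role,emailAddress,domain,allowFileDiscovery))".
BUSINESS_DOMAIN, OFFBOARDED and SAMPLE_FILES are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

BUSINESS_DOMAIN = "example.co.nz"                 # assumption: your Workspace domain
OFFBOARDED = {"former.staff@example.co.nz"}       # assumption: accounts that should be gone
ELEVATED = {"owner", "organizer", "fileOrganizer", "writer"}  # Drive roles that can change or delete

# Constructed sample, shaped like Drive API v3 file resources.
SAMPLE_FILES = [
    {"id": "1aBc", "name": "Customer list 2024.xlsx", "modifiedTime": "2024-01-15T10:20:30.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.co.nz"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
     ]},
    {"id": "2dEf", "name": "HR - medical certificates", "modifiedTime": "2021-03-02T08:00:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "hr@example.co.nz"},
         {"type": "user", "role": "writer", "emailAddress": "bob.personal@gmail.com"},
         {"type": "user", "role": "reader", "emailAddress": "former.staff@example.co.nz"},
     ]},
    {"id": "3gHi", "name": "Team roster", "modifiedTime": "2026-03-10T09:00:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "ops@example.co.nz"},
         {"type": "domain", "role": "reader", "domain": "example.co.nz", "allowFileDiscovery": True},
     ]},
]


def _severity(role):
    """External access that can edit or delete is worse than read-only access."""
    return "HIGH" if role in ELEVATED else "MEDIUM"


def audit_file(file, business_domain=BUSINESS_DOMAIN, offboarded=OFFBOARDED):
    """Return a list of human-readable findings for one file resource."""
    findings = []
    for p in file.get("permissions", []):
        ptype, role = p.get("type"), p.get("role")
        if ptype == "anyone":
            how = "discoverable by search" if p.get("allowFileDiscovery") else "anyone with the link"
            findings.append(f"[HIGH] public link: {how} ({role})")
        elif ptype == "domain":
            dom = (p.get("domain") or "").lower()
            if dom != business_domain:
                findings.append(f"[{_severity(role)}] shared with every user of {dom} ({role})")
        elif ptype in ("user", "group"):
            email = (p.get("emailAddress") or "").lower()
            if email in offboarded:
                findings.append(f"[HIGH] offboarded account still has access: {email} ({role})")
            elif not email.endswith("@" + business_domain):
                findings.append(f"[{_severity(role)}] external {ptype}: {email} ({role})")
    return findings


def audit(files, business_domain=BUSINESS_DOMAIN, offboarded=OFFBOARDED):
    """Map file name -> findings, omitting files with nothing to report."""
    report = {}
    for f in files:
        findings = audit_file(f, business_domain, offboarded)
        if findings:
            report[f["name"]] = findings
    return report


def past_retention(files, max_age_days, now=None):
    """Names of files not modified within max_age_days: candidates for the Step 5 review."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for f in files:
        # Drive returns RFC 3339 timestamps with a trailing Z; fromisoformat wants +00:00.
        modified = datetime.fromisoformat(f["modifiedTime"].replace("Z", "+00:00"))
        if modified < cutoff:
            stale.append(f["name"])
    return stale


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FILES).items():
        print(name)
        for line in findings:
            print("   ", line)
    print("not modified in 2 years:", past_retention(SAMPLE_FILES, 730))
```

In production the records come from files.list run under an administrator-delegated service account (with supportsAllDrives and includeItemsFromAllDrives set if you use shared drives), because the permissions field is only returned for files the caller is allowed to see permissions on. The query visibility = 'anyoneWithLink' narrows the listing to public files server-side, but the per-permission check above also catches the external personal addresses and the ex-staff accounts that query would miss.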

Strong technical settings are only one side of the equation. If you’re storing personal information in cloud systems, you should also support that with clear documentation and internal rules.

A Privacy Policy That Matches What You Actually Do

If you collect personal information from customers (even via a simple contact form), you’ll usually want a Privacy Policy that explains:

  • what personal information you collect and why
  • how you store and protect it
  • whether you disclose it to service providers (including cloud storage providers)
  • how customers can request access or correction
  • how to contact you with privacy concerns

The key is that it should reflect your real practices. A copy-pasted template that doesn’t match your systems can create risk (especially if a complaint arises).

Internal Rules For Staff (So Your Settings Don’t Get Undone)

Even the best security setup can be undermined if your team doesn’t know the rules.

Depending on your business, it may be useful to have documents that cover things like:

  • what staff can upload to Drive (and what they must never upload)
  • how files should be named and stored (to avoid “mystery folders”)
  • how external sharing works (and who can approve it)
  • what to do if someone thinks they’ve shared the wrong document

If you have a broader policy suite, an Acceptable Use Policy can be a practical way to set expectations around business systems, accounts, and data handling.

Contracts With Suppliers And Service Providers

If other providers or contractors access your Drive folders (for example, outsourced admin, marketing, bookkeeping, IT support), you’ll want the right contractual protections in place.

At a minimum, think about:

  • confidentiality obligations
  • limits on how they can use your data
  • security standards they must follow
  • what happens when the engagement ends (returning/deleting data)

In some cases, a data processing agreement is a sensible way to document privacy and security obligations where another party is handling personal information on your behalf.

Privacy Advice When You’re Not Sure If You’re “Crossing The Line”

Cloud storage issues often pop up when you’re growing quickly: new staff, more contractors, more customer data, more systems.

If you’re unsure whether your Google Drive setup is appropriate for the type of information you handle, getting privacy advice can help you identify the biggest risks early (before they turn into a complaint or notifiable breach).

Be Careful With Deletion Requests And The “Right To Be Forgotten” Concept

Businesses sometimes assume that if a customer asks you to delete everything, you must immediately wipe all records. In reality, privacy obligations can be more nuanced; sometimes you may need to retain certain information for legal, tax, or dispute reasons.

If this comes up for your business, it helps to understand the idea behind the right to be forgotten (and how it interacts with New Zealand privacy law in practice).

Key Takeaways

  • “Is Google Drive Privacy Act compliant?” is usually the wrong framing: Google Drive can support compliance, but your business is still responsible for how personal information is stored, accessed, used, and shared.
  • The Privacy Act 2020 requires you to take reasonable steps to protect personal information, including controlling access, preventing unauthorised disclosure, and having a plan for breaches.
  • If personal information may be stored or processed overseas, you should consider cross-border disclosure obligations and what safeguards apply.
  • Common risks aren’t just cyberattacks-they include oversharing links, weak account security, no offboarding process, and inconsistent storage practices.
  • A practical compliance approach includes auditing what you store, limiting access by role, locking down sharing settings, implementing MFA, and setting retention/deletion rules.
  • Support your technical setup with the right documentation, including a Privacy Policy, internal usage rules, and (where appropriate) contracts or a data processing agreement.

This article is general information only and not legal advice. If you’d like help reviewing your privacy practices, setting up the right documents, or working through whether your use of cloud storage supports Privacy Act compliance for your particular business, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
