Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’re probably collecting more customer and staff information than you realise. It might be as simple as a name and email address for a newsletter, or as sensitive as identity documents, health information, or payment details.
That information can be incredibly valuable for your business - but it also comes with legal responsibilities. In New Zealand, those responsibilities mostly sit under the Privacy Act 2020, which sets the rules for how you collect, use, store, share, and dispose of personal information.
In this guide, we’ll break down what personally identifiable information (PII) New Zealand businesses should be watching out for, how PII connects to “personal information” under NZ privacy law, and practical steps you can take to stay compliant (without turning your business into a legal project).
What Counts As Personally Identifiable Information (PII) In New Zealand?
“Personally identifiable information” (PII) is a commonly used term (especially in tech and security). It generally means information that can identify a person - either on its own, or when combined with other information.
In New Zealand, the key legal concept is usually “personal information” under the Privacy Act 2020. In practice, PII and “personal information” overlap heavily - so if you’re thinking about PII compliance in New Zealand, it’s smart to treat PII as a privacy law issue.
Common Examples Of PII (And “Personal Information”) For Small Businesses
PII can include obvious details, but also less obvious data points. Here are common examples in small business settings:
- Contact details: names, email addresses, phone numbers, delivery addresses
- Account identifiers: customer numbers, membership numbers, login usernames
- Government-issued identifiers: passport numbers, driver licence details, IRD numbers
- Financial information: bank account numbers, billing details (and sometimes payment metadata)
- Online identifiers: IP addresses, device identifiers, cookie IDs (where linked to an individual)
- Employment-related information: payroll info, performance notes, leave records
- Health and wellbeing information: medical information, injury reports, accommodations (generally “sensitive”)
A simple rule of thumb: if you can reasonably connect the information back to a real person, treat it as PII/personal information and handle it carefully.
What About Business Contact Details?
Business contact information can still be personal information. For example, “Sam Taylor, sam@business.co.nz” is still about an identifiable individual, even if it’s used for work purposes.
This matters because many small businesses think privacy law is only about consumers - but it also applies to suppliers, contractors, and staff.
Why PII Compliance Matters For Small Businesses (It’s Not Just A Big Corporate Problem)
It’s easy to assume privacy compliance is something only large companies need to worry about. But for small businesses, privacy mistakes can hit harder because you usually don’t have a dedicated IT/security team - and the trust relationship with customers is often more personal.
Handling personally identifiable information the right way helps you:
- Build customer trust (people are more likely to buy when they feel safe)
- Reduce data breach risk (and the disruption that follows)
- Avoid complaints and investigations through the Office of the Privacy Commissioner
- Prevent costly contract disputes if you’re sharing data with vendors or service providers
It also makes day-to-day business easier. When your processes are clear, your team knows what they can and can’t do with customer information - and you’ll spend less time scrambling when someone asks, “Are we allowed to store this?”
If you collect personal information online, having a clear Privacy Policy is often a practical starting point because it forces you to map what you collect and why.
How The Privacy Act 2020 Applies To PII In New Zealand
The Privacy Act 2020 doesn’t use the term “PII” as the main legal label. Instead, it regulates personal information and sets a framework (through the Information Privacy Principles) for how organisations must handle it.
From a business owner’s perspective, the big idea is simple: collect only what you need, use it for the purpose you told people about, protect it, and don’t keep it forever.
Key Privacy Act Compliance Obligations (In Plain English)
While the Privacy Act includes detailed principles, most small businesses can stay on track by focusing on these practical compliance themes:
- Be transparent: tell people what you’re collecting, why, and who it may be shared with
- Collect fairly: don’t collect information in a misleading or overly intrusive way
- Use and disclose carefully: stick to the purpose you collected it for (unless another lawful basis applies)
- Keep it secure: take reasonable steps to prevent loss, unauthorised access, or misuse
- Let people access/correct their info: individuals can generally request access and correction
- Don’t keep it longer than necessary: have retention and disposal practices
If you’re building processes around these themes, you’re already doing a lot of the heavy lifting.
PII And The “Privacy By Design” Mindset
A good way to reduce risk (and make compliance easier) is to think about privacy early - before you launch a new system, marketing campaign, or customer onboarding process.
For example, if you’re setting up email marketing, it’s worth checking your collection notices and making sure you have an appropriate lawful basis for marketing (which may include consent in some cases). It can also help to pair this with a clear email marketing laws approach so your marketing and privacy obligations align.
How To Handle PII Safely: Collection, Storage, Access, And Disposal
Compliance isn’t just having the right policy on your website. It’s also about what happens operationally inside your business - the everyday steps where privacy issues usually pop up.
1) Collect Only What You Need (And Explain Why)
Before adding a new field to a form or asking for extra ID, ask:
- Do we actually need this information to provide the product or service?
- What risk does it create if we store it?
- Have we clearly explained why we’re collecting it?
Small businesses sometimes over-collect “just in case”. That can backfire, because the more PII you hold, the more you have to protect - and the greater the impact if something goes wrong.
2) Store PII Securely (Reasonable Steps, Not Perfect Steps)
The Privacy Act expects you to take reasonable steps to protect personal information. What’s “reasonable” depends on your business size, the sensitivity of the data, and how it’s stored.
Practical security measures often include:
- Access controls: only staff who need the data can access it
- Strong passwords and MFA: especially for email and cloud tools
- Device security: screen locks, encryption, secure backups
- Staff training: privacy issues are often human error, not hacking
- Supplier checks: if a service provider stores PII, you should know their security posture
If you’re sharing PII with contractors (for example, a virtual assistant, IT provider, or offshore support team), it’s worth documenting expectations clearly - including confidentiality and security. Depending on the arrangement, a tailored Service Agreement can help set the ground rules.
3) Control Internal Access (Especially For Staff)
Staff access is a common risk area. Even in a trusted team, you should avoid “everyone can see everything” systems unless you genuinely need them.
Where staff handle customer data, your onboarding should include clear expectations around privacy and confidentiality. A well-drafted Employment Contract often works alongside internal policies to make those expectations enforceable.
4) Set Retention And Disposal Rules
Keeping PII “forever” is rarely a good idea.
Instead, set retention timeframes based on your actual business needs (and any other laws that require record keeping), then securely dispose of information when it’s no longer required. Disposal might include secure deletion, shredding hard copies, and removing access from old tools.
This is one of those areas where small businesses often don’t have a plan - until they’re asked for information they shouldn’t still have. Setting a simple retention approach early is an easy win.
Data Breaches And PII: What To Do If Something Goes Wrong
Even careful businesses can have a bad day - an email sent to the wrong person, a stolen laptop, or a compromised password.
Under the Privacy Act 2020, certain privacy breaches can trigger mandatory notification obligations (in other words, you may need to notify the Office of the Privacy Commissioner and affected individuals).
What Is A Notifiable Privacy Breach?
A breach is more likely to be “notifiable” if it has caused (or is likely to cause) serious harm to individuals. The seriousness depends on factors like:
- what kind of information was involved (basic contact details vs sensitive health or ID information)
- how many people are affected
- who has gained access (trusted provider vs unknown third party)
- whether the information was protected (encryption, password protection, etc.)
If you’re not sure, it’s worth getting advice quickly - delays can make the situation harder to manage.
Your Practical Data Breach Response Checklist
If you suspect a breach, you’ll usually want to:
- Contain it: secure accounts, reset passwords, disable access, recover devices
- Assess it: identify what happened, what information is involved, who is affected, and the likely harm
- Notify if required: contact affected individuals and the Privacy Commissioner where the breach is notifiable
- Prevent recurrence: update processes, training, and security controls
Having a plan in place before anything happens makes a big difference. Many businesses build a response plan into broader privacy documentation, alongside a data breach response plan so everyone knows who does what under pressure.
What Documents Should Your Business Have If You Collect PII?
If you want to be protected from day one, you’ll usually need more than “good intentions”. The right legal documents help you set clear expectations with customers, suppliers, and staff - and they also act as evidence that you take privacy seriously.
A Privacy Policy (For Customers, Users, And Website Visitors)
If your business collects personal information through your website, online store, booking system, enquiry forms, or marketing tools, you should strongly consider having a clear Privacy Policy.
A well-drafted privacy policy typically covers:
- what personal information you collect
- how you collect it (forms, cookies, signups, etc.)
- why you collect it and how you use it
- who you share it with (for example, delivery providers or IT tools)
- how people can request access or correction
- how you protect information and how long you keep it
The key is that it should match what you actually do. A generic template can leave gaps or make promises you don’t follow - and that’s where legal risk starts creeping in.
Website Terms (Where You Run An Online Platform Or Collect Data Online)
If you’re operating online, your website terms help set boundaries around how users interact with your platform and can support your privacy settings (for example, prohibited use, account behaviour, and limitations).
Depending on your business model, you might use Website Terms and Conditions or a broader terms document that fits your online offering.
Contracts With Suppliers Who Process PII
Many small businesses share personal information with third parties as part of normal operations - for example:
- IT support providers
- cloud storage providers
- CRM and marketing tools
- bookkeepers or payroll providers
- delivery and logistics providers
You’ll want to make sure those relationships are documented so there’s clarity about confidentiality, security measures, and what happens if there’s a breach. This is especially important where suppliers are offshore, because cross-border handling can complicate things.
Internal Policies And Training (So Your Team Doesn’t Accidentally Create Risk)
Policies aren’t just for corporate workplaces. Even a small team needs clear guidance - especially if staff handle customer data, take payments, manage bookings, or have backend access to systems.
Many businesses create a simple privacy playbook and pair it with proper employment documentation. If your team uses tools like AI, it’s also wise to set boundaries early with something like a Generative AI Use Policy, because copying customer info into AI tools can raise privacy and confidentiality concerns.
Key Takeaways
- Personally identifiable information (PII) in New Zealand usually overlaps with “personal information” under the Privacy Act 2020, so treat PII handling as a privacy compliance issue.
- PII can include more than names - online identifiers, business contact details, customer IDs, and staff records can all be personal information if they identify an individual.
- To comply with the Privacy Act 2020, focus on practical habits: collect only what you need, explain why you’re collecting it, keep it secure, limit access, and dispose of it when you no longer need it.
- If a data breach is likely to cause serious harm, you may have mandatory notification obligations, so it’s worth having a response plan ready before anything happens.
- A tailored Privacy Policy, clear online terms, and well-drafted supplier/staff documentation can help protect your business from day one (and make privacy compliance easier to manage as you grow).
- Don’t rely on generic templates for privacy compliance - your documents and practices need to match what your business actually does with personal information.
If you’d like help setting up privacy compliance for your business - including a Privacy Policy, website terms, or contracts that deal with customer data - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.