Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business in New Zealand, chances are you collect some kind of personal information - customer names, emails, delivery addresses, staff bank details, CVs, even CCTV footage.
And if you’ve ever googled “privacy act 1993”, you’re not alone. It’s a common search term because the Privacy Act 1993 sat at the heart of New Zealand privacy compliance for years, and plenty of older policies, templates, and business processes still refer to it.
But here’s the key point: the Privacy Act 1993 has been replaced by the Privacy Act 2020.
So what does that mean for your business today? In this guide, we’ll explain (in plain English) what the Privacy Act 1993 used to require, what the Privacy Act 2020 expects now, and the practical steps you should take to protect your business from day one.
Why “Privacy Act 1993” Still Matters (Even Though The Law Has Changed)
When people search for “privacy act 1993”, they’re usually trying to understand their obligations around:
- collecting customer data (like emails, phone numbers, addresses)
- storing staff records securely
- marketing and email lists
- sharing information with suppliers, couriers, accountants, software providers, or contractors
- what to do if there’s a data breach
Those privacy issues didn’t disappear when the Privacy Act 1993 was repealed - if anything, they became more important. The Privacy Act 2020 updated and strengthened the privacy framework to reflect how modern businesses actually operate (cloud software, online sales, remote teams, outsourced providers, etc.).
In practice, understanding the Privacy Act 1993 is still useful because:
- Many privacy policies and internal documents still reference it, especially if they haven’t been updated in a while.
- The core concepts (like the privacy principles) stayed broadly consistent, so older explanations can still help you understand the “why”.
- Search intent is often really about current privacy compliance - even if the phrase being searched is “privacy act 1993 nz”.
Bottom line: if your business is relying on a document or process that still says “Privacy Act 1993”, it’s a good sign you should review and update your privacy settings, policies, and contracts.
What The Privacy Act 1993 Required (In Plain English)
The Privacy Act 1993 was built around information privacy principles (often called “IPPs”). These principles guided how organisations should collect, use, store, disclose, and manage personal information.
Even though we’re now under the Privacy Act 2020, it’s helpful to understand the Privacy Act 1993 framework because it shaped the compliance mindset many New Zealand businesses still use today.
1. Only Collect What You Need
Under the Privacy Act 1993 approach, you were expected to collect personal information only if it was necessary for a lawful purpose connected with your business.
Small business example: if you run an online store, you’ll need a customer’s delivery address. You probably don’t need their date of birth (unless you’re selling age-restricted products).
2. Be Transparent About Collection
Businesses were generally expected to tell people:
- what you’re collecting
- why you’re collecting it
- who will receive it (if you disclose it to anyone else)
- what happens if they don’t provide it
This is one reason modern businesses commonly publish a Privacy Policy - it’s a practical way to cover these points clearly and consistently.
3. Store It Securely
The Privacy Act 1993 expected organisations to take reasonable security safeguards to protect personal information. That included things like:
- password protection and access controls
- secure storage for paper records
- limiting who in your team can access sensitive data
- having internal procedures for handling information
4. Use It Only For The Purpose You Collected It For
A key idea under the Privacy Act 1993 was purpose limitation: don’t collect information for one reason and then use it for a completely different reason (unless an exception applies or you have consent).
Example: if someone gives you their email for an invoice, that doesn’t automatically mean you can sign them up to promotional emails (unless you’ve handled consent properly).
5. Allow People To Access And Correct Their Information
Individuals generally had the right to request access to personal information you hold about them and to request corrections if it’s wrong.
This matters for customer accounts, subscription databases, and staff records - if you hold it, you should be able to find it and respond appropriately.
What Changed Under The Privacy Act 2020 (And Why Businesses Should Care)
While the Privacy Act 1993 laid the groundwork, the Privacy Act 2020 modernised the rules and introduced stronger expectations around accountability.
You don’t need to memorise the legislation, but you do need systems that reflect what the law expects in the real world.
Mandatory Data Breach Notification (In Some Cases)
One of the most practical changes is that businesses may need to notify the Privacy Commissioner and affected individuals if there’s a privacy breach that has caused, or is likely to cause, serious harm (often called a “notifiable privacy breach”).
This makes it important to have a plan before anything goes wrong - even if you’re a small team. A Data Breach Response Plan helps you respond quickly, contain the issue, and make consistent decisions under pressure.
Stronger Cross-Border Disclosure Controls
If you use offshore tools or service providers (think cloud storage, email platforms, CRMs, helpdesk software, outsourced admin), the Privacy Act 2020 requires extra care when disclosing personal information overseas.
For many small businesses, this doesn’t mean “you can’t use overseas tools” - it means you should be confident that there are appropriate protections and that you’re being transparent with customers and staff.
More Focus On Proactive Privacy Practices
The Privacy Act 2020 doesn’t use the phrase “privacy by design” as a strict legal test, but in practice the expectations have moved towards building privacy into your processes early (so you’re not scrambling after a complaint or breach).
That could mean:
- defaulting to collecting the minimum data you need
- setting access levels in your systems (so not everyone can see everything)
- having clear retention/deletion practices
- using privacy-friendly settings when you roll out new tools
What It Means For Your Business Day-To-Day (A Practical Compliance Checklist)
Privacy compliance can feel like a “big business” problem - but in reality, small businesses often have more risk because they’re moving fast, using lots of software, and don’t always have dedicated compliance staff.
Here’s a practical checklist to help you get your legal foundations right.
1. Map What Personal Information You Collect
Start simple. List what you collect, where it comes from, and where it’s stored. For example:
- website enquiry forms
- online store checkout
- customer invoices and delivery details
- mailing list sign-ups
- employee records (payroll, leave, performance notes)
- contractor details
This helps you spot “hidden” privacy risk (for example, old spreadsheets, shared inboxes, or staff saving files locally).
2. Put The Right Privacy Documents In Place
Most businesses that collect personal information online should have a clear, up-to-date Privacy Policy.
Depending on your business model, you may also need supporting documents and internal procedures - especially if you handle higher-risk information like health details, identity documents, or financial information.
If you collect or store sensitive personal information, it’s worth getting tailored legal advice, because both the risk and the safeguards expected of you are higher.
3. Control Access Internally (Especially For Staff Data)
Privacy isn’t just about customers. If you employ staff, you’re likely collecting significant personal data (IDs, contracts, bank details, performance notes, medical certificates).
A practical step many businesses overlook is setting expectations and boundaries internally - including what’s appropriate to collect, who can access it, and how it should be used. An Employee Privacy Handbook can help formalise this in a way that fits your workplace.
4. Be Careful With Marketing And Mailing Lists
Privacy law overlaps with marketing rules in a few ways - especially when you’re collecting emails and sending promotional material.
As a general rule, you should make sure your marketing approach is consistent with:
- what you told customers when you collected their details
- what your privacy policy says
- how people can opt out (and whether you actually action opt-outs promptly)
If you’re building your business and trying to grow quickly, it’s tempting to treat your mailing list as a free-for-all. But privacy compliance is one of those areas where getting it wrong can damage trust (and lead to complaints).
5. Plan For A Data Breach Before It Happens
A data breach isn’t always a hacker in a hoodie. For small businesses, it’s often:
- an email sent to the wrong recipient
- a lost laptop or phone
- a staff member accidentally sharing access credentials
- customer information exposed via a misconfigured cloud folder
Having a Data Breach Response Plan means you’re not trying to work it out on the fly when you’re already under pressure.
Common Privacy Scenarios For Small Businesses (And How To Handle Them)
The real value in understanding “privacy act 1993 nz” style obligations is being able to apply privacy principles to everyday business situations.
Here are some of the scenarios we see most often.
CCTV And Workplace Monitoring
If you use CCTV in your shop, office, warehouse, or other premises, you need to think about privacy from the start - not after you’ve installed cameras everywhere.
Key questions include:
- What’s the legitimate purpose (security, safety, incident investigation)?
- Are you collecting more than you need (e.g. filming break rooms or bathrooms - which is generally not appropriate)?
- Are people clearly notified?
- How long is footage stored, and who can access it?
This overlaps with employment expectations too. If you’re unsure, it’s worth reading up on cameras in the workplace so you can set boundaries and policies that are fair and legally sensible.
Call Recording With Customers Or Clients
If your business records calls (for training, quality assurance, or dispute resolution), you should be careful about consent and notification - especially because customers may share personal information on calls.
It’s a good idea to check the legal and practical considerations around business call recording laws before you roll this out or rely on a generic phone system default setting.
Handling Health And Medical Information
Some businesses handle health information more often than they realise - for example:
- a gym collecting medical conditions in onboarding forms
- a wellness provider storing consultation notes
- an employer collecting medical certificates
- a service provider dealing with injury reports
Health information is usually treated as sensitive, so you should be extra careful about collection, storage, and disclosure. In many cases, you may need a tailored Privacy Policy designed for health service providers.
Using Contractors And Overseas Service Providers
Small businesses commonly use:
- outsourced customer service
- IT contractors
- marketing agencies
- virtual assistants
- overseas software tools
If those people or platforms can access personal information (customer data, staff records, mailing lists), you should think carefully about:
- who has access and why
- what the contractor/service provider is allowed to do with the data
- whether you’ve told your customers or staff about the disclosure
- what happens if something goes wrong
This is where “getting your legals right from day one” really matters - privacy risk often shows up through relationships and systems, not just your own intentions.
Key Takeaways
- The phrase “privacy act 1993” is still commonly searched, but that Act has been replaced by the Privacy Act 2020 - your business should comply with the current law.
- The Privacy Act 1993 principles still help explain the basics: collect only what you need, be transparent, store it securely, and use it fairly.
- Under the Privacy Act 2020, businesses need to take data breaches seriously - including potential notification requirements where serious harm is likely - so having a response plan in place is a smart move.
- A clear, up-to-date Privacy Policy and internal privacy processes help you stay consistent, reduce complaints, and build trust with customers and staff.
- High-risk areas for small businesses include CCTV, call recordings, staff records, marketing lists, and sensitive personal information - these are worth getting right early.
- Privacy compliance is much easier (and cheaper) when it’s built into your systems from the start, rather than patched after something goes wrong.
Note: This article is general information only and isn’t legal advice. If you want advice tailored to your situation, you should speak with a lawyer.
If you’d like help getting your privacy compliance set up properly - whether that’s a Privacy Policy, a Data Breach Response Plan, or workplace privacy documents - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.