Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business in New Zealand, chances are you’re collecting personal information every day - customer names, emails, delivery addresses, staff records, CCTV footage, loyalty programme data, or even recorded phone calls.
That’s where the Privacy Act 2020 principles come in. They’re the practical rules (called the Information Privacy Principles, or IPPs) that tell you how you’re allowed to collect, use, store and share personal information.
The good news is: you don’t need to be a privacy expert to follow them. But you do need to understand what they require, because privacy compliance is one of those “from day one” foundations that can save you a lot of stress later - especially if you have a data breach, a complaint, or a customer asks to see what you hold about them.
Below, we break down the Privacy Act principles in plain English, with practical examples for small businesses.
What Are The Privacy Act 2020 Principles (And Why Do They Matter)?
The Privacy Act 2020 is New Zealand’s main privacy law. It applies to most organisations that collect or hold “personal information” (which is broadly any information about an identifiable individual).
When people talk about the “Privacy Act 2020 principles”, they usually mean the 13 Information Privacy Principles. These principles set the rules for:
- when you can collect personal information,
- how you should collect it (and what you need to tell people),
- what you can do with it once you have it,
- how long you should keep it,
- how you must keep it secure, and
- what rights people have to access and correct their information.
Even if you’re a small team, following the IPPs matters because privacy issues can directly affect your brand and customer trust - and because the Office of the Privacy Commissioner can become involved when complaints are made.
As a practical starting point, most businesses collecting personal information online should have a Privacy Policy and a clear “why we collect this” explanation at the point of collection (for example, in your checkout, contact form, or onboarding process).
Information Privacy Principles 1–4: Collect Personal Information Fairly And Only When You Need It
The first four information privacy principles in NZ are all about collection - what you collect, why you collect it, and how you go about it.
IPP 1: Purpose Of Collection
You should only collect personal information if you genuinely need it for a lawful purpose connected with what your business does.
- Example: An ecommerce store can collect a delivery address to ship goods.
- Risk to watch for: Asking for a customer’s date of birth “just because” (without a real need) is a red flag.
IPP 2: Source Of Personal Information
As a general rule, you should collect personal information directly from the individual concerned.
There are exceptions (for example, if the person authorises it, or if collecting directly would undermine the purpose), but for small businesses, the safest default is: collect it from the person themselves.
IPP 3: Collection From The Individual (Tell Them What’s Going On)
If you collect personal information from someone, you should take reasonable steps to make sure they know key details, like:
- the fact that you’re collecting the information,
- the purpose of collection,
- who will receive it (if anyone), and
- their rights to access and correct it.
This is where a Privacy Policy and clear collection notices matter. A privacy policy on its own isn’t always enough - you also need the right “just-in-time” explanation where the collection happens (for example, “We’ll use your email to send order updates and receipts”).
IPP 4: Manner Of Collection (Be Fair And Not Unreasonably Intrusive)
You must not collect personal information by unlawful means, or by means that are unfair or unreasonably intrusive in the circumstances.
- Example: Installing CCTV is often lawful, but covert surveillance can create real risk unless there’s a strong lawful basis and you’ve taken advice.
If your business uses cameras, make sure you think through privacy and employment obligations together - especially in workplaces. In many cases, having clear policies and signage is critical. If this is relevant to your setup, it’s worth reading up on whether cameras are legal in the workplace.
Information Privacy Principles 5–7: Store It Securely And Use It Only For The Right Reasons
Once you’ve collected personal information, the next set of Privacy Act principles focuses on how you hold and use it.
IPP 5: Storage And Security
You must ensure personal information is protected by reasonable security safeguards against loss, unauthorised access, use, modification, disclosure, and other misuse.
“Reasonable” depends on your business size, the sensitivity of the data, and how you store it. In practice, small businesses should usually consider:
- limiting admin access (not everyone needs full access to your CRM),
- strong passwords and multi-factor authentication,
- secure device practices (especially for remote work),
- staff training (human error is a big cause of breaches), and
- vendor risk (what third-party tools are you using?).
If you use contractors or service providers (for example, overseas developers, marketing agencies, or outsourced admin), you should be clear about who can access what, and what they’re allowed to do with it. That often comes down to good contracts and clear boundaries - similar to what you’d consider when engaging overseas contractors.
IPP 6: Access To Personal Information
Individuals generally have the right to request access to their personal information.
For your business, that means you need a process for receiving and responding to access requests - and for finding the information across your systems (email, CRM, accounting platform, booking software, etc.).
If you operate in health-adjacent industries (like counselling, allied health, wellness clinics, or medical services), access requests can be especially common and sensitive. A useful way to think about this is that people often want to get their medical records, and you need to know what you can share, how, and when.
IPP 7: Correction Of Personal Information
Individuals generally have the right to request correction of their personal information if it’s inaccurate.
If you don’t agree to change it, you may still need to take steps like attaching a statement of correction to the information (so your records show the person disputes it).
From a business perspective, accurate records also protect you - for example, ensuring you’re delivering to the right address, invoicing the right entity, and contacting the right person.
Information Privacy Principles 8–11: Keep It Accurate, Don’t Keep It Forever, And Be Careful When Sharing
This is the part of the information privacy principles that often trips businesses up, because it’s where privacy intersects with everyday operations: marketing, customer service, disputes, and vendor relationships.
IPP 8: Accuracy Before Use Or Disclosure
Before you use or disclose personal information, you should take reasonable steps to ensure it’s accurate, up to date, complete, relevant, and not misleading.
- Example: If you’re sending a default notice or escalating a debt to a collection provider, you should be confident you have the right person and the right details.
IPP 9: Retention (Don’t Keep It Longer Than Necessary)
You shouldn’t keep personal information for longer than you need it for the purpose it was collected.
This is a big one for small businesses, because it’s easy to accumulate data “just in case”. In practice, you should:
- set retention periods (even a simple internal rule helps),
- delete or anonymise old customer records where appropriate, and
- have a plan for archiving and disposal of employee records.
Retention also intersects with other obligations, like contracts and tax or record-keeping requirements. You may need to keep certain records for a minimum period - it’s worth checking with your accountant or tax adviser what applies to your business. The key is to separate what you must retain from what you’re keeping without a clear reason.
IPP 10: Limits On Use
You should generally only use personal information for the purpose you collected it for.
There are exceptions (for example, if the individual consents, or if another exception applies), but as a practical business rule: avoid “purpose creep”.
- Example: If someone gives you their email to receive an invoice, using that email to subscribe them to marketing without proper consent creates risk (and can annoy customers).
If you do email marketing, it’s smart to keep privacy and marketing compliance aligned. A clear consent process, unsubscribe mechanisms, and transparent messaging are all part of good practice. It can also help to understand email marketing laws generally, so your systems don’t work against you.
IPP 11: Limits On Disclosure
You shouldn’t disclose personal information unless the disclosure is connected to the purpose it was collected for, the individual consents, or another permitted basis applies.
For small businesses, common disclosure scenarios include:
- sharing customer details with couriers or delivery drivers,
- sharing customer data with booking or payment providers,
- sharing information with your accountant or payroll provider,
- sharing CCTV footage with police (where appropriate), and
- sharing employee details with a third-party benefits or HR platform.
A practical tip is to map “who we share data with” and ensure your privacy policy and contracts match reality. If you’re unsure whether a proposed disclosure is safe, it’s worth getting advice before you do it - it’s much easier to manage upfront than after a complaint is made.
Information Privacy Principles 12–13: Cross-Border Disclosures And Unique Identifiers
The last two Privacy Act principles often come up when you’re growing, scaling, or using modern software tools (which commonly store data overseas).
IPP 12: Disclosure Outside New Zealand
If you disclose personal information to an overseas person or organisation, you need to take extra care. The Privacy Act sets specific rules for “cross-border disclosures”, and what you need to do can depend on how the overseas recipient will handle the information and the legal basis you’re relying on (for example, whether the individual is informed and authorises the disclosure, or whether contractual protections are in place).
This matters for small businesses because overseas disclosure can happen more easily than you think, for example when you use:
- cloud storage services hosted offshore,
- email and CRM systems with offshore servers,
- overseas virtual assistants or support teams, or
- international analytics and marketing platforms.
A practical way to reduce risk is to check where your key providers host data, read their privacy and security terms, and make sure your own customer-facing terms are clear.
IPP 13: Unique Identifiers
A “unique identifier” is an identifying number or code assigned to an individual for the purpose of uniquely identifying them (for example, employee numbers, customer IDs, and other reference numbers used inside your systems).
Under IPP 13, you should only assign unique identifiers where necessary, and you should not adopt someone else’s unique identifier (like a government-issued number) unless it’s necessary for your business and permitted.
- Example: Creating a customer ID in your CRM is usually fine if it helps you manage accounts.
- Watch out for: Collecting government identifiers without a clear reason (and without strong security controls) creates unnecessary risk.
How Do You Apply The Privacy Act 2020 Principles In Day-To-Day Business?
Reading the 13 principles is one thing. Applying them in real life is another - especially when you’re juggling sales, staff, customers, and cashflow.
Here’s a practical way to turn the Privacy Act 2020 principles into a workable compliance plan.
1) Do A Quick “Personal Information Map”
Write down:
- what personal information you collect (customers, employees, contractors, website visitors),
- where you collect it (website, phone, email, in-store, CCTV),
- where you store it (laptop, Google Drive, cloud CRM, POS system),
- who has access to it, and
- who you share it with.
This helps you spot gaps quickly (for example, “we’re collecting phone numbers but we don’t actually need them”).
2) Get Your Privacy Documents And Notices In Place
For many businesses, the basics include:
- a clear Privacy Policy (especially if you collect info online),
- collection notices at key points (checkout, enquiry forms, onboarding), and
- internal procedures for access/correction requests.
If you operate a website, app, or online platform, your privacy approach should also align with your wider customer-facing terms. Depending on your setup, that might mean having Website Terms and Conditions that match how you actually operate (including how you handle accounts, user content, and service delivery).
3) Set Clear Rules For Staff (And Put Them In Writing)
Your team can’t follow privacy rules they don’t know about. Having workplace policies that cover privacy, confidentiality, device use, and incident reporting can make a huge difference - particularly as you hire and grow.
Many businesses handle this through a broader staff policy suite such as a Staff Handbook, backed by properly drafted employment documents like an Employment Contract.
4) Build A Plan For Data Breaches
The Privacy Act 2020 includes mandatory privacy breach notification in certain situations (for “notifiable privacy breaches”).
You don’t need to panic - but you do need a plan, because when a breach happens, time and clarity matter. Having a written Data Breach Response Plan can help you respond quickly and consistently, and show that you’re taking reasonable steps.
A good breach plan typically covers:
- how to identify and contain the breach,
- how to assess the likely harm,
- when to notify affected individuals,
- when to notify the Privacy Commissioner, and
- how to prevent the same issue happening again.
5) Review Your Third-Party Tools And Providers
Even if you’re doing everything right internally, your privacy risk can increase if your suppliers (like booking systems, CRMs, cloud storage, payment providers, or marketing platforms) aren’t up to scratch.
At a minimum, you should check:
- where data is hosted (especially for IPP 12),
- what security measures are offered,
- who owns the data, and
- what happens if you leave the platform.
Where possible, make sure your commercial arrangements reflect your privacy commitments - and if you’re dealing with sensitive information or higher-risk industries, consider getting legal advice on the right contractual protections.
Key Takeaways
- The Privacy Act 2020 principles (the 13 Information Privacy Principles) set the ground rules for how your business collects, uses, stores and shares personal information in New Zealand.
- Principles 1–4 focus on collecting only what you need, being transparent about why you’re collecting it, and collecting it fairly.
- Principles 5–7 require you to secure information and have processes to respond to access and correction requests.
- Principles 8–11 cover accuracy, retention, use and disclosure - meaning you should keep data up to date, not hold it longer than necessary, and avoid using or sharing it outside the original purpose without a proper basis.
- Principles 12–13 become especially important if you use overseas service providers or assign unique identifiers to customers or staff.
- Practical compliance usually includes having a Privacy Policy, clear collection notices, staff training and policies, secure systems, and a plan for data breaches.
If you’d like help getting your privacy compliance set up properly - whether that’s your Privacy Policy, internal processes, or a Data Breach Response Plan - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.