Privacy Act 2020 Information Requests: NZ Business Response Timeframes

By Alex Solo

If you run a small business in New Zealand, you’re probably collecting personal information every day - customer details, enquiries, online orders, marketing sign-ups, CCTV footage, employee records, supplier contacts, and more.

That also means you may receive a “Privacy Act request” (often called an information request or access request), where someone asks to see the personal information you hold about them.

These requests can feel stressful when you’re busy, but the good news is the Privacy Act 2020 sets out clear rules and timeframes. Once you understand the key deadlines (and what to do when things get tricky), you can respond confidently and reduce your risk of complaints to the Privacy Commissioner.

Below, we’ll walk you through the practical side of Privacy Act 2020 information request timeframes, including what counts as a request, when the clock starts, what you can (and can’t) do if you need more time, and how to set your business up to handle requests smoothly.

What Is An “Information Request” Under The Privacy Act 2020?

Under the Privacy Act 2020, individuals have a right to request access to their personal information held by an “agency” (which includes most businesses, not just government departments).

In plain terms: if you hold information about someone, they can ask for a copy.

For small businesses, common examples of personal information include:

  • Customer names, phone numbers, email addresses and delivery addresses
  • Account notes, service history and support tickets
  • In-store CCTV footage where the individual is identifiable
  • Audio recordings of customer calls (if you record calls)
  • Online order history and payment-related records (even if processed via a provider)
  • Employee records, performance documentation, rosters and payroll information

An information request doesn’t have to use special wording. Someone might email: “Can you send me everything you have about me?” or “I want a copy of my file.” If they’re asking for their personal information, treat it as a Privacy Act request.

If you’re collecting and storing personal data, it’s also worth having a Privacy Policy in place so customers (and your team) understand how you handle requests and what people can expect.

Privacy Act 2020 Information Request Timeframes: The Core Deadline

The key rule most businesses need to remember is this:

You must respond to an access request as soon as reasonably practicable, and no later than 20 working days after receiving it.

This is the central compliance point for Privacy Act 2020 information request timeframes.

What Does “Respond” Mean?

Within the 20 working days, you need to communicate your decision and take the appropriate next step. In practice, that means doing one of the following within time:

  • Provide access to the information (for example, by sending a copy); or
  • Confirm you are granting access, then provide the information (or make it available) without undue delay. If you can’t provide it within the original timeframe, only take longer if you’ve validly extended the deadline; or
  • Refuse the request (in full or in part), explaining why and letting the requester know they can complain to the Privacy Commissioner; or
  • Extend the timeframe (only if the Act allows it - more on that below).

In practice, for many small business requests, the simplest approach is to acknowledge the request quickly (even the same day), then aim to provide the information well before day 20 where possible.

What Counts As “20 Working Days”?

“Working days” generally means business days, excluding weekends and public holidays. If you have a request that comes in right before a holiday period, your due date may land later than you expect - but don’t rely on guesswork. Track the deadline carefully.

Tip: set a calendar reminder for day 10 and day 18. That way, if you hit complications (like verifying identity or locating archived data), you still have time to manage it properly.

When Does The 20-Working-Day Clock Start (And What If The Request Is Unclear)?

The timeframe generally starts when you receive the request. For most businesses, that will be when it lands in your inbox, your contact form, or is received by a staff member acting on behalf of the business.

This is why internal processes matter. If a request sits with a team member for a week before reaching the person who can action it, your business still wears the risk if you go over the 20 working days.

If The Request Is Too Broad Or Vague

Sometimes a requester asks for “everything” you hold, but doesn’t explain what they actually need, or they’re unclear about which account or time period they mean.

You can (and should) ask them to clarify or narrow the scope - but be careful here:

  • Asking for clarification is usually a good idea to avoid misunderstandings and reduce unnecessary work.
  • But you still need to respond within the Privacy Act timeframe. You shouldn’t use “clarification” as a way to stall.

A practical approach is to reply quickly with:

  • a confirmation you’ve received the request,
  • what you understand they’re asking for, and
  • specific questions to help you locate the right records.

If the request is genuinely unclear and you can’t reasonably action it without more detail, get legal advice early so you don’t accidentally miss the deadline while waiting.

If You Need To Verify Identity

If someone is asking for personal information, you need to be confident you’re releasing it to the right person. In some situations (especially where the information is sensitive), it’s reasonable to request proof of identity.

From a risk perspective, it’s better to take a bit of time to verify identity than to release personal information to the wrong person (which could create a privacy breach). Still, you should handle identity checks promptly and keep the requester updated so the process doesn’t drift.

Can You Extend The Privacy Act Timeframe?

Yes - but only in specific circumstances.

The Privacy Act allows an extension where:

  • the request is for a large quantity of information and meeting the 20-working-day deadline would unreasonably interfere with your operations; or
  • consultations are needed to make a decision on the request (for example, you need to consult a third party whose privacy may be affected).

What You Need To Do If You Extend

If you extend the timeframe, you should notify the requester:

  • within the original 20 working days (don’t wait until after the deadline),
  • that you are extending the time,
  • the period of the extension (or the new due date),
  • the reasons for the extension, and
  • that they can complain to the Privacy Commissioner.

From a practical business point of view, extensions are best treated as the exception, not the default. If you regularly need extensions, it’s usually a sign you need better systems for storing and retrieving personal information, or clearer internal responsibility for privacy requests.

If your business handles a lot of personal information, a tailored privacy setup (including policies and processes) can save a lot of time. This is also where getting targeted Privacy Advice can be a smart investment, especially before you’re dealing with a complaint.

When Can You Refuse An Information Request (And Do Timeframes Still Apply)?

Sometimes you can’t (or shouldn’t) provide everything requested - and the Privacy Act recognises that.

There are grounds to refuse access in certain situations, such as where disclosure would:

  • unreasonably disclose someone else’s personal information,
  • prejudice the maintenance of the law (in certain contexts),
  • reveal trade secrets or commercially sensitive information (depending on the circumstances), or
  • be otherwise permitted to be withheld under the Act.

Refusals can be full or partial. In real life, many “refusals” are actually partial releases - for example, providing a document but redacting names or details of other individuals.

Your Refusal Still Needs To Be Within The Timeframe

Even if you’re refusing, the 20-working-day timeframe still matters. You need to communicate your decision within time, and your response should usually include:

  • what you are refusing (and what you are providing, if partial),
  • the reason (in plain language), and
  • that the requester can complain to the Privacy Commissioner.

If you’re unsure whether you can refuse, or how to redact properly (especially for CCTV footage or internal emails), it’s worth getting advice before responding. A rushed refusal can be just as risky as no response at all.

How To Handle Privacy Act Requests In A Small Business (Step-By-Step)

Knowing the law is one thing. Having a repeatable process is what will actually keep you compliant (and sane) when requests come in.

1. Centralise Where Requests Go

Decide where privacy requests should be sent and who owns them. This could be a shared inbox like privacy@yourbusiness.co.nz or a designated manager.

If you have a team, consider training them on what to do if a request arrives by phone, social media, or in person - because it still counts.

2. Confirm Receipt Quickly

You don’t need to have all the answers on day one, but you should acknowledge the request quickly and confirm:

  • you’ve received it,
  • what you understand the person is requesting, and
  • what the next steps are (including any ID verification needed).

3. Calculate The Due Date Immediately

Work out the 20-working-day deadline and diary it. If you think an extension might be required, set an earlier “decision date” (for example, day 12) so you have time to extend properly if needed.

4. Locate The Data (And Don’t Forget Third Parties)

Personal information might be spread across:

  • your CRM or booking system
  • email inboxes
  • accounting platforms
  • cloud storage (Google Drive/SharePoint)
  • chat tools
  • CCTV or door access logs
  • your marketing list provider

If overseas providers are involved, it’s still your responsibility to manage the request properly. (This can be a good prompt to review your supplier contracts and privacy obligations.)

5. Review For Third-Party Privacy And Sensitive Content

Before you send anything out, check whether the documents include:

  • another person’s personal information (staff, other customers, suppliers)
  • confidential business information that shouldn’t be disclosed
  • internal notes that might need careful handling

This is where businesses often get caught out. It’s not uncommon for a small business to have casual internal emails or notes that were never written with the expectation they’d be disclosed.

If you have employees handling customer data (or you’re collecting staff data yourself), it’s worth having clear internal rules in place and making sure your workplace documents and policies align with how your business actually handles personal information.

6. Respond Within Time (Provide, Refuse, Or Extend)

Make sure your response is clear and practical. If you’re providing information, explain what you’re providing and in what format. If you’re withholding or redacting information, explain why in simple terms.

7. Record What You Did

Keep a record of:

  • the date you received the request
  • the due date
  • any ID verification steps
  • what you provided/refused/redacted
  • when you responded

If there’s ever a dispute, your notes can help demonstrate you acted reasonably and within the rules.

Common Mistakes Businesses Make With Privacy Act Timeframes (And How To Avoid Them)

Most Privacy Act issues we see aren’t caused by bad intentions - they’re caused by busy businesses without a process.

Mistake 1: Thinking The Request Has To Be “Formal”

If someone messages your business page asking for their data, it can still be an access request. Train your team to recognise requests, and route them quickly.

Mistake 2: Missing The Deadline Because “We Were Investigating”

You can take time to locate information and make a decision, but you must still respond within 20 working days, unless you’ve extended lawfully. Don’t wait until day 19 to start looking.

Mistake 3: Providing Too Much (Especially About Other People)

Over-disclosure can create a privacy breach. For example, sending unredacted emails that include another customer’s details, or providing CCTV footage that shows other identifiable people without considering whether it’s appropriate.

Mistake 4: Not Having A Clear Privacy Framework

When you’re starting out, privacy can feel like “later” work. But as soon as you’re collecting personal data (even via a simple website enquiry form), you’re in privacy territory.

Having the right documents and processes upfront can help. Depending on how you operate, that might include:

  • a Privacy Policy that explains what you collect and how requests are handled
  • website terms that reflect how you run your online platforms (for example, Website Terms Of Use)
  • contracts with service providers who handle personal information
  • a plan for what you’ll do if something goes wrong (many businesses formalise this as part of a broader privacy program, including a Data Breach Response Plan)

Even if you only have a small team, putting these foundations in place early can prevent a lot of confusion later - especially when you’re growing and handling more requests.

Key Takeaways

  • The Privacy Act 2020 gives individuals the right to request access to their personal information, and most NZ businesses will need a process to handle these requests.
  • The key rule on timeframes is that you must respond as soon as reasonably practicable and within 20 working days of receiving the request.
  • Your response within 20 working days can be providing the information, refusing (in full or part), or extending the timeframe (but only where the Act allows it, and you must notify the requester within the original timeframe).
  • Small businesses should centralise requests, calculate due dates immediately, verify identity where appropriate, and review documents carefully for third-party privacy before sending anything out.
  • Common pitfalls include missing informal requests, waiting too long to act, and accidentally disclosing other people’s personal information.
  • Strong privacy foundations (like a Privacy Policy, clear internal processes, and the right contracts and policies) make compliance much easier as your business grows.

If you’d like help setting up privacy processes or responding to an information request under the Privacy Act 2020, you can contact Sprintlaw for advice.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
