Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Personal Information Access Request Under The Privacy Act 2020?
- Do You Have To Comply With Every Access Request?
- What Is The Timeframe For Responding To An Access Request?
Step-By-Step: How To Handle Personal Information Access Requests (A Small Business Checklist)
- 1. Record The Request And Clarify What They’re Asking For
- 2. Confirm Their Identity (But Don’t Over-Collect)
- 3. Search Properly (Including Less Obvious Places)
- 4. Review For Third-Party Information And Redact Where Needed
- 5. Decide The Format For Providing Access
- 6. Respond In Writing And Keep A Clear Paper Trail
- Key Takeaways
If you run a small business in New Zealand, you’re probably collecting personal information every day - customer contact details, delivery addresses, staff records, CCTV footage, enquiry forms, website analytics, and more.
At some point, someone may ask: “Can I see the personal information you hold about me?”
That’s where the Privacy Act 2020 comes in. Knowing how to handle access requests properly isn’t just “nice to have” - it’s part of running a business that’s legally protected from day one.
In this guide, we’ll walk you through how personal information access requests work under the Privacy Act 2020 in New Zealand, what you must do as a business, common mistakes to avoid, and how to set up a process that doesn’t derail your week.
What Is A Personal Information Access Request Under The Privacy Act 2020?
An access request is when an individual asks your business for access to the personal information you hold about them.
Under the Privacy Act 2020, individuals generally have a right to:
- Ask whether you hold personal information about them; and
- Request access to that information.
Personal information is broadly defined. In plain terms, it’s any information about an identifiable person. It doesn’t need to be “sensitive” to count.
For small businesses, access requests commonly involve:
- Customer profiles (names, emails, addresses, purchase history)
- Support tickets, complaints, or call notes
- Invoices and account records (where the customer is identifiable)
- CCTV footage or workplace camera recordings
- Email chains where the person is discussed
- HR files (performance notes, disciplinary records, leave records)
- Online account data (logins, saved preferences, IP addresses where linked to a person)
It can feel a bit confronting the first time you receive one - especially if the request is informal (“Hey, send me everything you have on me”) or comes in after a dispute. But a calm, structured process helps you respond appropriately and avoid accidentally creating a bigger problem.
Having the right documentation in place (including a clear Privacy Policy) also makes these requests much easier to manage, because you can point to what you collect, why you collect it, and how people can request access.
Do You Have To Comply With Every Access Request?
In most cases, yes - if you hold personal information about the requester, you generally need to provide access.
But there are exceptions. The Privacy Act 2020 recognises that there are situations where you can refuse access (or provide only partial access). For example, where providing access would:
- Unreasonably disclose someone else’s personal information
- Prejudice the maintenance of the law (for example, where it could interfere with an investigation)
- In some cases, involve the disclosure of trade secrets or other confidential commercial information (depending on the circumstances)
- Be legally privileged (for example, certain communications with your lawyers)
- Create a serious threat to health or safety (in limited circumstances)
In practice, a lot of tricky access requests aren’t a clear “yes” or “no” - they’re a “yes, but we need to redact or withhold parts.”
Example: You have a complaint email thread where the customer is identifiable, but the emails also include staff comments about another customer. You may need to provide the relevant personal information while removing or masking information about other individuals.
If you’re unsure whether a refusal (or withholding/redaction) is justified, it’s worth getting advice before responding. Access requests often pop up when relationships are strained, and a clumsy refusal (or over-disclosure) can quickly escalate into a complaint to the Office of the Privacy Commissioner.
What Is The Timeframe For Responding To An Access Request?
Under the Privacy Act 2020, you generally must respond to an access request as soon as reasonably practicable, and no later than 20 working days after you receive it.
Working days do not include weekends or public holidays. If you’re ever in doubt about counting, keep it simple and aim to respond early.
If you need more time, you may be able to extend the time limit in certain circumstances - but it’s not something you should do casually. Extensions should be:
- Reasonable in the circumstances (for example, the request is very large, you need to consult with others, or you need more time to properly consider whether any withholding grounds apply)
- Communicated to the requester within the original timeframe
- Accompanied by reasons and information about their right to complain
For small businesses, the biggest risk is leaving the request sitting in someone’s inbox because “we’re busy.” A missed deadline can create a compliance issue even if you had good intentions.
One of the best ways to stay on top of timeframes is to use a simple internal workflow: log the request date, confirm identity, allocate an internal owner, and diarise the 20-working-day deadline.
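The workflow above (log the request date, record who asked and who owns it, diarise the 20-working-day deadline) is easy to get wrong by hand once weekends and public holidays are involved. The following is an added Python example written for this guide, not code from the article or from Sprintlaw; it records the fields from step 1 of the checklist, computes the deadline in working days, and reports whether a request is open, due soon or overdue. The public-holiday dates, the requester details and the five-working-day warning threshold are constructed assumptions for illustration: replace the holiday set with the real calendar for your region before relying on the output.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample holiday calendar for the illustration below. These dates are
# placeholders, not an authoritative New Zealand public-holiday list: load the
# real calendar for your region before relying on the computed deadline.
SAMPLE_PUBLIC_HOLIDAYS = frozenset({
    date(2025, 3, 14),  # constructed: a Friday treated as a public holiday
})

STATUTORY_WORKING_DAYS = 20  # response deadline in working days, as stated in the guide
DUE_SOON_THRESHOLD = 5       # assumed internal warning threshold, not a legal figure


def is_working_day(day: date, public_holidays: frozenset = frozenset()) -> bool:
    """A working day here is a weekday (Mon-Fri) that is not in the public-holiday set."""
    return day.weekday() < 5 and day not in public_holidays


def working_days_between(start: date, end: date, public_holidays: frozenset = frozenset()) -> int:
    """Number of working days in the half-open interval (start, end].

    Negative when `end` is before `start`, so the result doubles as an
    "overdue by N working days" figure.
    """
    if end < start:
        return -working_days_between(end, start, public_holidays)
    count = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if is_working_day(current, public_holidays):
            count += 1
    return count


def working_day_deadline(received: date, working_days: int = STATUTORY_WORKING_DAYS,
                         public_holidays: frozenset = frozenset()) -> date:
    """Date on which the N-th working day after `received` falls.

    The day of receipt itself is not counted; counting starts the following day.
    """
    if working_days < 1:
        raise ValueError("working_days must be at least 1")
    current = received
    counted = 0
    while counted < working_days:
        current += timedelta(days=1)
        if is_working_day(current, public_holidays):
            counted += 1
    return current


@dataclass
class AccessRequestRecord:
    """The four fields step 1 of the checklist says to record, plus deadline tracking."""
    received: date
    requester: str
    wording: str          # the requester's own words, copied verbatim
    owner: str            # the person in the business responsible for the response
    public_holidays: frozenset = field(default_factory=frozenset)

    def deadline(self) -> date:
        return working_day_deadline(self.received, STATUTORY_WORKING_DAYS, self.public_holidays)

    def status(self, today: date) -> str:
        """'overdue', 'due soon' or 'open', judged in working days from `today`."""
        remaining = working_days_between(today, self.deadline(), self.public_holidays)
        if remaining < 0:
            return "overdue"
        if remaining <= DUE_SOON_THRESHOLD:
            return "due soon"
        return "open"


if __name__ == "__main__":
    record = AccessRequestRecord(
        received=date(2025, 3, 3),                    # constructed: a Monday
        requester="J. Example (constructed sample)",
        wording="Can I see everything you hold about me?",
        owner="privacy@yourbusiness.co.nz",           # placeholder address from this guide
        public_holidays=SAMPLE_PUBLIC_HOLIDAYS,
    )
    print("Deadline:", record.deadline())             # 2025-04-01 with the sample holiday
    print("Status on 2025-03-27:", record.status(date(2025, 3, 27)))
```

The day of receipt is deliberately excluded from the count and the deadline is reported as the last day on which a response is still in time, so the "due soon" warning gives the owner a few working days to chase a search that is running late rather than discovering the problem on the deadline itself.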
Step-By-Step: How To Handle Personal Information Access Requests (A Small Business Checklist)
If you want a process you can repeat every time (without reinventing the wheel), use the steps below.
1. Record The Request And Clarify What They’re Asking For
Access requests don’t need to be in any special format. They can be a casual email or even a verbal request. Your first step is to treat it seriously and record:
- Date received
- Who made the request
- What they asked for (copy/paste their wording)
- Who in your business is responsible for managing it
If the request is broad (“everything you have on me”), you can ask them to clarify or narrow it - but be careful. You should still act promptly and not use “clarification” as a stalling tactic.
2. Confirm Their Identity (But Don’t Over-Collect)
Before you release personal information, you need to be confident you’re giving it to the right person.
Identity checking should be proportionate. For example:
- If the request comes from the same email address you have on file and it’s low-risk information, that may be enough.
- If it involves sensitive information (like medical details, financial data, or HR records), you may need stronger verification.
A common mistake is asking for excessive ID (and then storing it indefinitely). If you do collect ID documents, think carefully about how long you keep them and how you secure them, because that becomes additional personal information you now hold.
3. Search Properly (Including Less Obvious Places)
When people say “send me my information”, they usually mean everything - not just what’s in your CRM.
Make sure your search includes:
- Customer databases / CRM
- Accounting records (where linked to an identifiable person)
- Email inboxes (including shared inboxes)
- Internal chat systems (where used for work decisions)
- Support desk platforms
- File storage (Google Drive, SharePoint, Dropbox, etc.)
- CCTV or other recordings (if you hold them)
- HR systems (for employee requests)
If you have workplace cameras, your obligations don’t disappear just because the data is “video.” If cameras are part of your operations, it’s worth making sure your setup and policies are privacy-compliant in the first place - including thinking through cameras in the workplace and what you tell people about recordings.
4. Review For Third-Party Information And Redact Where Needed
This is where many businesses slip up.
You might locate documents that contain the requester’s personal information, but also include:
- Other customers’ information
- Staff members’ private details
- Confidential references or complaints from third parties
- Internal commentary that reveals another person’s identity
In these cases, you may need to redact parts of the documents before release.
Redaction isn’t just “blacking out a name.” Sometimes removing the name isn’t enough if the person is still identifiable from context (for example, “the only senior receptionist on Monday mornings”).
5. Decide The Format For Providing Access
You can usually provide access in a practical format, such as:
- Emailing PDFs
- Exporting records from your CRM
- Providing screenshots
- Allowing supervised viewing (rare, but sometimes useful for large datasets)
The key is to provide the information in a way that’s usable and secure. If you’re emailing sensitive information, consider encryption or secure file-sharing links.
6. Respond In Writing And Keep A Clear Paper Trail
Even if the request was verbal, it’s a good idea to respond in writing so there’s a clear record of what was provided and when.
Your response should usually include:
- Confirmation of what information you’re providing
- The information itself (attached or linked securely)
- If anything is withheld, a brief explanation (without over-explaining)
- How they can raise concerns (including their right to complain to the Privacy Commissioner)
A simple, professional paper trail is also helpful if the access request later turns into a broader dispute.
Common Tricky Scenarios For Small Businesses (And How To Approach Them)
Not all access requests are straightforward. Here are a few situations where small businesses often need to slow down and handle things carefully.
Access Requests From Employees (Or Former Employees)
Employee access requests can involve HR notes, performance management records, and internal communications. These situations can quickly become high-stakes, especially if there’s an ongoing dispute.
From a business perspective, it helps to be proactive: good employment documentation, consistent performance processes, and clean record-keeping make it far easier to respond lawfully.
If you’re managing employee-related issues, it can also help to have strong foundations in place like an Employment Contract and clear internal policies around privacy and information handling (so staff know what gets recorded and where).
Requests For CCTV Footage
Customers sometimes request CCTV footage after an incident (for example, an alleged theft, injury, or dispute).
With CCTV, the big issues tend to be:
- Other individuals are also visible (third-party privacy)
- Footage may be relevant to a safety incident, insurance claim, or law enforcement enquiries
- You may not be able to easily provide footage in a way that gives access to the requester’s information without also disclosing other people’s information
You may need to consider whether you can provide access while protecting other individuals’ privacy, such as providing a clip limited to the relevant timeframe, using supervised viewing, or editing/blurring where it’s reasonable and technically possible (depending on the circumstances).
Requests That Overlap With Complaints Or Legal Disputes
Sometimes an access request is made as part of a wider conflict - for example, a customer dispute, a contract issue, or a threatened claim.
It’s still an access request, and you still need to treat it as such, but you should be cautious about:
- Accidentally disclosing privileged legal advice
- Disclosing internal strategy notes you don’t need to share
- Rushing a refusal without proper legal grounds
If you suspect the request is part of a larger legal issue, getting tailored advice early can protect you. A small error in disclosure can be difficult to undo.
Requests From Customers When You Use Contractors Or Overseas Systems
If your business uses contractors (including overseas contractors) or cloud software providers, personal information might be stored or processed outside New Zealand.
From an access request perspective, the practical challenge is making sure you can actually retrieve and produce the information within the deadline.
This is why it’s smart to think about privacy compliance when you engage third parties - including having contracts that clearly allocate responsibilities. If you regularly engage third parties to handle personal information, a properly drafted Data Processing Agreement can help set expectations around access, security, and cooperation.
And if you’re onboarding contractors (particularly overseas), you’ll also want your engagement terms to deal with confidentiality, data handling, and IP in a clear way, which is often addressed in a tailored Contractor Agreement.
How To Set Up A Simple Access Request Process (So You’re Protected From Day One)
The easiest way to reduce stress around access requests is to prepare before the first one lands.
Here are a few practical systems that work well for small businesses.
Create A Clear Internal Policy And Assign Responsibility
Even if you don’t have a big team, you should know:
- Who receives privacy requests (a shared inbox is often a good idea)
- Who is authorised to approve disclosures
- Who can access systems to retrieve the relevant information
If multiple people in your business handle customer communications, set simple rules so requests don’t get lost (for example: “Any privacy request must be forwarded to [privacy@yourbusiness.co.nz] the same day”).
Use A Privacy Collection Notice For Forms And Sign-Ups
If you collect personal information through online forms, booking systems, subscriptions, or sign-ups, it’s good practice to include a short statement explaining what you’re collecting and why.
This is where a Privacy Collection Notice can be really useful - it helps set expectations upfront and can reduce misunderstandings later (including access and correction requests).
Keep Your Records Organised (And Avoid Recording “Off The Cuff” Comments)
Access requests often reveal a business’s record-keeping habits.
It’s worth training your team to assume that anything written about a person could potentially be requested later. That doesn’t mean you can’t keep internal notes - it just means they should be:
- Relevant
- Professional
- Accurate
- Stored in the right place
This is particularly important for HR records and customer complaints.
Think About Retention: Don’t Keep Personal Information Longer Than You Need
The longer you keep personal information, the more you have to search, review, and potentially disclose when a request comes in.
Retention is also linked to data breach risk - if you keep unnecessary data and it gets exposed, you’ve increased your potential liability for no real business benefit.
A simple retention policy (even a basic one) can make a big difference. For higher-risk businesses, it can be worth building privacy compliance into your broader risk management and operational documents.
Have A Plan For When Things Go Wrong
Sometimes access requests come in at the same time as a suspected privacy incident (for example, someone believes their details were shared incorrectly).
In those situations, you may need to manage both your access response and your incident response in parallel. A documented plan like a Data Breach Response Plan can help you act quickly and consistently - without scrambling under pressure.
Key Takeaways
- Under the Privacy Act 2020, individuals generally have the right to request access to the personal information your business holds about them.
- You should respond to access requests as soon as reasonably practicable and usually within 20 working days, so it’s important to have a simple internal process.
- Before releasing information, take proportionate steps to verify identity and make sure you’re not disclosing personal information about other people.
- Many access requests require careful review and redaction, especially where records contain third-party details, workplace notes, or CCTV footage.
- Good privacy foundations (like a Privacy Policy and collection notices) reduce confusion, make compliance easier, and help protect your business from day one.
- If an access request is linked to a dispute, employment issue, or sensitive information, getting tailored advice early can help you avoid accidental over-disclosure or an improper refusal.
If you’d like help setting up your privacy compliance processes or responding to an access request, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.