Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’re probably collecting more personal information than you realise - customer enquiries, online orders, staff records, CCTV footage, email lists, and maybe even recorded phone calls.
So when someone asks you for “all the personal information you hold about me”, it can feel stressful (and time-consuming) to figure out what you need to do and when you need to do it by.
In New Zealand, these requests are governed by the Privacy Act 2020. And the deadlines are real - if you miss them or handle the request poorly, you could be dealing with complaints to the Office of the Privacy Commissioner (OPC), an investigation, or disputes that distract you from running your business.
This guide breaks down Privacy Act information request deadlines in plain English, so you can respond confidently, on time, and in a way that protects your business.
What Counts As A “Privacy Act Information Request” For A Small Business?
Under the Privacy Act 2020, people generally have the right to:
- Access their personal information (i.e. the information your business holds about them), and
- Request correction of that information if they think it’s wrong.
In practice, an access request might look like:
- “Can you send me a copy of everything you have on me?”
- “I want a copy of my file / account history / messages.”
- “What information have you shared with third parties?”
- “Please provide the CCTV footage from [date/time] showing me.”
A few important points for business owners:
- It doesn’t need to mention the Privacy Act to count as a request. If someone is asking for their personal information, treat it seriously.
- It can be informal (email, social media message, letter, even verbally). You can ask them to put it in writing to make it easier to manage, but don’t use that to stall.
- “Personal information” is broad - it’s any information about an identifiable individual. That can include images, audio, opinions, notes, metadata, and internal comments (subject to certain limits).
If you’re collecting personal information from customers or users, it’s also a good time to check your Privacy Policy and make sure it reflects what you actually do with that data.
Privacy Act Information Request Deadlines: The Core Timeframes You Need To Know
If you only remember one thing from this article, make it this:
As a general rule, you must respond to a Privacy Act access request as soon as reasonably practicable, and no later than 20 working days after receiving it.
That 20 working day clock is the key piece in most discussions about Privacy Act information request deadlines. But there are a few “supporting” deadlines that matter too.
The 20 Working Day Response Deadline
For most businesses, the standard expectation is:
- Day 0: You receive the request.
- By Day 20 (working days): You must decide whether you will grant the request (in full or in part), and respond (for example, by providing the information, refusing with reasons, or confirming an extension).
“Working day” is defined in the Privacy Act 2020 and generally means a business day (weekends and public holidays are excluded). In practice, it’s safest to treat the day you receive the request as Day 0 and build in buffer time, rather than relying on technicalities.
Transfers: If Another Organisation Should Handle It
Sometimes a request is sent to your business, but you don’t actually hold the information - or another organisation is better placed to respond (for example, a parent company, a separate franchise entity, or a contractor platform provider).
In those cases, the Privacy Act has specific rules about when you can transfer a request and the notices you need to give. As a practical rule, you should treat transfer as urgent and aim to do it as soon as possible. If you do transfer, you should tell the requester who you’ve transferred it to (and when), so they’re not left guessing.
Extensions: You Can Extend, But There Are Rules
Yes - you can extend the time limit, but you can’t just “go quiet” and respond late.
If you need more time, you should:
- Notify the requester within the original 20 working days that you’re extending the time,
- Tell them why (e.g. the request is complex, involves a lot of information, or requires consultation), and
- Give them a new due date (a specific timeframe, not something vague like “when we can”).
From a risk perspective, extensions are often where businesses slip up. A late extension notice is usually treated like a late response.
“As Soon As Reasonably Practicable” Still Matters
Even though the outer limit is typically 20 working days, the Act also expects you to respond as soon as reasonably practicable. That means if it’s a simple request (for example, “Please send me a copy of my invoice history”), you shouldn’t wait until Day 19 just because you can.
Fast, organised responses reduce the risk of complaints and show your business takes privacy seriously.
Step-By-Step: A Practical Process To Meet NZ Response Timeframes
The easiest way to hit Privacy Act information request deadlines is to treat requests like a repeatable internal workflow (not an ad-hoc scramble).
1) Log The Request Immediately (And Start The Clock)
Create a simple register (spreadsheet is fine) with:
- Date received
- Requester name and contact details
- What they asked for
- Due date (20 working days)
- Who is responsible internally
- Status updates
This is also where a simple access request form can help you standardise what you ask for and what you provide (especially if your team receives requests through multiple channels).
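Counting the 20 working day deadline by hand (receipt date as Day 0, weekends and public holidays skipped) is exactly where a busy team slips. The following is an added example, not Sprintlaw's tool or template: a small Python register that logs a request with the fields listed in Step 1, computes the due date, reports working days remaining, and records an extension only if it is notified before the original deadline with a reason and a specific new date. The dates in SAMPLE_PUBLIC_HOLIDAYS are constructed placeholders (substitute the real public holidays for the year in question), and every function and field name here is an assumption of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed placeholder holiday calendar: illustrative dates only.
# Replace with the actual public holidays for the relevant year.
SAMPLE_PUBLIC_HOLIDAYS: Set[date] = {
    date(2025, 1, 1),  # placeholder
    date(2025, 1, 2),  # placeholder
}

RESPONSE_LIMIT_WORKING_DAYS = 20  # outer limit described in the article


def is_working_day(day: date, holidays: Set[date]) -> bool:
    """Monday to Friday, and not a public holiday."""
    return day.weekday() < 5 and day not in holidays


def add_working_days(start: date, n: int, holidays: Set[date]) -> date:
    """Return the date n working days after start (start itself is Day 0)."""
    current, counted = start, 0
    while counted < n:
        current += timedelta(days=1)
        if is_working_day(current, holidays):
            counted += 1
    return current


def working_days_between(start: date, end: date, holidays: Set[date]) -> int:
    """Count working days in the half-open range (start, end]; 0 if end <= start."""
    count, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if is_working_day(current, holidays):
            count += 1
    return count


@dataclass
class AccessRequest:
    """One row of the request register (fields from Step 1 above)."""
    requester: str
    contact: str
    received: date
    description: str
    owner: str
    due: date
    extended_due: Optional[date] = None
    status: str = "open"
    history: List[Tuple[date, str]] = field(default_factory=list)

    @property
    def current_due(self) -> date:
        return self.extended_due or self.due


def log_request(register: List[AccessRequest], requester: str, contact: str,
                received: date, description: str, owner: str,
                holidays: Set[date] = SAMPLE_PUBLIC_HOLIDAYS) -> AccessRequest:
    """Log a request and start the clock: due date is 20 working days after receipt."""
    due = add_working_days(received, RESPONSE_LIMIT_WORKING_DAYS, holidays)
    req = AccessRequest(requester, contact, received, description, owner, due)
    req.history.append((received, f"logged; due {due.isoformat()}"))
    register.append(req)
    return req


def record_extension(req: AccessRequest, notified_on: date, new_due: date, reason: str) -> AccessRequest:
    """Record an extension; rejects late notices, missing reasons and non-specific dates."""
    if notified_on > req.due:
        raise ValueError("extension notice is late: the original deadline has already passed")
    if not reason.strip():
        raise ValueError("extension notice must give a reason")
    if new_due <= req.due:
        raise ValueError("new due date must be a specific date later than the original")
    req.extended_due = new_due
    req.history.append((notified_on, f"extended to {new_due.isoformat()}: {reason}"))
    return req


def working_days_remaining(req: AccessRequest, today: date,
                           holidays: Set[date] = SAMPLE_PUBLIC_HOLIDAYS) -> int:
    """Working days left until the current (possibly extended) due date."""
    return working_days_between(today, req.current_due, holidays)


def is_overdue(req: AccessRequest, today: date) -> bool:
    """True once an open request has passed its current due date."""
    return req.status == "open" and today > req.current_due
```

Run the register against your own holiday calendar rather than the placeholders, and keep `history` as the audit trail: it is the record that shows the request was logged on receipt and any extension was notified in time.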
2) Confirm Identity (But Don’t Over-Collect)
Before releasing personal information, you need to be comfortable you’re giving it to the right person.
For example, if the request comes from an email address that matches your customer records, that might be enough. If it comes from a different email address or seems suspicious, you may need additional verification.
Key tip: Only ask for what you reasonably need. Collecting unnecessary ID documents can create extra privacy risk for your business.
3) Clarify The Scope If Needed
Some requests are extremely broad (“everything you have about me”). You can respond faster and more accurately if you clarify:
- The timeframe (e.g. the last 12 months)
- The system or service (e.g. “my online orders”)
- The type of data (e.g. “emails and call recordings”)
Clarifying scope isn’t about delaying - it’s about making sure you’re searching the right places and providing the right material.
4) Search All The Places Personal Information Could Live
In small businesses, personal information often sits across multiple systems. A proper search may involve:
- CRM / booking platforms
- Accounting/invoicing tools
- Email inboxes and archived folders
- Cloud storage (Google Drive, OneDrive, Dropbox)
- Team chat tools
- CCTV systems
- HR folders and payroll systems (for staff requests)
Keep in mind that some categories of information can be particularly sensitive, and mishandling them can cause bigger issues - for example, health information or biometric identifiers.
5) Review Before You Release (Redactions, Third Parties, Confidential Info)
This is where things often get tricky. Even if the information is “about” the requester, you may need to consider:
- Third-party privacy: does the material include personal info about someone else (e.g. staff members, other customers)?
- Commercial sensitivity: does it reveal confidential business processes, pricing strategy, or trade secrets?
- Safety concerns: could releasing it create a risk (e.g. threats, harassment)?
You may be able to provide access with redactions, or you may have grounds to refuse some or all of a request - but refusals should be handled carefully and clearly.
6) Respond In Writing And Keep A Clear Record
When you respond, you should confirm:
- What information you are providing (and in what format)
- What information you are withholding (if any) and why
- Any redactions made
- How the requester can ask questions or raise concerns
Keeping a solid paper trail helps you show you acted within timeframes and took reasonable steps if there’s a complaint later.
When Can You Refuse Or Partially Refuse A Request (And How Does That Affect Deadlines)?
Small businesses sometimes assume they must hand over everything no matter what. That’s not quite right.
The Privacy Act allows organisations to refuse access in certain circumstances, but it’s not a “free pass” - and it doesn’t remove the need to respond within the usual timeframes.
Common Scenarios Where Refusals Or Redactions Come Up
Depending on the situation, you might be looking at partial refusal or redactions where the information includes:
- Personal information about other people (e.g. another customer visible in CCTV footage)
- Confidential references or evaluative material (context matters)
- Information subject to legal privilege (for example, communications with your lawyer)
- Information that would prejudice the maintenance of the law (more common for certain agencies, but can be relevant in specific scenarios)
If you refuse (fully or partially), your response should generally:
- State that you are refusing (or partially refusing)
- Give the reason in plain English (without revealing what you’re withholding)
- Explain any next steps available to the requester (e.g. raising concerns with the OPC)
The main point: you still need to respond within the Privacy Act information request deadlines - refusal is a type of response, not a reason to miss the deadline.
Common Deadline Mistakes Small Businesses Make (And How To Avoid Them)
Most Privacy Act issues we see aren’t caused by bad intentions. They happen because the business is busy, the request is unexpected, and nobody is sure who owns the task.
Mistake 1: Not Recognising A Request
If your staff think it’s “just a complaint” or “just a random email”, the clock can start running without you realising.
Fix: Train your team to escalate anything that looks like: “What info do you have about me?” or “Send me my file.” If you have staff handling customer service, it can also help to set expectations in an internal privacy handbook or workplace policy.
Mistake 2: Waiting To Start The Search
Twenty working days disappears fast when you’re juggling operations, sales, and staffing.
Fix: Start the search immediately, even if you’re still clarifying scope. You can always narrow later, but you can’t get time back.
Mistake 3: Forgetting About Contractors And Cloud Tools
If you use overseas software providers, virtual assistants, marketing contractors, or outsourced IT, information might be held outside your “main” systems.
Fix: Maintain a simple data map: what you collect, where it’s stored, who has access, and who you share it with. This also ties into having the right privacy documents and security practices in place.
Mistake 4: Giving Too Much (Or The Wrong Thing)
Trying to be helpful can backfire if you accidentally disclose another person’s data or confidential internal material.
Fix: Review carefully, redact where needed, and get advice if you’re unsure.
Mistake 5: Not Being Ready For “What If Something Goes Wrong?”
Sometimes an access request comes in right after a suspected privacy incident, or it reveals gaps in your data handling.
Fix: Have a plan ready so your team knows what to do and who is responsible if an access request overlaps with (or triggers) a privacy incident.
Key Takeaways
- The core Privacy Act deadline is usually 20 working days to respond to an access request, and you’re also expected to respond as soon as reasonably practicable.
- Privacy Act information request deadlines start when you receive the request, even if it’s informal or doesn’t mention the Privacy Act.
- You can extend time, but you generally need to notify the requester within the original timeframe, give reasons, and provide a new due date.
- Transfers should be handled quickly if another organisation is better placed to respond, and you should tell the requester who the request has been transferred to.
- Have an internal process: log the request, confirm identity, clarify scope, search systems, review/redact, and respond in writing.
- You may be able to refuse or partially refuse in limited situations, but refusal is still a response - you shouldn’t miss the deadline.
- Strong privacy foundations reduce risk, including clear policies, staff training, and documented incident response steps.
If you’d like help responding to an access request or setting up practical privacy compliance systems, contact Sprintlaw for a free, no-obligations chat.