Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
A privacy complaint can land in your inbox at the worst possible time: after a customer questions how you used their details, when a former employee asks what information you still hold, or after a marketing mistake exposes personal data more widely than intended. Many businesses make the same avoidable errors. They reply informally without a process, they treat the complaint as a customer service issue instead of a legal one, or they delay so long that the concern escalates to the Office of the Privacy Commissioner.
A clear privacy complaint handling procedure helps you respond calmly, lawfully and consistently. It also shows customers, staff and business partners that you take personal information seriously. The right process is not just about resolving disputes after something goes wrong. It also helps you spot weak collection practices, poor internal access controls and unclear privacy communications before they create bigger problems.
This guide explains what a privacy complaint handling procedure should cover for a New Zealand business, when you are likely to need one, the practical steps to put in place, and the mistakes founders and managers commonly make.
Overview
A privacy complaint handling procedure is a documented process for receiving, assessing, investigating and responding to concerns about how your business collects, stores, uses, shares or discloses personal information. In New Zealand, it should align with your obligations under the Privacy Act 2020 and fit the way your business actually operates day to day.
A useful procedure should help your team identify urgent issues quickly, respond within a reasonable timeframe and keep a proper record of what happened and how it was resolved.
- Decide who receives and manages privacy complaints
- Set out how complaints can be made, including email, online forms, phone calls and written correspondence
- Record the complaint details and preserve relevant evidence straight away
- Check whether the issue involves access, correction, disclosure, security or direct marketing concerns
- Assess whether the complaint may also amount to a notifiable privacy breach
- Respond clearly, respectfully and within a defined internal timeframe
- Keep records of outcomes, remedial steps and recurring patterns
- Review your privacy policy, customer terms, contracts, systems and staff training after each serious complaint
What Privacy Complaint Handling Procedure Means For New Zealand Businesses
For a New Zealand business, a privacy complaint handling procedure means having an internal system that turns a sensitive issue into a managed process instead of an improvised reaction.
The Privacy Act 2020 governs how agencies, including most businesses, collect, hold, use and disclose personal information. If someone believes your business has mishandled their information, they may raise that with you directly before taking the matter further. Your response can affect whether the issue is resolved quickly or turns into a regulatory problem, a customer loss issue or a reputational headache.
What counts as a privacy complaint?
A privacy complaint can cover a wide range of business situations. It is not limited to a dramatic data breach.
Common examples include:
- a customer says you collected more information than necessary
- a website user complains they were not told clearly how their data would be used
- a former employee asks why payroll or HR records were disclosed internally or externally
- a client says your marketing emails continued after they unsubscribed
- a patient, student or member asks for access to their personal information and believes your response was incomplete
- a supplier claims you sent their contact details to another party without consent or lawful basis
- someone reports that their records were sent to the wrong recipient
Why a written procedure matters
A written procedure makes your response more consistent and less personal. That matters because privacy complaints often arrive when a customer-facing staff member is under pressure and wants to fix things quickly without checking the legal position.
Without a procedure, businesses often:
- admit fault too early without understanding the facts
- ignore the complaint because it seems minor
- give access to information to the wrong person
- delete or alter records before the issue is investigated
- miss signs that the event may need breach assessment or notification
- answer in a way that conflicts with the privacy policy or internal practice
A proper procedure also helps you meet wider commercial expectations. If you are selling online, dealing with service contracts, entering supply arrangements or tendering for work, privacy governance often becomes part of due diligence. Businesses want to know that the parties they work with can handle personal information safely and respond to complaints sensibly.
Who should own the process?
One person should be clearly responsible for coordinating privacy complaints, even if several teams are involved. In a smaller business, that may be a founder, general manager or operations lead. In a larger business, it may sit with a privacy officer, legal function, risk team or senior HR manager, depending on the complaint type.
The main point is clarity. Frontline staff need to know where to send a complaint straight away, before they promise an outcome or start discussing personal data internally.
How this fits with your other documents
Your privacy complaint handling procedure should not sit in isolation. It should line up with the documents and systems your business already uses, including:
- your privacy policy
- staff privacy and confidentiality policies
- employment agreements and workplace policies
- customer terms and service contracts
- IT security, data retention procedures and breach response plans
- incident response and breach escalation processes
This is where founders often get caught. They publish a privacy policy for customers, but there is no internal process behind it. When a complaint arrives, the business cannot actually deliver what the policy says.
When This Issue Comes Up
This issue usually comes up as soon as your business starts collecting identifiable information from customers, staff, contractors or users.
You do not need to be a large tech company for privacy complaints to become relevant. A small retailer selling online, a healthcare practice, a recruitment business, a SaaS startup, a childcare provider or a tradie using customer databases can all face the same core problem: someone wants an explanation for how their information has been handled.
Common founder and manager moments
A privacy complaint handling procedure becomes especially important in moments like these:
- before you launch online and begin collecting customer names, emails, addresses and payment-related data
- before you install a CRM, booking system, payroll platform or HR software that stores personal details
- before you outsource support, marketing, cloud storage or admin functions to service providers
- before you sign a contract with a corporate client that asks about your privacy practices
- before you spend money on setup for a new app, member platform or data-driven product feature
- after a customer asks for access to their records
- after an employee raises concerns about monitoring, HR files or internal sharing of information
- after an email goes to the wrong list, attachment or recipient
Growth makes complaints more likely
Complaints often increase when a business scales faster than its internal systems. A founder may know exactly how customer information is used when there are 30 clients. At 3,000 users, that informal knowledge is no longer enough.
Expansion can create pressure points such as:
- new sales channels and online ordering systems
- larger marketing databases and ad campaigns
- more staff with access to customer or employee records
- multiple spreadsheets and disconnected tools
- cross-team sharing without clear access permissions
- third party service providers handling information on your behalf
Complaints are not always external
Many business owners think privacy complaints only come from customers. In practice, current and former workers, contractors, job applicants, members and business contacts can all raise them.
That is why your procedure should be broad enough to cover different kinds of personal information and different relationships. A process built only around customer service complaints may fail badly when the issue concerns recruitment records, CCTV footage, internal notes or sensitive staff information.
Practical Steps And Common Mistakes
The best privacy complaint handling procedure is simple enough for staff to use under pressure, but detailed enough to produce a legally sound response.
1. Create a clear intake process
People should be able to make a privacy complaint without guessing where to send it. Your business should define the accepted complaint channels and make sure staff know how to recognise a privacy issue, even if the person does not use legal terms.
Your intake process should include:
- the contact point for privacy complaints
- what details to request, such as the complainant's name, contact information, dates, affected records and summary of concern
- how staff should escalate verbal complaints received by phone or in person
- how to verify identity before discussing or releasing personal information
- how to acknowledge receipt promptly
One common mistake is insisting the complainant fill out a particular form before you do anything. A form can help, but it should not become a barrier to dealing with the issue.
2. Triage the complaint early
Not every complaint has the same urgency. Some involve a straightforward correction request. Others suggest unauthorised disclosure, access problems or a security incident that may need immediate containment.
Early triage should look at:
- what type of personal information is involved
- whether the person may suffer harm if the issue is not addressed quickly
- whether there is an ongoing security risk
- whether information has been disclosed to the wrong person
- whether the complaint overlaps with a data breach response plan
- whether another internal team, such as HR or IT, needs to be involved
The main risk is delay. A complaint about an incorrect mailing list setting may be inconvenient. A complaint about medical information emailed to the wrong recipient may need immediate escalation.
3. Preserve records and investigate properly
You need the facts before you respond. That means preserving relevant emails, system logs, settings, forms, screenshots and staff accounts of what happened.
Your investigation does not need to be formalistic, but it should be organised. Record:
- what information was collected or held
- how it was used or disclosed
- who had access to it
- what your privacy policy and internal procedures said at the time
- whether staff followed those procedures
- what practical harm or inconvenience may have resulted
A frequent mistake is focusing only on whether the business intended to do anything wrong. Intent is not the only issue. A careless process, weak permissions or poor training can still create a valid complaint.
4. Decide on the response path
Once you understand the issue, decide what kind of response is needed. Some complaints can be resolved with an explanation, correction or apology. Others require system changes, staff retraining, document updates or breach assessment.
Your response path may include:
- explaining why information was collected or used
- providing access to personal information where required
- correcting inaccurate records
- confirming deletion or de-identification where appropriate and lawful
- stopping a marketing practice or adjusting consent settings
- recovering or securing misdirected information
- considering whether notification obligations arise for a notifiable privacy breach
Be careful not to promise outcomes before you have checked what the law allows and what records must be retained. For example, a person may ask you to delete all information immediately, but your business may need to keep some records for legitimate legal or operational reasons.
5. Respond clearly and respectfully
Your written response should answer the complaint directly. Avoid defensive language, vague statements or corporate jargon. The person raising the issue usually wants to know what happened, what it means for them and what you are doing next.
A good response usually covers:
- a summary of the complaint
- the steps you took to investigate
- your findings
- any action taken or proposed
- any remaining rights or next steps available to the complainant
- a contact point for follow-up questions
Businesses often create extra friction by sending short replies that do not really answer the point. That can make a manageable issue feel dismissive, which increases the chance of escalation.
6. Keep an internal complaints register
A complaints register helps you track patterns and prove that you are managing issues consistently. It also makes annual reviews and compliance discussions much easier.
Your register can record:
- the date received
- the complainant type, such as customer, employee or applicant
- the category of issue
- who handled it
- the outcome
- whether remediation or policy changes followed
- whether the issue was linked to a breach or regulator contact
If several complaints point to the same weak spot, such as unclear consent wording, over-broad staff access or poor unsubscribe controls, treat that as a business process problem, not a one-off annoyance.
7. Train staff and test the process
A procedure on paper is not enough. Staff need to know what a privacy complaint sounds like and what to do first.
Training should cover:
- how to spot a privacy issue
- what not to say before the facts are known
- who to escalate to
- how to protect confidentiality during the investigation
- how privacy complaints interact with customer service, HR and IT issues
Small businesses often assume common sense will be enough. It rarely is, especially when staff are new, busy or trying to be helpful in the moment.
Common mistakes New Zealand businesses make
The most common mistakes are practical rather than technical.
- No one is clearly responsible for privacy complaints
- The business has a privacy policy but no internal handling procedure
- Staff respond through ordinary customer support channels without escalation
- Identity is not checked before information is discussed or released
- The business confuses a complaint with a routine service issue and misses a potential breach
- There is no record of what was investigated or decided
- Terms with software providers or contractors do not clearly deal with personal information handling
- Lessons from one complaint are not reflected in updated policies, contracts or workflows
If your business is still setting up systems, this is worth sorting out early, alongside your privacy policy, customer terms, employment documents, supplier contracts and internal access controls. It is much easier to build a sensible process before a complaint arrives than after one has already escalated.
FAQs
Does every New Zealand business need a privacy complaint handling procedure?
If your business collects or uses personal information, having a documented procedure is a sensible step. The more customer, employee or online user data you handle, the more important it becomes.
How quickly should we respond to a privacy complaint?
You should acknowledge it promptly and investigate without unnecessary delay. The right timeframe depends on the issue, but serious complaints, especially those involving possible unauthorised disclosure or harm, should be escalated immediately.
Is a privacy complaint the same as a data breach?
No. A complaint may relate to collection, access, correction, marketing or transparency issues without any security incident. But some complaints reveal a breach, so your procedure should include a step to assess that possibility.
Who should handle privacy complaints in a small business?
Usually a founder, general manager or another clearly nominated senior person should coordinate the response. The key is that staff know exactly who owns the process and when to escalate.
Should our contracts mention privacy complaint handling?
Often yes. If third party providers store, process or access personal information for your business, your contracts should set clear expectations around privacy, security, incident reporting and cooperation if a complaint arises.
Key Takeaways
- A privacy complaint handling procedure gives your business a clear process for receiving, investigating and resolving concerns about personal information.
- In New Zealand, the procedure should align with the Privacy Act 2020 and fit your actual collection, storage, marketing and disclosure practices.
- Your process should cover intake, identity checks, triage, investigation, response timeframes, record-keeping and escalation of possible privacy breaches.
- Common mistakes include treating the issue as ordinary customer service, failing to preserve records, missing breach indicators and leaving staff without clear escalation steps.
- The procedure should work alongside your privacy policy, staff policies, customer terms, employment documents and third party contracts.
- Regular review matters, especially after growth, new systems, outsourcing arrangements or repeated complaints.
If your business is dealing with privacy complaint handling procedure and wants help with privacy policies, customer terms, supplier contracts, and internal complaint processes, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.








