Privacy Principle 1 in New Zealand: Collecting Personal Information Lawfully

Alex Solo
byAlex Solo11 min read
Data & PrivacyRegulatory Compliance
Contents

Many New Zealand businesses collect more personal information than they need, ask for it at the wrong time, or never stop to ask why they are collecting it in the first place. That creates risk early, especially when you are setting up customer forms, onboarding staff, taking online orders, or rolling out a new app. Common mistakes include copying a long signup form from another business, collecting ID details "just in case", and asking for sensitive information before you have a clear lawful purpose.

Privacy Principle 1 is the starting point for lawful collection under the Privacy Act 2020. It is the rule that says your business must only collect personal information if the information is for a lawful purpose connected with your functions or activities, and collecting it is necessary for that purpose. That sounds simple, but this is where founders often get caught. Here, we explain what principle 1 means in practice, when it comes up, and how to make better decisions before you launch online, before you sign a supplier or software contract, and before you invest in forms, systems, and customer journeys that collect too much information.

Overview

Principle 1 is about discipline. Your business should know exactly why it is collecting personal information, whether that purpose is lawful, and whether each piece of information is genuinely needed for that purpose.

If you cannot explain why you need a piece of personal information, or your reason is only that it might be useful later, you may be collecting more than the Privacy Act allows.

  • Identify the specific business purpose for collecting the information.
  • Check that the purpose is connected to your business activities or functions.
  • Ask whether each data field is necessary, not just convenient.
  • Review forms, apps, surveys, and onboarding documents for over-collection.
  • Be extra careful with sensitive information such as health details, identity documents, or demographic data.
  • Make sure your privacy policy or privacy statement matches what you actually collect and why.

What Principle 1 Means For New Zealand Businesses

Principle 1 means your business cannot collect personal information on a vague, broad, or speculative basis. You need a lawful business reason, and the information must be necessary for that reason.

Under the Privacy Act 2020, personal information means information about an identifiable individual. That can include obvious details like a name, email address, phone number, delivery address, bank account details, and date of birth. It can also include customer notes, support records, photos, IP-related account information, CVs, and employee emergency contact details if they identify someone.

A lawful purpose connected to your business

Your reason for collecting the information must relate to what your business actually does. A retailer may need a delivery address to ship goods. A software business may need an email address to create an account and send service notices. An employer may need bank details to pay staff.

What usually will not work is collecting information because another company asks for it, because your template includes it, or because you think it may help with marketing one day. A purpose can be commercially useful and still fail principle 1 if it is too loose or disconnected from your real operations.

Lawful purpose matters too. If the business activity itself is misleading, unfair, or otherwise unlawful, collecting data for that activity will not become acceptable just because you mention it in a privacy policy.

Necessary, not merely handy

This is the part many businesses miss. Principle 1 does not ask whether information would be helpful. It asks whether collecting it is necessary for the purpose you have identified.

Necessary does not always mean absolutely essential in the narrowest sense, but it does require a real and rational connection. If there is a less intrusive way to achieve the same purpose, your current approach may be hard to justify.

For example, if you sell downloadable products, you may need an email address to deliver access, but not a residential address. If you run a competition, you may need a name and contact details to contact the winner, but not a full date of birth unless there is a clear age-based requirement. If you hire contractors for short project work, you may need identification and payment details at a certain point, but not necessarily at the first expression-of-interest stage.

Principle 1 applies across the business lifecycle

This principle is not just for big companies with data teams. It affects everyday founder decisions, including:

  • website enquiry forms
  • checkout pages and account creation
  • newsletter signups
  • customer support requests
  • job application forms
  • staff onboarding packs
  • promotional campaigns and giveaways
  • CRM and marketing automation setup
  • security and visitor records
  • franchise, supplier, and partner onboarding

If you are a startup or SME, principle 1 should shape your systems before you spend money on setup. It is much easier to remove unnecessary data fields before you launch than to fix poor collection practices after complaints, customer distrust, or internal confusion.

Principle 1 works with the other privacy principles

Principle 1 is only one part of the privacy framework, but it affects the rest. If you should not have collected information in the first place, later compliance steps become harder to defend. Storage, security, access rights, correction rights, retention, and disclosure all start from the question of whether the collection itself was justified.

That is why businesses should not treat privacy as a notice-writing exercise only. A polished privacy policy will not solve over-collection. The main risk is the mismatch between what your forms ask for and what your business truly needs.

When This Issue Comes Up

Principle 1 usually becomes a real issue when a business is building processes quickly and using standard forms without legal review. The risk often appears before you notice it, especially when new software or teams add extra fields by default.

Customer signups and online sales

Before you launch online, check every field in your signup, enquiry, checkout, and account creation flow. Businesses often collect phone numbers, dates of birth, and detailed preferences where an email address and delivery details would do.

This is also common when businesses start selling through a new platform. The platform may allow many optional fields, but optional in the software does not mean justified under principle 1.

Marketing and lead generation

Lead forms are a common pressure point. A business wants better qualification data, so the form expands to include job title, company size, budget, location, and personal contact details before any real relationship exists.

Some of that may be reasonable in a B2B setting, but you still need to ask whether each field is necessary at that stage. If a short enquiry form is enough to start the conversation, collecting more may be hard to justify.

Recruitment and hiring

Recruitment is another area where businesses often overreach. You may need enough information to assess suitability, communicate with candidates, and carry out checks at the right stage. You usually do not need every detail on day one.

For example, collecting referees, identity documents, or detailed health information too early can create unnecessary privacy risk. Employers should tie each request to a genuine hiring purpose and timing need.

Staff and contractor onboarding

Once someone is engaged, your information needs may expand. You may need bank details, tax-related forms handled with professional advice, emergency contacts, and right-to-work or qualification evidence where relevant. But timing still matters.

Before you sign a contract, think about what needs to be collected to evaluate the person and what should wait until the role is confirmed. Collecting everything upfront can be excessive.

Apps, software products, and analytics

Product teams often collect personal data because a plugin, analytics tool, or user profile setting makes it easy. This is where founders often get caught. If a field, tracker, or profile question does not support a real product function, billing need, fraud prevention measure, or other justified purpose, it may not belong in the system.

Extra caution is needed if the information is sensitive or if user expectations are likely to differ from what the product is doing behind the scenes.

Identity checks and security requirements

Some businesses need to verify identity for fraud prevention, safety, or legal compliance reasons. That can be valid, but it still does not give unlimited permission to collect and keep copies of identity documents.

Ask whether a full copy is necessary, whether a sight-and-record method could work, how long the information should be retained under a data retention policy, and whether less intrusive verification options are available.

Practical Steps And Common Mistakes

The best way to comply with principle 1 is to audit collection points one by one and remove anything you cannot justify. Most fixes are practical, not theoretical.

Map each collection point

List every place where your business asks for or receives personal information. Do not limit this to public forms. Include internal spreadsheets, sales call notes, customer support tools, onboarding documents, chat functions, and third party software.

Your map should cover:

  • what information is collected
  • where it is collected
  • who collects it
  • why it is collected
  • when in the customer or worker journey it is collected
  • whether the same purpose could be met with less information

This exercise often exposes duplicate fields and "just in case" questions that nobody can explain.

Write down the purpose in plain English

If a founder or manager cannot explain the purpose in one clear sentence, the collection point probably needs work. Good examples sound practical and specific.

  • We collect delivery addresses to ship physical products customers order.
  • We collect email addresses to create user accounts and send service notices.
  • We collect bank details from staff after hiring so we can process payroll.
  • We collect limited health information only where needed to provide a requested service safely.

Weak examples are much broader:

  • for business purposes
  • for customer experience
  • for future opportunities
  • to understand our users better

Broad wording can hide over-collection. Principle 1 requires more discipline than that.

Test necessity field by field

Review each data field separately. A form may have one legitimate purpose overall, but still include unnecessary questions.

Useful questions to ask include:

  • What decision or action does this field support?
  • Would the transaction or service fail without it?
  • Could we collect it later if needed?
  • Could we make the field optional?
  • Is there a less sensitive way to get the same result?

Founders often discover that half of a form is based on preference rather than need.

Be careful with sensitive information

Health details, biometric information, copies of passports or driver licences, ethnicity data, criminal history information, and children’s information can create higher risk. Principle 1 still applies in the same basic way, but the justification should be stronger and more specific.

Before you collect sensitive information, ask:

  • What exact purpose makes this necessary?
  • Why is less sensitive information not enough?
  • Do we need the full document or only confirmation of a fact?
  • Who will access it?
  • How long will we keep it?

If you cannot answer those questions clearly, pause before you build the field into your process.

Match practice to your privacy notice

Your privacy statement should reflect actual collection practices. If your form asks for information your privacy notice does not mention, or the notice claims broad purposes that your team cannot explain, that is a warning sign.

Principle 1 is about whether collection is justified, but transparency still matters. A mismatch between real practice and written statements can increase complaint risk and weaken trust.

Watch for software defaults and copied templates

Many privacy issues start with software, not legal strategy. CRM tools, ecommerce platforms, booking systems, and HR products often include default fields that are convenient for the vendor, not necessarily necessary for your business.

Copied website templates create the same problem. Before you register a domain or print packaging that points customers to a form, check whether the form is actually tailored to your business model.

This matters for startups especially. When you start a business in New Zealand, legal setup often focuses on company setup, registration, contracts, branding, trade mark planning, and selling online. Privacy should sit beside those workstreams, not after them.

Train staff to stop over-collecting informally

Even if your formal forms are clean, staff can still collect unnecessary personal information through emails, call notes, messaging apps, and ad hoc spreadsheets. Sales and support teams should know what the business needs and what should not be requested casually.

Simple internal rules help, such as:

  • do not ask for identity documents unless the process specifically requires them
  • do not record personal details in free-text notes unless relevant to the service
  • do not request health or family information unless there is a clear need
  • escalate unusual requests before collecting extra information

Common mistakes businesses make

The same problems show up repeatedly across SMEs and startups.

  • Collecting full dates of birth where age confirmation would be enough.
  • Requiring phone numbers for digital products or low-risk enquiries.
  • Keeping copies of identity documents without a clear reason.
  • Asking job applicants for excessive background details too early.
  • Using one long form for every customer type, even when needs differ.
  • Collecting sensitive information because a software platform includes the field.
  • Assuming a privacy policy makes unnecessary collection acceptable.

If any of those sound familiar, principle 1 is a good place to review your privacy position.

FAQs

Does principle 1 mean we can only collect the bare minimum?

Not exactly. You can collect information that is reasonably necessary for a lawful business purpose. The issue is whether you can justify each item, not whether you have reduced everything to the absolute lowest level possible.

Can we collect information now in case we need it later?

Usually, that is risky. A future possibility on its own is often too weak. If the information is only needed at a later stage, collect it at that later stage.

Do optional fields solve the problem?

Not always. Optional fields can help, but the business should still have a valid reason for asking. If a question has no real lawful purpose connected to your activities, making it optional does not fully fix the issue.

Does principle 1 apply to employee and contractor information?

Yes. It applies whenever your business collects personal information, including during recruitment, onboarding, and day-to-day management. Employment context does not remove the need for lawful purpose and necessity.

What if our software provider stores fields we do not use?

You should configure systems to avoid unnecessary collection where possible. If a platform creates default fields, review what is actually activated, displayed, required, and retained. Convenience from a vendor does not decide compliance for your business.

Key Takeaways

  • Principle 1 requires your business to collect personal information only for a lawful purpose connected to its activities, and only where the collection is necessary for that purpose.
  • The main question is not whether information could be useful, but whether you genuinely need it at that point in the process.
  • Over-collection often appears in customer forms, marketing funnels, recruitment documents, onboarding packs, and software defaults.
  • Sensitive information needs closer scrutiny, clearer justification, and tighter process design.
  • Your privacy notice should match your real collection practices, but a notice alone does not make unnecessary collection lawful.
  • Review forms and systems before you launch online, before you sign a vendor contract, and before you invest in workflows that may collect too much information.

If your business is dealing with principle 1 and wants help with privacy audits, collection notices, customer and staff forms, and software data collection reviews, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo
Alex SoloCo-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Get your customer-facing terms right

Get in touch with our team

Tell us what you need and we'll come back with a fixed-fee quote - no obligation, no surprises.

Keep reading

Related Articles

Using Drones Over Private Property in New Zealand: Legal Issues for Businesses

Using Drones Over Private Property in New Zealand: Legal Issues for Businesses

Using drones over private property can create privacy, consent, and compliance issues for New Zealand businesses. This guide explains the key legal risks

13 Jun 2026
Read more
Returns and Exchanges Policies for NZ Online Businesses

Returns and Exchanges Policies for NZ Online Businesses

A returns and exchanges policy can reduce disputes for NZ online businesses, but it needs to work with consumer law, fair trading rules, and privacy

13 Jun 2026
Read more
Privacy Disclosures for New Zealand Businesses: When and What to Disclose

Privacy Disclosures for New Zealand Businesses: When and What to Disclose

Privacy disclosures are not just a website footer issue. If your New Zealand business collects personal information through forms, apps, CCTV

11 Jun 2026
Read more
Recording Conversations in NZ: Legal Requirements for Businesses

Recording Conversations in NZ: Legal Requirements for Businesses

If you run a small business in New Zealand, you’ve probably had moments where you’ve wished you could “just hit record” on an important phone call or meeting. Maybe you’re dealing with...

10 Jun 2026
Read more
Marketplace Data Processing Addendums in New Zealand: Key Privacy Issues to Check

Marketplace Data Processing Addendums in New Zealand: Key Privacy Issues to Check

A marketplace data processing addendum can quietly decide who carries privacy risk when your business sells through a platform. This guide explains the

8 Jun 2026
Read more
Marketplace Privacy Policies in New Zealand: What Online Platforms Should Include

Marketplace Privacy Policies in New Zealand: What Online Platforms Should Include

Running an online marketplace in New Zealand means handling personal information from buyers, sellers and service providers, often across multiple tools

8 Jun 2026
Read more
Need support?

Need help with your business legals?

Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.

Get StartedBook A Call