Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in New Zealand, you’ve probably got personal information sitting in a few places at once - your CRM, your inbox, your booking system, your payroll platform, your website forms, and maybe even a shared drive.
That’s why an access request (often called a subject access request) can feel a bit stressful. A customer (or employee, contractor, or supplier) asks for “all information you hold about me”, and suddenly you’re not just running your business - you’re trying to work out what you’re legally required to find, collate, redact, and send.
With a clear process (and a bit of planning), these requests are very manageable - and getting them right helps you build trust and avoid privacy complaints under the Privacy Act 2020.
What Is A Subject Access Request (And Who Can Make One)?
A subject access request is a request by an individual for access to personal information an organisation holds about them (in New Zealand, this is usually referred to as an access request under the Privacy Act).
In New Zealand, the right to request access to personal information comes from the Privacy Act 2020 (and specifically the privacy principles about access and correction). In plain terms, if you hold personal information about someone, they can generally ask for it.
Who can make a subject access request? It can be:
- a customer or client;
- a patient (if you’re in health or wellness services);
- a subscriber or website user;
- an employee (current or former);
- a contractor or job applicant;
- a member (if you run a membership-based business); or
- any other person whose personal information you hold.
What counts as “personal information”? It’s information about an identifiable individual. Common examples for small businesses include:
- name, address, phone number, and email;
- purchase history, invoices, and payment details (noting you’ll often need to protect banking/card details carefully);
- support tickets, complaints, and correspondence;
- notes made by staff about interactions with the person;
- CCTV footage where a person is identifiable;
- call recordings;
- HR files, performance notes, and payroll information (for employees); and
- IP address and other online identifiers (depending on the context).
If you’re collecting personal information online, it’s usually a good idea to set expectations upfront with a clear Privacy Policy, because it helps you explain what you collect, why, and how people can access it.
What Makes A Subject Access Request “Valid” Under The Privacy Act 2020?
One of the most common myths we see is that an access request has to be in a particular format (for example, a signed form, a lawyer’s letter, or a specific heading like “SAR”). In most cases, that’s not true.
A request is generally valid if it’s clear that the person is asking for access to their personal information.
It doesn’t need to:
- use legal language;
- mention the Privacy Act 2020;
- call itself a “subject access request”;
- be made via any specific channel (it might come through email, a web form, social media, or even verbally).
It does need to:
- be made by the person the information is about (or someone properly authorised to act for them); and
- be clear enough that you can identify what information is being requested.
From a practical business perspective, you can (and often should) ask follow-up questions if the request is broad. For example:
- “Are you requesting your full account history, or only communications from the last 12 months?”
- “Do you want CCTV footage from a particular date/time?”
- “Are you seeking notes from your appointment records, or just invoices?”
This isn’t about blocking access - it’s about making sure you’re responding efficiently and accurately.
Do You Need To Verify Identity?
Yes - identity checking is a key part of responding safely. Before you disclose personal information, you should be confident you’re dealing with the right person (or their authorised representative).
How you verify identity depends on your business and the sensitivity of the information. It might include:
- confirming details you already hold (for low-risk requests);
- asking for photo ID (for higher-risk requests);
- confirming the request from an email address already linked to their account; or
- if someone is acting on their behalf, requesting proof of authority (for example, a signed authority).
Be careful not to collect excessive ID information you don’t actually need. If you do request ID, think about secure handling and deletion afterwards as part of your privacy practices.
How Should Your Business Respond To A Subject Access Request?
A good response process is all about being organised. When you treat an access request like a repeatable workflow (rather than a one-off panic), you’ll save time and reduce risk.
Step 1: Log The Request (And Don’t Ignore It)
As soon as a request comes in, record:
- the date and time received;
- who made the request and how they contacted you;
- what they asked for (copy/paste their wording);
- who in your business is responsible for responding; and
- any identity verification steps you’ve taken.
This creates a paper trail if you later need to show you handled the request properly.
Step 2: Clarify The Scope (If Needed)
If the request is broad (“everything you have”), it’s reasonable to clarify what they actually need. You can also confirm practical details such as:
- preferred format (PDF copies, spreadsheets, screenshots, audio files);
- delivery method (encrypted email, secure portal, physical collection); and
- time period relevant to the request.
Step 3: Search All Places Personal Information Might Live
This is where small businesses can get caught out. Personal information can exist outside your main system, including:
- email accounts and archived mailboxes;
- staff chat tools;
- shared drives and documents;
- accounting platforms;
- booking systems;
- support desk tools;
- paper files; and
- security systems (like CCTV).
If you use monitoring tools at work (for example, CCTV), you’ll also want to ensure your workplace approach is compliant and transparent - including whether cameras are legal in the workplace and what notices and policies you should have in place.
Step 4: Review, Redact, And Prepare The Release
Before sending anything, review the information carefully. Your obligations aren’t just about disclosure - they’re also about protecting other people’s privacy and your business’s legitimate interests.
Common practical steps include:
- removing or redacting information about other individuals (for example, another customer’s details in an email thread);
- redacting confidential commercial information where appropriate;
- withholding certain content where a lawful ground applies (more on that below); and
- preparing an index or summary so the person can understand what they’re receiving.
If you collect and store sensitive personal information, it’s also worth having internal processes for incidents and leakage - a Data Breach Response Plan can make a big difference if anything goes wrong during handling or transmission.
Step 5: Provide The Information Securely
When you deliver the response, think about security. Depending on what’s being disclosed, you might use:
- password-protected PDFs;
- encrypted email;
- a secure file transfer link;
- in-person collection with ID; or
- registered post (if physical copies are requested).
Secure delivery is especially important where the information includes financial details, health-related information, or employment records.
When Can You Refuse A Subject Access Request (Or Provide Limited Access)?
As a business, you generally need to provide access to personal information when someone makes a valid access request. However, the Privacy Act 2020 does allow refusals or limitations in certain situations.
This is a section where it’s worth being careful - if you refuse access incorrectly (or without explaining yourself), that’s when complaints to the Office of the Privacy Commissioner can escalate.
Common scenarios where you may be able to withhold or limit what you provide include where disclosure would:
- unreasonably disclose personal information about someone else;
- breach legal professional privilege (for example, lawyer advice);
- prejudice the maintenance of the law (for example, an investigation context);
- prejudice the security or defence of New Zealand (rare for most small businesses); or
- in some situations, reveal evaluative material provided in confidence (such as references), depending on the circumstances.
Even where you can refuse, you often still need to consider whether you can provide a version with appropriate redactions rather than refusing entirely.
If you’re making a refusal decision, it’s smart to get tailored legal advice because the “can we withhold this?” analysis often depends heavily on context and how the information was created and stored.
Do You Have To Explain Your Decision?
In most cases, yes - if you refuse (or partially refuse), you should explain:
- that access has been refused (or limited);
- the reason, in a way the person can understand; and
- that they can complain to the Office of the Privacy Commissioner.
Being transparent here can reduce conflict and shows you’re approaching the request in good faith.
How Quickly Do You Need To Respond (And Can You Charge)?
Timing matters with an access request. If you leave it too long, you increase the risk of a complaint - even if you eventually provide the information.
Under the Privacy Act 2020, organisations generally must decide whether to grant the request and respond to it as soon as reasonably practicable and no later than 20 working days after receiving it. If you need more time, you may be able to extend the timeframe in certain situations - but you should communicate that clearly (and early), including why you need an extension and when the person can expect your response.
A good “small business friendly” approach is:
- acknowledge receipt quickly (even if you can’t provide the information yet);
- confirm identity verification requirements upfront;
- give an estimated response date (within the 20 working day timeframe, unless you’ve advised an extension); and
- keep the person updated if there are delays.
Can you charge for responding to an access request? Sometimes a reasonable charge may be permitted (for example, where the request requires significant collation), but charging can be a sensitive step. It’s usually better to treat charging as the exception rather than the default, and to communicate and justify it clearly before incurring major work.
If you’re thinking about charging, it’s worth getting advice first so you don’t accidentally discourage or obstruct lawful access.
How Can Small Businesses Prepare For Subject Access Requests?
The best time to think about an access request is before you receive one.
When you build privacy compliance into your day-to-day operations, responding becomes faster, safer, and less disruptive. It’s also a strong signal to customers and clients that your business takes data seriously.
Put Clear Privacy Foundations In Place
At a minimum, most small businesses should consider:
- a clear Privacy Policy that explains what you collect and how people can access/correct it;
- internal rules about who can access customer data and when;
- document retention and deletion practices (so you’re not holding outdated information “just in case”); and
- security measures appropriate to what you hold (passwords, MFA, access controls, device security).
If you collect personal information through forms (online or in person), a Privacy Collection Notice can be a simple way to make sure you’re telling people the key things at the point of collection.
Train Your Team To Spot Requests Early
Access requests don’t always arrive labelled as a “request”. A customer might write something like:
- “Send me a copy of everything you’ve recorded about me.”
- “I want all notes from my appointment.”
- “What information do you have about me?”
If your staff can recognise those messages and escalate them to the right person quickly, you’ll avoid missed deadlines and inconsistent responses.
Be Careful With Call Recordings And CCTV
If your business records calls (for training or quality purposes), those recordings may be personal information - and could be requested.
It’s worth checking your setup against the rules around business call recording laws in New Zealand, especially around notification and consent practices.
Likewise, if you use CCTV, consider signage, retention periods, access controls, and how you would locate footage if a request comes in.
Have A Plan For Complaints Or Escalations
Even when you do everything right, some requests can become contentious - especially where the person expects “everything” and you’ve legitimately withheld parts (for example, to protect another person’s privacy).
A Privacy Complaint Handling Procedure gives your business a consistent way to handle disputes, document your reasoning, and respond calmly.
It also helps show you’re taking compliance seriously, which can matter if the Office of the Privacy Commissioner gets involved.
Key Takeaways
- An access request (often called a subject access request) is a request by an individual to access personal information your business holds about them, and it can come from customers, employees, contractors, or anyone else you have data about.
- A request doesn’t need special wording to be valid - if it’s clear the person is asking for their personal information, you should treat it as an access request and respond promptly.
- Your business should verify identity before disclosing information, then search all relevant systems (including email, shared drives, and CCTV/call recordings where applicable).
- You may be able to refuse or limit access in certain situations (for example, where disclosure would reveal another person’s personal information), but you should be careful and explain your decision clearly.
- Having strong privacy foundations - including a Privacy Policy, collection notices, secure handling processes, and a complaint procedure - makes access requests much easier to manage.
- If you’re unsure whether to release, redact, or refuse certain information, getting tailored advice can help you stay compliant and protect your business.
If you’d like help setting up privacy documents and processes, or you’ve received an access request and want to respond confidently, you can contact Sprintlaw for a free, no-obligations chat at 0800 002 184 or team@sprintlaw.co.nz.