It’s become increasingly common for businesses to trade in personal information. Maybe it’s even something that you’re looking to incorporate into your own business model. Or perhaps you’re concerned that your business is inadvertently trading in personal information, and you want to be informed about the consequences of doing so. 

When you’re working out whether your business is allowed to trade in personal information, it is important to understand your obligations under privacy law. This is a tricky legal area to navigate, and getting things wrong could see you facing hefty penalties! 

What’s The Difference Between Personal Information And Sensitive Information?

Before you can determine whether your business will trade or is trading in personal information, it’s first important to understand what ‘personal information’ actually is, and how it differs from ‘sensitive information’. 

Personal Information

According to the Privacy Act 2020, personal information is ‘information about an identifiable individual’. 

Simply put, personal information is any information that could identify an individual, and can include things such as:

  • Name or date of birth
  • Contact details (e.g. a residential or business address, or a phone number)
  • Photograph
  • Internet protocol (IP) address
  • Location information from a mobile device
  • Credit information
  • Biometric information
  • Sensitive information
  • Unique identifiers (e.g. driver licence number)
  • Employment-related information

Ultimately, whether information will be considered to be ‘personal information’ depends on whether the individual can be identified in the particular circumstances.

Sensitive Information

Sensitive information is a category of personal information that includes information about an individual’s:

  • Racial or ethnic origin
  • Sexual orientation or practices
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union membership
  • Criminal record
  • Health information
  • Genetic information

Sensitive information generally carries a higher level of privacy protection compared to other types of personal information, as mishandling this type of information has the potential to have a bigger detrimental impact on the relevant individual.

Did You Know?

Personal information does not have to be true, and it can also include information that is already publicly available. It’s important to remember that the definition of personal information is very broad, and that it is not confined to the wording of the Privacy Act 2020.

Does Your Business Trade In Personal Information?

Now that you understand what constitutes ‘personal information’, the next step is to work out what it means to ‘trade in personal information’.

Trading in personal information involves buying or selling personal information without the consent of the relevant individuals. For example, if a business buys or sells a mailing list without the consent of the individuals contained on that list, the business will be trading in personal information. 

Whether your business is said to be trading in personal information generally comes down to the question of consent.

If you collect and/or disclose personal information to someone else for some sort of commercial gain without the consent of the individual(s) to whom the information belongs, you will likely be considered to be trading in personal information. Conversely, if you have the consent of the individual concerned, you will not be trading in personal information. This applies even if you give or receive payment for the personal information.

Another circumstance in which you will not be considered to be trading in personal information is if you are sharing the information because you are authorised or required to do so by law.

The Privacy Act 2020 & The Information Privacy Principles

If your business trades in personal information, you will need to comply with the Privacy Act 2020 and the Information Privacy Principles (IPPs). 

The IPPs are a set of 13 principles you must follow in order to comply with the regulatory framework established by the Privacy Act. You need to understand your obligations under the IPPs to avoid interfering with the privacy of an individual, and to also avoid regulatory action and penalties.

The IPPs govern the standards, rights, and obligations surrounding:

  • How personal information can be collected, used, and disclosed
  • Your business’ obligations with regards to governance and accountability
  • What rights individuals have when it comes to accessing their personal information
  • The integrity and correction of personal information that has been collected

Your Business’ Obligations Under The IPPs

We’ve put together a quick summary of your business’ obligations under the IPPs. Abiding by these principles will ensure you don’t get into legal trouble when trading in personal information. 

[The detailed list of IPPs and obligations would be provided here, similar to the APPs in the original text, but tailored to New Zealand’s Privacy Act 2020 and the Information Privacy Principles.]

What Is The GDPR And Why Do You Need To Know About It? 

The European Union (EU) introduced the General Data Protection Regulation (GDPR) in May 2018. 

You might be wondering why we’re mentioning regulations from halfway around the world. As it turns out, the GDPR applies not only to businesses established in the EU, but also to any business that supplies goods or services to, or monitors the behaviour of, individuals residing in the EU. 

If your website is available worldwide and uses cookies to track the behaviour of users through their personal data, it’s important to ensure you’re complying with the GDPR.

The good news is that, if your business already complies with the IPPs, you’re likely to tick the majority of boxes in relation to the GDPR. You’re probably only going to need to make a few minor changes to your business’ operations to ensure that you’re abiding by the GDPR. These changes include having a GDPR-compliant privacy policy on your website, and understanding how to run your business in a GDPR-compliant way. 

‘Personal Information’ vs ‘Personal Data’

You may have noticed that when it comes to the GDPR, we’re talking about personal data as opposed to personal information.

That’s because, where the IPPs refer to ‘personal information’, the GDPR refers to ‘personal data’. It is important to be aware of the differences, though slight, between the two terms. 

As we noted above, personal information relates to information about an identifiable individual. 

In contrast, personal data is any piece of information that relates to an identifiable person. This can include a broad range of identifiers, including a name, an identification number or online identifier, location data, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual. 

The GDPR itself provides a useful guide to what can be considered personal data.

Consent & The GDPR

Under the GDPR, your business will need to show that an individual has consented to their personal data being collected.

An easy way for you to ensure you comply with this requirement online is by getting your customers to click or tick a box stating that they consent to the collection of their personal data in accordance with your business’ privacy policy.

Consumer Rights & The GDPR

The GDPR also provides a more comprehensive list of consumer rights than the IPPs. 

These include:

  • The right to the erasure of personal data: Your customer can ask you to erase their personal data in certain situations, such as if you no longer require the data for the purpose of initial collection, if they withdraw consent to the processing of their data, or if the data was wrongfully collected.
  • The right to data portability: Your customer has the right to ask you to hold their personal data in a structured, commonly used and machine-readable format.
  • The right to object to the processing of personal data: Your customer can, at any time, object to the processing of their personal data. 

It’s Best To Get Consent

If you’re still unsure about what you can and can’t do, it’s a good first step to be transparent and honest with the people from whom you collect personal information. Not only does this help your business avoid breaching any privacy laws and regulations, but it can also help you build trust with your customers.

If you have a website, make sure your privacy policy is not only easy to find, but also easy to read. 

Your privacy policy should include details relating to what information you may collect, the reasons for collecting the information, and how that information may be used. It’s also a good idea to ask your customers to accept that they have read your privacy policy and agreed to its terms. 

We wouldn’t recommend you draft your privacy policy yourself. A lawyer can help draft a privacy policy specific to your business.

Need Help?

Understanding what you can and can’t do with your customers’ personal information can be quite complex. 

If you need help drafting a privacy policy – or if you’re not sure where your business stands when it comes to trading in personal information – Sprintlaw has a team of friendly and experienced lawyers who are happy to help! 
Don’t hesitate to get in touch at [email protected] or call us on 0800 002 184 for a free, no-obligations chat.

About Sprintlaw

We're an online legal provider operating in New Zealand, Australia and the UK. Our team services New Zealand companies and works remotely from all around the world.

