Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Are There Any Businesses That Are Not An “Agency”?
Practical Compliance Checklist If You’re An “Agency”
- 1. Map The Personal Information You Collect
- 2. Put A Privacy Policy And Collection Notices In Place
- 3. Update Your Customer-Facing Terms If They Touch Personal Information
- 4. Train Your Team (Even If Your “Team” Is Just Two People)
- 5. Have A Plan For Requests And Complaints
- 6. Review Your Contracts Where Third Parties Handle Data
- Key Takeaways
If you run a small business in New Zealand, you probably collect personal information more often than you realise - customer names, emails, delivery addresses, staff records, CCTV footage, website enquiries, even IP addresses.
Under the Privacy Act 2020, most businesses that collect, use or store personal information will be treated as an “agency”. That sounds like a government term (and it can include government bodies), but in privacy law it often applies to everyday businesses too.
This matters because once you’re an “agency”, you’re generally on the hook for complying with the Privacy Act 2020’s information privacy principles, including having a lawful reason to collect data, keeping it secure, responding to access requests, and notifying certain privacy breaches.
Note: This article is general information only and isn’t legal advice. Privacy obligations can be fact-specific, and your business may also need to comply with other laws (for example, the Unsolicited Electronic Messages Act 2007 for marketing messages).
In this article, we’ll break down the Privacy Act 2020 definition of an agency in plain English, show you the most common examples for small businesses, and explain what you should put in place to protect your business from day one.
What Does “Agency” Mean Under The Privacy Act 2020?
In simple terms, the Privacy Act 2020 uses the word “agency” to describe the people and organisations that the law applies to.
So, when the Privacy Act says things like “an agency must not collect personal information unless…” or “an agency must take reasonable steps to keep personal information secure…”, it’s talking about you if your business fits within the definition.
The definition of “agency” under the Privacy Act 2020 is broad. It includes:
- Many organisations and businesses (including companies, sole traders and partnerships),
- Government departments and public sector organisations,
- Not-for-profits, clubs, and charities, and
- Individuals in some cases (for example, where personal information is collected, held, used or disclosed other than purely for personal or domestic purposes).
For most small businesses, the key takeaway is this: if your business deals with personal information in the course of operating, you’re very likely an “agency” under the Act.
What Counts As “Personal Information”?
Personal information is information about an identifiable individual. It doesn’t need to be “secret” or “sensitive” to be protected - it just needs to relate to a person who can be identified.
Common small business examples include:
- Customer names, phone numbers, emails and addresses
- Order history, invoices and payment details (even if payments are processed by a third party)
- Staff contact details, payroll data, performance notes
- Photos or video footage where people can be identified
- Complaint records tied to a customer
- Device identifiers and analytics data that can identify someone (in some contexts)
Once your business handles this kind of information, the privacy compliance conversation isn’t optional - it becomes part of your legal foundations.
Are There Any Businesses That Are Not An “Agency”?
Yes - but the exclusions are relatively narrow, and they don’t apply to most trading businesses.
The Privacy Act 2020 contains exclusions where a person or organisation may not be treated as an “agency” in specific situations. These can include, for example, some personal/domestic activities (like keeping a private address book) or certain Parliamentary functions.
For a typical SME - whether you run an online store, a café, a consultancy, a trade business, or a service-based business - you should assume you’re an agency unless you’ve had advice confirming otherwise.
It’s also worth noting that even if you think an exclusion applies, you can still face reputational and commercial risk if you mishandle customer data. In practice, good privacy habits protect your business either way.
Why The “Agency” Definition Matters For Small Businesses
Once your business is an agency under the Privacy Act 2020, you have legal responsibilities around how you collect, use, store, and disclose personal information.
That doesn’t mean you need a full-time privacy officer on day one - but it does mean you should have systems in place that fit your size and risk profile.
1. You Need A Clear Reason To Collect Personal Information
One of the big ideas behind the Privacy Act is “collect what you need, and be transparent about it”.
As an agency, you generally need to ensure that:
- you are collecting personal information for a legitimate business purpose, and
- you’re not collecting more than you reasonably need for that purpose.
For example, if you’re delivering products, you’ll need an address. If you’re sending marketing emails, you’ll need an email address (and you should be careful to only market in a compliant way under the relevant rules).
Where businesses get into trouble is collecting information “just in case”, or using it later for a purpose the customer wouldn’t reasonably expect.
2. You Need To Tell People What You’re Doing With Their Data
In a practical sense, this is where a proper Privacy Policy becomes important.
Your privacy policy (and any collection notices you use) should generally explain things like:
- what personal information you collect
- how you collect it (e.g. website forms, in-store, phone, social media)
- why you collect it
- who you share it with (e.g. couriers, booking platforms, IT providers)
- how people can request access or correction
This is especially important if you operate online, run targeted advertising, or rely on third-party platforms to process customer orders.
3. You’re Responsible For Security (Even If You Outsource)
Most small businesses use third parties for storage and processing - like cloud email, accounting software, booking systems, marketing tools, or website hosting.
Even if a supplier is doing the “heavy lifting”, you’re still the agency collecting the information, and you’re still expected to take reasonable steps to protect it.
That usually means thinking about:
- who can access personal information in your business
- password management and multi-factor authentication
- staff training and internal rules
- secure disposal of old records
- choosing reputable providers and documenting expectations
If you’re working with vendors who handle information for you, it can also be worth documenting privacy and security expectations as part of your broader contractual terms (particularly where data is a key part of the service).
4. You May Need To Notify Privacy Breaches
The Privacy Act 2020 introduced mandatory notification obligations for certain privacy breaches.
If you experience a privacy breach that is likely to cause serious harm (for example, a hack, ransomware incident, or accidental disclosure of sensitive customer data), you may need to notify:
- the Office of the Privacy Commissioner, and
- the affected individuals.
For a small business, the hardest part is often working out whether the breach is likely to cause serious harm (which can depend on factors like the type of information involved, who received it, and what protections were in place) and what your notification should say. Having a plan in advance can save you a lot of stress when something goes wrong.
Real-World Examples: When Your Business Will Be An “Agency”
It can help to make this concrete. Here are some everyday examples where small businesses are usually an “agency” under the Privacy Act 2020.
You Run An Online Store
If you sell products online, you likely collect customer names, delivery details, email addresses, and payment-related information. You’ll also often share information with couriers or fulfilment providers.
This almost always means you’re an agency, and you should have a website Privacy Policy and clear internal processes for handling customer requests.
You Employ Staff Or Contractors
If you have employees, you’ll hold personal information like bank details, emergency contacts, performance records, medical certificates, and leave records.
That puts you squarely in agency territory - and it’s one reason your Employment Contract and internal policies should align with how you manage privacy, confidentiality, and workplace information.
If you engage contractors, you may also be holding their personal information, and you might be disclosing client information to them to do the work. This is where clearly written agreements help avoid misunderstandings about data handling and confidentiality.
You Use CCTV Or Recordings At Your Premises
Many retail, hospitality, and service businesses use CCTV for security and safety reasons. Footage that identifies people is personal information.
That means your collection and storage practices matter - for example:
- Are customers notified that CCTV is operating?
- Who can access footage?
- How long is it kept?
- When is it deleted?
If you also record calls for training or quality assurance, you’ll want to be careful about how consent and notice works, and how recordings are stored and accessed.
You Provide Professional Or Health-Adjacent Services
If you’re in consulting, education, wellness, allied health, or any service that collects potentially sensitive information, the privacy compliance stakes are higher.
Even if you’re a very small operation, you’ll want to be extra careful with:
- consent processes
- access controls
- retention and disposal
- sharing information with third parties
In these industries, privacy expectations can also overlap with professional standards and client trust - and that can have a real commercial impact if anything goes wrong.
Common “Agency” Mistakes Small Businesses Make (And How To Avoid Them)
Most privacy issues we see in small businesses aren’t malicious - they come from moving fast, wearing too many hats, and not having the right legal foundations set up early.
Here are some common pitfalls to watch for.
Collecting Information “Because It Might Be Useful Later”
If you don’t need certain personal information to deliver your product or service, think twice about collecting it. Over-collection increases your risk and can create awkward conversations later if a customer asks why you needed it.
A good rule of thumb: only collect what you need, and be able to explain why.
Using Customer Data For Marketing Without Clear Permission
Customer marketing is a normal part of running a business - but using personal information for marketing should match what customers were told at the point of collection, and you may also need to comply with specific marketing rules depending on the channel (for example, electronic marketing is regulated under the Unsolicited Electronic Messages Act 2007).
This is where your privacy policy, sign-up language, and unsubscribe processes need to be consistent and clear.
Relying On Generic Templates That Don’t Fit Your Business
Privacy documentation isn’t just “paperwork”. If your policy doesn’t match what you actually do, it can create risk - especially after a complaint or breach.
For example, if your policy says you “never share information with third parties” but you routinely provide customer details to couriers or booking platforms, that mismatch can cause problems fast.
Getting tailored privacy advice (and tailoring your documents) is a practical way to protect your business as it grows. Where privacy obligations are built into commercial relationships, you may also need the right contract structure around services and data handling, such as a properly drafted Service Agreement.
Forgetting That “Employee Records” Still Need Careful Handling
It’s easy to focus on customer data and forget staff data - but HR information can be particularly sensitive.
From a risk management perspective, it’s worth ensuring you have:
- clear access controls (not everyone should see HR files)
- confidentiality obligations
- well-documented processes for handling requests and complaints
If you also operate in a way that handles employee information across related entities (for example, a group structure), it’s even more important to document who holds what and why.
Practical Compliance Checklist If You’re An “Agency”
If you’re reading this and thinking, “Okay, I’m definitely an agency - what do I do now?”, don’t stress. Most small businesses can get into a good compliance position with a few practical steps.
Here’s a straightforward checklist to work through.
1. Map The Personal Information You Collect
Start with a simple inventory:
- What personal information do we collect?
- Where does it come from (website, phone, email, POS system)?
- Where is it stored (software tools, shared drives, email inboxes)?
- Who do we share it with (couriers, IT providers, payroll providers)?
- How long do we keep it?
This is often the fastest way to spot gaps - like data being stored in personal inboxes, or having no clear retention rule.
2. Put A Privacy Policy And Collection Notices In Place
If you collect personal information through a website, booking form, sign-up page, or online checkout, a privacy policy is usually essential.
A good privacy policy isn’t there to sound impressive - it’s there to match your actual business processes and explain them clearly to customers.
3. Update Your Customer-Facing Terms If They Touch Personal Information
Depending on your business model, your customer terms may touch on privacy issues too - for example, if you run a subscription service, marketplace, online platform, or app.
It can be worth reviewing your Website Terms And Conditions so they don’t contradict your privacy policy, especially around user accounts, marketing, and third-party services.
4. Train Your Team (Even If Your “Team” Is Just Two People)
Privacy compliance usually succeeds or fails in day-to-day behaviour:
- How do staff handle customer complaints that include personal information?
- Do they verify identity before disclosing order info?
- Do they know what to do if an email is sent to the wrong recipient?
A short internal process (and a quick training session) can drastically reduce risk.
5. Have A Plan For Requests And Complaints
Individuals have rights to request access to their personal information and to request correction.
You don’t need a complicated system, but you do need to be able to:
- recognise a privacy request when it comes in,
- respond within the required timeframe, and
- avoid disclosing information to the wrong person.
Having a written process helps you respond consistently, especially if you’re busy or the request is sensitive.
6. Review Your Contracts Where Third Parties Handle Data
If suppliers and contractors handle personal information on your behalf (think IT providers, marketing providers, cloud platforms, outsourced admin), it’s smart to ensure your contracts deal with:
- confidentiality
- security expectations
- breach notification obligations
- what happens to data when the relationship ends
This is also where a well-drafted Non-Disclosure Agreement can be useful in certain relationships - especially if sensitive commercial information and personal information are being discussed during onboarding or negotiations.
Key Takeaways
- The definition of an “agency” under the Privacy Act 2020 is broad, and most small businesses will be an “agency” if they collect, use, store, or disclose personal information.
- “Personal information” includes common business data like customer names and contact details, staff records, and identifiable CCTV footage.
- Once you’re an agency, you have responsibilities around lawful collection, transparency, security, access/correction requests, and (in some cases) mandatory privacy breach notifications.
- Practical compliance starts with mapping what data you collect, having a clear privacy policy and consistent customer-facing terms, and training your team on day-to-day privacy handling.
- If third parties handle personal information for you, your contracts should clearly cover confidentiality, security, and what happens if there’s a breach.
- Getting your privacy settings and documents right from day one is one of the easiest ways to protect your business as you grow.
If you’d like help getting your privacy compliance sorted - including a Privacy Policy, website terms, or tailored advice for how your business handles customer and staff information - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.








