Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Most small businesses collect more data than they realise.
Maybe you run an online store and you’ve got customer delivery details. Maybe you manage a team and you store emergency contacts. Maybe you use CCTV for security, or you record customer service calls for training.
All of that can be personal information in New Zealand - and if it is, the Privacy Act 2020 sets expectations for how you collect it, use it, store it, and share it.
This guide breaks down what counts as personal information, why the definition matters for your business, and the practical steps you can take to reduce risk and stay compliant (without drowning in legal jargon).
What Is Personal Information Under The Privacy Act 2020?
Under the Privacy Act 2020, personal information generally means information about an identifiable individual.
That definition is deliberately broad. In practice, information will usually be personal information if:
- it is about a person (not a company); and
- the person is identified or is reasonably identifiable from the information (either on its own or when combined with other information you hold).
This is the key point for business owners: it’s not just “name and address” data. Personal information can include things that identify someone indirectly.
Direct Identifiers vs Indirect Identifiers
Some personal information identifies a person immediately. For example:
- full name
- photo or video footage where the person is recognisable
- phone number
- email address (especially if it contains the person’s name)
- home address
Other information might not identify someone on its own, but can identify them when combined with other data you hold (or data that’s readily available). For example:
- customer numbers or account IDs
- device identifiers
- IP addresses (depending on context)
- purchase history tied to an account
- location data
- employment records linked to a staff profile
If you’re ever unsure, a good rule of thumb is: if you can reasonably work out who it is, it’s personal information.
Common Types Of Personal Information Businesses Collect (Often Without Thinking About It)
When people ask what personal information is, they’re often thinking about “classic” data like names, emails, and phone numbers. But for businesses, the list is usually much wider.
Here are common categories of personal information you might be handling day-to-day.
Customer And Client Information
- names, emails, phone numbers, delivery addresses
- booking information (appointments, attendance history)
- support tickets and complaints (especially where a person is identifiable)
- customer preferences and profiles (eg marketing segments tied to individuals)
- payment-related details (even if you use a third-party payment provider)
If you collect personal information through your website, you’ll usually want a clear Privacy Policy that explains what you collect and why.
Employee And Contractor Information
- employment agreements, payroll records, bank account details
- performance notes and HR files
- rostering and timesheets
- emergency contact details
- health and safety incident reports (if linked to an individual)
Even in a small team, it’s worth treating people data as high-risk, because it often includes more sensitive details than customer data.
CCTV, Photos, Videos, And Audio
Many businesses use CCTV for security or take photos/videos for marketing (think gyms, events, hospitality, retail, clinics, trades, and more).
If a person can be identified from footage or recordings, it’s personal information.
The same applies to call recordings. If your team records calls (or you use a system that automatically records them), you should consider the privacy angle alongside the specific rules that apply to call recording - for example, the practical issues covered under call recording laws.
Online Identifiers And Website Data
Depending on how you operate, you might collect:
- IP addresses
- cookie identifiers
- login history
- device details
- behaviour analytics tied to a user profile
Not all website analytics will be personal information in every situation, but if it can be linked back to a specific person (especially if they have an account), it can quickly move into “personal information” territory.
“Sensitive” Personal Information
Some personal information is higher-risk because it could cause greater harm if misused or leaked (or because people reasonably expect extra care).
This can include:
- health information (including medical notes, injuries, disabilities)
- biometric information (eg facial recognition templates)
- criminal history checks (where relevant and lawful)
- information about a person’s finances
- information about children
If your business deals with this kind of data, you’ll want stronger safeguards and clearer internal rules. It may help to read up on sensitive personal information so you can spot higher-risk scenarios early.
What Is Not Personal Information? (And Why This Matters For Small Businesses)
Knowing what counts as personal information is only half the puzzle. The other half is understanding what doesn’t count - so you don’t over-complicate your compliance.
Company Information (Usually) Isn’t Personal Information
Information about a company (like an NZBN, registered office address, or a generic info@ email) is generally not personal information.
But be careful: if you’re dealing with a sole trader or a very small business, “business details” can still be personal information if they identify the individual (for example, “Jane Smith Plumbing” with a mobile number that goes straight to Jane).
Truly Anonymised Information
Information that has been anonymised so an individual is not identifiable is generally not personal information.
However, “anonymised” is often trickier than it sounds. If you can re-identify someone by combining the data with other information you hold, then it may still effectively be personal information.
For example:
- “Customer #1842 in a small town ordered this product at this time” might still be identifiable if you have matching order records.
- “One employee in the Wellington office had a workplace injury last week” could be identifiable in a small team.
Aggregated Stats (Usually) Aren’t Personal Information
Aggregated reporting like “25% of customers bought Product A” usually won’t be personal information, as long as it isn’t possible to connect it back to an individual.
This matters because good privacy practice isn’t just about protecting people - it also helps you keep your operations lean. Where possible, using aggregated or anonymised data can reduce your compliance burden and reduce breach risk.
Why The Definition Matters: Your Key Privacy Obligations As A Business
Once you’re handling personal information, you’re expected to follow the Privacy Act 2020 and the Privacy Principles (often called the “information privacy principles”).
You don’t need to memorise the principles to run your business well - but you do need to understand the main themes:
1. Collect Personal Information For A Clear, Lawful Reason
As a starting point, ask yourself:
- Why are we collecting this information?
- Do we actually need it to run the service?
- Could we collect less?
This “data minimisation” mindset is one of the easiest ways to reduce privacy risk from day one.
2. Tell People What You’re Doing (Transparency)
If you collect personal information, people should generally know:
- what you’re collecting
- why you’re collecting it
- who it might be shared with (eg couriers, booking platforms, IT providers)
- how they can access or correct their information
This is where a Privacy Collection Notice can be really useful - especially for forms, sign-ups, bookings, and onboarding processes.
3. Use And Disclose It Only In Ways That Fit The Original Purpose
One common small business trap is collecting personal information for one reason, then later using it for something else.
For example:
- collecting an email to send a receipt, then adding it to a marketing list without a proper basis
- collecting customer details for a booking, then sharing them with another business “because they might be interested”
Even when your intentions are good, this is where privacy complaints often start.
4. Keep Personal Information Secure
You’re expected to take reasonable steps to protect personal information from loss, unauthorised access, or misuse.
What’s “reasonable” depends on your business size and the sensitivity of the data, but practical examples include:
- strong passwords and multi-factor authentication
- limiting staff access to “need to know”
- encrypting devices (especially laptops and phones)
- secure storage for paper files
- safe disposal (shredding documents, secure deletion)
If your team uses work devices, cloud tools, or shared systems, internal rules like an Acceptable Use Policy can help set clear expectations and reduce “accidental” privacy breaches.
5. Let People Access And Correct Their Information
Individuals generally have rights to request access to personal information you hold about them, and to request corrections.
For a small business, the key is having a simple internal process so you can:
- recognise a request when it comes in (it might arrive by email, social media message, or in person)
- verify identity appropriately before releasing information
- respond within the required timeframe (generally within 20 working days, unless an extension applies)
6. If There’s A Privacy Breach, You Need To Respond Quickly
Privacy breaches aren’t just a “big corporate” problem. Small businesses are often targeted because they have fewer controls in place, and one compromised inbox can expose a lot of customer data.
If you have a breach (like hacked accounts, misdirected emails, lost devices, or accidental disclosure), you’ll need to assess it and take action - and if it’s a notifiable privacy breach, you must notify affected people and the Privacy Commissioner as soon as practicable.
This is where having a Data Breach Response Plan can save you a lot of time and stress, because it sets out who does what, when, and how.
A Practical Compliance Checklist: How To Handle Personal Information In Your Business
Privacy compliance is much easier when you treat it like a business system rather than a one-off document.
Here’s a practical checklist you can use to tighten things up.
Step 1: Map What You Collect (And Where It Lives)
Make a quick list of:
- what personal information you collect (customers, staff, suppliers)
- how you collect it (website forms, email, phone, in-store, third-party platforms)
- where it’s stored (CRM, spreadsheets, emails, accounting tools, paper files)
- who has access (team members, contractors, service providers)
- how long you keep it
This exercise alone often reveals “hidden” privacy risks - like old spreadsheets, shared inboxes, or unnecessary data sitting in someone’s laptop downloads folder.
Step 2: Minimise The Data You Collect
Ask: Do we need this information to provide the product or service?
If the honest answer is “not really”, consider removing that field from your form or changing your process. Less data means less risk if something goes wrong.
Step 3: Put The Right Customer-Facing Notices In Place
At minimum, many businesses will benefit from:
- a clear Privacy Policy on the website (especially if you collect info online)
- a short collection notice at the point of collection (eg your checkout, booking form, enquiry form)
This is also a trust issue. People are more likely to buy from you (and come back) if they feel you treat their data with care.
Step 4: Set Up Internal Rules For Staff
Your privacy risk isn’t just external hackers - it’s everyday human error.
Consider:
- training staff on phishing and handling customer information
- locking screens and not leaving devices unattended
- rules about forwarding emails, using personal devices, or saving data locally
- clear guidance on what can be shared with suppliers and when
If your systems are changing quickly (new software, remote work, new hires), tailored Privacy Advice can help you set rules that fit how you actually operate.
Step 5: Vet Your Suppliers And Service Providers
Most businesses use third parties to run efficiently - booking systems, payroll providers, cloud storage, marketing platforms, IT support, couriers.
From a privacy perspective, you should know:
- what personal information you’re sharing with them
- why they need it
- how they protect it
- whether the information is stored offshore (and what that means for risk)
Even if a third party causes the problem, your business can still wear the relationship damage if customers feel their information wasn’t handled properly.
Step 6: Have A Simple Process For Access Requests And Complaints
Small businesses often get caught out not because they did something intentionally wrong, but because they didn’t respond well when someone asked questions.
A simple process might include:
- a dedicated email address or person responsible for privacy queries
- a checklist for verifying identity before releasing information
- a standard response timeframe and escalation pathway
If you want to make this even easier, consider nominating a “privacy lead” internally (even if it’s not a formal role) so requests don’t get lost between team members.
Key Takeaways
- Personal information under the Privacy Act 2020 is broadly any information about an identifiable individual, including indirect identifiers in many cases.
- If your business collects names, contact details, bookings, CCTV footage, call recordings, HR files, or online identifiers tied to a user, you’re likely handling personal information.
- Information can still be personal information even if it doesn’t include a name - if someone is reasonably identifiable from the data you hold.
- Key privacy obligations include collecting only what you need, being transparent, limiting use/disclosure, keeping information secure, and responding appropriately to access requests and breaches.
- Practical steps like a Privacy Policy, collection notices, staff rules, and a breach response plan can significantly reduce your legal risk and protect your reputation.
If you’d like help setting up your privacy compliance (including a Privacy Policy, a Privacy Collection Notice, or a Data Breach Response Plan), feel free to reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.