When Can NZ Businesses Share Personal Information Without Consent?

Alex Solo
byAlex Solo11 min read
Contents

Note: This article is general information for New Zealand businesses and isn’t legal advice. The Privacy Act 2020 can apply differently depending on the facts, and you may need tailored advice for higher-risk disclosures.

If you run a small business, you’ll almost definitely handle personal information at some point. Customer names and emails, delivery addresses, employee records, CCTV footage, supplier contacts - it all counts.

Most of the time, the “safe” approach is simple: get consent before you share someone’s personal information. But real life isn’t always that neat.

Sometimes you need to share personal information to make a sale happen, respond to a safety issue, deal with a legal request, or fix a mistake. The big question is: when can NZ businesses share personal information without consent and still comply with the Privacy Act 2020?

This guide breaks it down in plain English, from a business owner’s perspective, with practical examples and a checklist you can actually use.

What Counts As “Personal Information” (And What Counts As “Sharing”)?

Under the Privacy Act 2020, personal information is information about an identifiable individual. “Identifiable” is the key word - it doesn’t need to be someone’s full name and address to qualify.

Common Examples For Small Businesses

  • Customer data: names, phone numbers, email addresses, delivery addresses, order history, account IDs.
  • Employee data: payroll information, leave records, performance notes, health information (including medical certificates), emergency contact details.
  • Marketing data: mailing list details, preferences, behaviour tracking (including some cookie and analytics data if it can identify someone).
  • Security data: CCTV footage, door access logs, incident reports, complaints.

Sharing personal information can include:

  • emailing a customer’s details to a courier
  • sending staff information to your payroll provider
  • giving a contractor access to your CRM
  • forwarding an email chain that contains personal details
  • disclosing information verbally (it doesn’t have to be written)

In other words: if another person or organisation gets access to personal information because of something you did (intentionally or not), you’ve “shared” it.

It’s a common myth that consent is always required. In practice, the Privacy Act 2020 is mainly structured around the Information Privacy Principles (IPPs) - including limits on use and disclosure, fairness, transparency, and data minimisation - rather than “consent for everything”.

As a business, you generally need to make sure that when you collect, use, or disclose personal information, it’s connected to a lawful purpose and handled in a way that’s reasonable and not overly intrusive.

Consent can help - especially when you’re doing something unexpected - but it’s not the only basis on which sharing may be permitted. In particular, IPP 11 (limits on disclosure) includes exceptions where disclosure may be allowed without consent in specific circumstances.

Still, if you’re relying on an exception, you should be able to explain:

  • why the disclosure was necessary (not just convenient)
  • what exactly you disclosed (data minimisation matters)
  • who you disclosed it to and why that recipient made sense
  • how you protected the information (secure method, limited access, etc.)

That’s also why it’s important to have clear internal rules and an external Privacy Policy that matches what your business actually does.

Here’s where we get practical. Below are some of the most common situations where NZ businesses may be able to share personal information without consent under the Privacy Act 2020 (often by relying on an IPP 11 exception), and what you should watch out for.

1) Sharing To Deliver Your Product Or Service (The “Business As Usual” Disclosure)

If a customer buys something from you, it’s usually within their reasonable expectations that you’ll share some of their information with third parties to fulfil the order - for example, a courier, payment provider, IT provider, or installer.

Example: You run an online store and need to send a customer’s name, phone number, and address to a shipping company. This will often be permitted because it’s directly connected to the purpose the information was collected for (fulfilling the customer’s order), and you’re only disclosing what’s needed for delivery.

Key risk: oversharing. Only disclose what the third party needs. A courier does not need a customer’s full order history or date of birth.

Good practice: make this clear upfront in your privacy notices, and use contracts that reflect what your providers can and can’t do with the data (especially if they’re offshore or cloud-based).

2) Sharing With Service Providers And Contractors (But You Still Need Controls)

Most small businesses rely on third parties for payroll, accounting, IT support, marketing tools, booking systems, and customer support software.

Often, you can disclose personal information to these providers where it’s necessary for your business operations and consistent with why you collected the information in the first place. However, you should still manage privacy and security risks, because you remain responsible for making sure personal information is protected.

Example: You give your bookkeeper access to staff payroll records to process payments. That can be legitimate, but you should control access (least-privilege) and have the right contractual protections.

This is where a tailored Data Processing Agreement can be critical, especially when the provider is processing data on your behalf.

3) Sharing To Prevent Or Lessen A Serious Threat (Safety First)

The Privacy Act 2020 can allow disclosure in urgent situations, particularly where it’s needed to prevent or lessen a serious threat to someone’s life, health, or safety.

Example: You operate a gym. A member collapses, and a staff member provides relevant information (such as known medical conditions that are on file) to paramedics so they can respond appropriately.

This is one of those situations where waiting for consent could be unsafe or unrealistic.

Key risk: treating this as a “general safety exception.” It’s usually about serious, real threats, not minor inconvenience or general curiosity.

Sometimes you may need to disclose personal information to comply with another legal obligation, or in response to a lawful request. The key point is that you should only disclose where you’re satisfied there’s a proper legal basis to do so (for example, where an IPP 11 exception applies, or another law requires or authorises disclosure).

Example: Police request CCTV footage relating to an alleged incident near your premises. Depending on the circumstances and the nature of the request, disclosure may be permitted - but you should still consider whether the request is lawful, what information is reasonably necessary to provide, and whether you can narrow the time range or scope of footage.

Good practice: don’t hand over information automatically just because someone asks confidently. Ask for the request in writing where appropriate, confirm identity/authority, and keep a record of what you disclosed and why.

If you’re running workplace CCTV or monitoring tools, it’s also worth checking your overall approach to staff privacy, including whether cameras are appropriately used and communicated (for example, see the compliance issues raised in Are Cameras Legal In The Workplace?).

5) Sharing To Enforce Your Rights Or Resolve A Dispute

If there’s a dispute - for example, non-payment, a complaint, or potential legal action - it may be legitimate to disclose personal information where it’s reasonably necessary to protect your legal position, pursue a remedy, or respond to an issue raised.

Example: A customer makes a chargeback claim. You disclose relevant order and delivery details to your payment provider to challenge the claim.

Key risk: “venting” by over-disclosing. Even if you’re frustrated, you shouldn’t publish personal details online, send customer information to unrelated third parties, or share unnecessary background information.

If you’re dealing with recurring customer issues, it can also help to have robust customer-facing terms, like Business Terms, so you’re not relying on ad-hoc disclosures or informal processes when something goes wrong.

6) Sharing Within Your Business (Need-To-Know Still Applies)

“Sharing” isn’t just external. You can create privacy problems by sharing information internally with staff who don’t need it.

Example: A manager emails an entire team about an employee’s medical condition to explain roster changes. Even if it’s not shared outside your company, it could still be an unreasonable disclosure.

Good practice: limit internal access, train your staff, and document who can access what.

In many businesses, this is handled through a clear policy framework (and well-drafted employment documentation), such as an Employment Contract and workplace policies that explain confidentiality expectations and privacy procedures.

Even when you think an exception might apply, it’s worth slowing down and doing a quick check. Privacy issues often happen when someone is rushed, stressed, or trying to “be helpful”.

Here’s a practical decision-making framework you can use in your business.

Step 1: What’s The Purpose Of The Disclosure?

  • Are you disclosing to deliver a service, prevent harm, comply with law, or address a genuine dispute?
  • Or is it just convenient, “nice to have”, or based on assumption?

Step 2: Is The Disclosure Reasonably Necessary?

  • Could you achieve the same result without disclosing personal information?
  • Could you disclose less (for example, initials instead of full name, or confirmation of eligibility instead of full records)?

Step 3: Is This Within The Person’s Reasonable Expectations?

If you were the customer or employee, would you be surprised by this disclosure?

This is where transparency matters. If your privacy policy says one thing but your business does another, you’re exposed.

Step 4: Are You Sharing It Securely And To The Right Person?

  • Have you confirmed the recipient’s identity?
  • Are you using secure channels (not personal email accounts or public links)?
  • Are you limiting access and applying appropriate security?

Step 5: Have You Documented The Decision?

For higher-risk disclosures (especially anything involving health, incidents, police requests, or disputes), keep an internal note of:

  • the request (and who made it)
  • the information disclosed
  • why you believed disclosure was allowed
  • when/how disclosure occurred

This can be a lifesaver if there’s a complaint later, or if you need to brief your legal advisor quickly.

High-Risk Areas Where Businesses Get It Wrong (And How To Avoid It)

If you’re trying to share personal information without consent, these are the situations most likely to cause problems for small businesses.

Workplace Issues (Medical Info, CCTV, Complaints)

Employment situations can be sensitive because you’re often handling health information, allegations, performance issues, and security concerns. That’s exactly the kind of information that can trigger a serious privacy complaint if mishandled.

If you’re updating your policies or managing staff issues, it helps to have clear documentation from day one (including disciplinary and privacy processes), and tailored workplace policies rather than generic templates.

Marketing And Mailing Lists

Marketing is where many businesses accidentally move from “reasonable use” into “unexpected disclosure”. For example:

  • uploading customer emails into a marketing platform without telling customers
  • using customer order history to target ads in a way customers don’t expect
  • sharing a customer list with another business as part of a partnership promotion

If you’re doing email marketing, make sure your approach is lawful and transparent, and consider aligning it with the practical guidance in Email Marketing Laws.

Online Reviews And Customer Complaints

It’s tempting to respond to a negative review by “setting the record straight” with details of what happened. But disclosing personal information in a public forum (even if the customer started the discussion) can be risky.

A safer approach is to respond generally, invite the customer to contact you privately, and keep personal details out of public comments.

Business Sales And Due Diligence

If you’re selling your business (or buying one), it’s common to share information with prospective buyers during due diligence. But customer and employee information is still protected.

Example: A buyer asks for a list of customers including names, contact details, and spend history. That’s sensitive - and it’s not automatically okay to hand it over just because you’re negotiating a sale.

You’ll often need to think carefully about de-identifying information, staging disclosure, and using confidentiality arrangements. The documents and structure around the transaction matter too, including what’s in your Business Sale Agreement.

If you want to be confident you can share personal information without consent (when it’s genuinely allowed), it helps to set your systems up properly from the start.

1) Map What You Collect And Who You Share It With

  • What personal information do you collect (customers, staff, suppliers)?
  • Where is it stored (CRM, spreadsheets, email, cloud storage)?
  • Who has access?
  • Which third parties receive it (courier, payroll, IT, marketing platform)?

2) Have Clear Privacy Documents

Most small businesses should have a tailored Privacy Policy and (where relevant) clear collection notices at the point you collect information.

Your goal is to avoid surprises. If customers and employees understand what happens to their information, you’re less likely to face complaints and you’ll be in a stronger position if you rely on an exception.

3) Use The Right Contracts With Providers

If suppliers process or store personal information for you (especially IT and software providers), put appropriate terms in place - including confidentiality, permitted use, and security requirements.

For many arrangements, that means a Data Processing Agreement or a properly drafted service agreement that covers privacy responsibilities.

4) Train Your Team On “Need-To-Know” Access

  • Make sure staff only access personal information needed for their role.
  • Teach staff not to disclose personal information casually (even to “help”).
  • Have a clear process for police requests, emergencies, and disputes.

5) Prepare For Mistakes (Because They Happen)

A lot of privacy incidents are simple human errors: an email sent to the wrong person, a shared folder link left open, or a spreadsheet attached accidentally.

Having a plan matters. It’s worth putting a Data Breach Response Plan in place so you can respond quickly, contain the issue, assess harm, and meet any notification obligations.

6) When In Doubt, Pause And Get Advice

Some disclosures are straightforward. Others depend heavily on context - particularly anything involving:

  • health information
  • employee disputes or misconduct
  • law enforcement requests
  • business sale due diligence
  • sharing with overseas providers

If you’re unsure, it’s usually cheaper (and far less stressful) to get advice before the disclosure than to manage a complaint afterwards.

Key Takeaways

  • Personal information is broadly defined in New Zealand - if someone can be identified, it likely counts.
  • New Zealand businesses can sometimes share personal information without consent under the Privacy Act 2020, but you should be able to justify why it was necessary and reasonable (often by reference to an IPP 11 exception).
  • Common situations where sharing may be permitted include fulfilling services (like deliveries), sharing with providers who help you operate, preventing serious threats, responding to lawful requests, and managing genuine disputes - but you should avoid oversharing.
  • A simple internal test helps: clarify your purpose, check necessity, confirm expectations, share securely, and document your decision (especially for high-risk scenarios).
  • Small businesses often run into trouble with employee info, marketing, negative reviews, and business sale due diligence - planning and policies make a big difference.
  • Strong privacy foundations include a clear Privacy Policy, appropriate contracts with providers, staff training, and a Data Breach Response Plan.

If you’d like help setting up your privacy documents or making sure your business can share information lawfully (without creating unnecessary risk), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Get your customer-facing terms right

Get in touch with our team

Tell us what you need and we'll come back with a fixed-fee quote - no obligation, no surprises.

Need support?

Need help with your business legals?

Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.