Personal Information: What it is and how to protect it
All businesses collect information about people they work with or for, eg staff, suppliers, customers. New privacy laws may affect how you collect and store personal information. But what makes information personal?
The Privacy Act is changing.
If you collect, store or use personal information about employees or customers, you need to know about these changes.
Get ready for privacy law change.
What you need to know
Privacy is important when it comes to personal information about customers and staff. This information needs to be handled carefully. You can collect personal information as long as it’s needed for your business, but it must not be misused or leaked, even accidentally.
This idea is fairly well known, but what is less understood is what personal information actually is.
If you’ve been wondering about this, you’re not alone. This is the number one question the Office of the Privacy Commissioner receives through their interactive FAQ tool, AskUs.
Examples of personal information
Personal information is any piece of information that relates to a living, identifiable person. Anything you can look at and say, “This is about a specific person”.
It could be:
- contact details
- financial health
- purchase records.
Personal information can be found in many different places, including:
Even if there is no name attached, it can still be personal information.
The test is whether there's a reasonable chance someone could be identified from the information. It doesn’t need to be "secret" or "sensitive" — it just needs to be about them. For example, using photos of customers in marketing material might not identify the customers by name, but people might still recognise them.
What you need to do
Only ask for relevant information
You can ask for personal information from customers and staff. But make sure what you ask for is relevant and needed in that situation. Don’t ask for information you don’t need.
For example, when hiring, only ask for information related to the role you want to fill. If you are hiring someone who will need to drive, you’ll need to check they have a valid driver’s licence. It’s also justified to ask them to show whether they are eligible to work in New Zealand. But it’s not justified to ask them about their religion or whether they are single.
If your business collects personal information, you must tell people how, when and why.
Build your own privacy statement with the online tool Priv-o-matic.
Priv-o-matic — Office of the Privacy Commissioner
Take care when sharing
You can only share personal information (called disclosure) in special circumstances:
- Sharing the information is the main reason you got it. For example, passing on a customer’s address and contact details to a courier to deliver something they bought.
- The information is needed for law enforcement or court. For example, reporting a crime to the police, or when there’s a risk or serious threat to another person or the public.
- The person agrees their information can be shared. For example, an employee moving to another city gives you permission to give their email address to one of your contacts to set up a job interview.
- The information is going to be shared in a way that doesn’t identify the person. For example, after a customer trips in a store and injures themselves, the shop manager sends information to her staff about the incident and safety issue without sharing any identifying information about the customer.
Limits on disclosure of personal information — Office of the Privacy Commissioner
Requests for stored personal information
If a customer or worker asks for the information you have on them, you must respond to their request within 20 working days. If the information can be easily accessed, you need to tell them you have information and give them what you have.
The person requesting to see their information doesn’t need to tell you why they want to see it.
Anna works at a beauty salon. A man rings asking for a client’s new address so he can send flowers. She passes on the address, thinking he sounds trustworthy. A week later the client threatens to make a complaint under the Privacy Act.
Anna hadn’t known the man was her client’s abusive former partner.
This is why she shouldn’t have passed on the address — it’s impossible to know why someone may not want their information passed on, so it’s best to let people choose for themselves. Instead, she could have said she’d pass on a message to her client.
Good privacy is simply good business practice, regardless of the type of business or industry.
Do you have more questions about personal information?
Ask the Office of the Privacy Commissioner. Call 0800 803 909, use the online AskUs FAQ tool, or use the enquiry form on their website.