Entry D2 v1 — Privacy Act for SMBs

Cluster: Compliance floor
Shape: Compliance
Slug: privacy-act-for-smbs
Status: v1, drafted from reconsideration as Tier 3 candidate + statutory anchor research May 2026


Title

The Privacy Act applies to my business. What do I actually have to do?

The short version

The Privacy Act 2020 applies to every NZ business that collects personal information about identifiable people — which is essentially every business. It's not "for big companies" or "for companies that have a website privacy policy." Two obligations matter most for SMBs: appoint a Privacy Officer (you, by default — every agency must have one), and notify both the Privacy Commissioner and affected people if a privacy breach is likely to cause serious harm. Beyond that, the 13 Information Privacy Principles set the framework for how you handle personal information across its lifecycle — collection, use, storage, disclosure, retention, disposal. Most of it is common sense; some of it has sharp edges; one of them (Principle 12, overseas disclosure) catches operators by surprise.

Where to find the authoritative answer

Office of the Privacy Commissioner. The official regulator's site, with self-service guidance, the privacy breach notification form, and the AskUs tool on privacy.org.nz. For procedural detail on any specific question, this is the destination.

privacy.org.nz

Privacy Act 2020. The statute. 13 Information Privacy Principles in section 22; notifiable privacy breach framework in Part 6; Privacy Officer requirement in section 201.

legislation.govt.nz

What to watch for

Six things that change how the Privacy Act actually applies to an SMB — most of which the privacy-policy-template content doesn't surface.

1. You need a Privacy Officer. Default position: you. Section 201 of the Privacy Act requires every agency to designate at least one Privacy Officer.¹ For SMBs, this is almost always the owner-operator. The Privacy Officer's role is to encourage compliance with the IPPs, deal with requests for personal information, work with the Privacy Commissioner on investigations, and ensure compliance with the Act generally. There's no formal qualification requirement and no registration — you just need to be appointed (a one-line internal note is enough), know what the role involves, and be the person who handles privacy matters. The trap is treating this as "we don't need a Privacy Officer because we're small" — every agency needs one, and the absence is itself a breach of section 201. The fix is the smallest paperwork move in the entry: write "[Your name] is the Privacy Officer for [Company Name], effective [date]" and keep it on file.

2. Notifiable privacy breaches. The test is "serious harm," and the clock starts ticking. Part 6 of the Privacy Act requires you to notify both the Privacy Commissioner and the affected individuals if a privacy breach has caused, or is likely to cause, serious harm.² Serious harm is assessed against factors in section 113: the sensitivity of the information, the nature of the potential harm, who obtained or may obtain the information, whether the information was protected (e.g., encrypted), and the steps you've taken to reduce the risk. The notification must be made "as soon as practicable" — there's no fixed deadline but undue delay is itself a breach. Common SMB breach examples: a laptop stolen from a car containing customer data; an email sent to the wrong address with personal information attached; a contractor with access to your CRM left and the access wasn't revoked. The discipline is having a response plan in place before a breach happens — a one-page document covering who to call, what to assess, when to notify, how to communicate. The plan doesn't have to be elaborate; it has to exist.

3. The 13 Information Privacy Principles. Mostly common sense; some sharp edges. Section 22 sets out the 13 IPPs governing the lifecycle of personal information.³ Common-sense principles: only collect what you need (IPP 1), collect it lawfully and openly (IPP 4), keep it accurate (IPP 8), don't keep it longer than necessary (IPP 9), use it only for the purpose collected (IPP 10), disclose it only as authorised (IPP 11). The sharp edges are in three principles. IPP 5 (security) — you must take reasonable security safeguards proportionate to the sensitivity of the information; for SMBs this means at minimum strong passwords, access controls, backup procedures, secure disposal. IPP 6 (access) — individuals have the right to request a copy of personal information about them that you hold; you have to respond within 20 working days. IPP 12 (overseas disclosure) — when you disclose personal information to an overseas party that uses it for its own purposes, you must ensure that (a) the receiving party has comparable privacy safeguards, (b) the receiving party is bound by contractual privacy obligations, or (c) the individual has authorised the transfer. The key word is disclosure: a cloud provider holding your data as a processor or agent — for your purposes only, not their own — does not constitute disclosure under section 11(3) of the Act; the AWS server in Sydney is not an IPP 12 event. The trigger is when the overseas party uses the data independently: an overseas marketing platform building customer profiles, an analytics provider running your data through its own models, a contractor with substantive independent access. Map which overseas parties are agents (processing on your behalf) and which have independent use — only the latter triggers IPP 12.

IPP 3A (indirect collection notice — in force 1 May 2026) — the Privacy Amendment Act 2025 added a new obligation: if you collect personal information about someone indirectly (from a third party rather than from the individual themselves), you must notify that individual as soon as reasonably practicable. The existing IPP 3 collection-notice obligation covered direct collection; IPP 3A extends it to indirect collection. Common SMB indirect-collection scenarios: purchasing a contact or mailing list, receiving referrals where the referring party provides personal details, aggregating information from public directories or social media. If you collect personal information from any source other than the individual, a notification obligation applies — not retrospectively for historical collection, but for any indirect collection from 1 May 2026 onward.

4. The Privacy Act and the record-keeping obligations work in opposite directions. The reconciliation is the statutory period. IPP 9 says don't keep personal information longer than necessary. Section 22 of the Tax Administration Act says keep tax records for 7 years. Section 130 of the Employment Relations Act, together with the Wages Protection Act and the Holidays Act, says keep employment records for 6 years. The tension dissolves once you understand the reconciliation: the statutory retention periods establish what "necessary" means for those record types. You can lawfully keep payroll records for the statutory period; you must dispose of them once the period (plus any extension the Commissioner of Inland Revenue requires) ends. See the entry on record-keeping obligations for the integrated picture. The Privacy Act over-retention exposure comes from records outside the statutory retention frameworks — old customer email addresses you've kept "just in case," former-employee personal information beyond the statutory period, marketing-list contacts who've unsubscribed but stayed on the list. Build a disposal discipline for those.

5. Privacy breach penalties are real but bounded. Failing to notify is the bigger exposure. The headline penalty is small by international standards: failure to notify a notifiable privacy breach is a criminal offence carrying a maximum fine of $10,000.⁴ Individual complainants can also take cases to the Human Rights Review Tribunal, which can order damages. The bigger exposure isn't usually the fine — it's the reputational consequence of a public breach handled badly, plus the Commissioner's compliance notice powers (the Commissioner can publicly direct you to take specific actions, and non-compliance with a compliance notice is itself an offence). For SMBs the practical implication is that the response to a breach — notify quickly, communicate clearly, take demonstrable corrective action — usually determines the actual cost more than the technical breach itself. Have the response plan; don't try to manage a live breach from scratch.

6. Privacy policies are useful but not load-bearing. The substantive obligations are. Most "Privacy Act compliance" content focuses on having a published privacy policy on your website. A privacy policy is useful — it satisfies the IPP 3 transparency obligation about how you collect information and is good customer-trust practice — but it's not the substantive compliance. You can have an immaculate privacy policy and still breach the Act by storing data insecurely (IPP 5 breach), keeping data too long (IPP 9 breach), failing to respond to an access request (IPP 6 breach), or sending data overseas without comparable safeguards (IPP 12 breach). The privacy policy is the visible compliance; the substantive compliance is the operational discipline behind it. For SMBs the practical implication is that copying a privacy policy template doesn't make you compliant; it makes you appear compliant while leaving the substantive obligations unaddressed. The fix is to start with the substantive obligations (Privacy Officer appointed, breach response plan in place, IPP 5 security measures, IPP 6 access response process, IPP 12 overseas disclosure mapped) and then write the policy to reflect what you actually do.

A separate point on what the Privacy Act actually protects against operationally. Beyond the legal obligations, the substantive purpose of privacy compliance is trust — customers trust you with their information because they have to in order to transact with you, and the trust is conditional on you not doing things they wouldn't expect. A breach of the Act is usually a breach of that implicit trust, and the customer-side consequences (lost trust, lost business, reputation damage) typically dwarf the regulatory consequences. The compliance work isn't busywork to satisfy a regulator; it's the operational shape that produces the trust the business depends on. Treating it that way — privacy compliance as a customer-trust discipline rather than a regulatory burden — usually produces better compliance outcomes too, because the substantive principles (only collect what you need; keep it secure; use it for the stated purpose; let people see and correct it; dispose of it when done) are also the principles that build trust. Same discipline, two reasons to do it.

The third reason turns privacy from cost into access. Enterprise and government buyers send a security questionnaire before they sign — where is your data, who is your Privacy Officer, what is your breach response — and the operator who can answer wins work that the one who can't doesn't get to bid for. The same discipline makes you sale-ready under due diligence (DD).

Where this entry stops

This entry covers the Privacy Act 2020 framework as it applies to typical NZ SMBs. It doesn't cover:

  • Specific industry privacy frameworks — health information has additional protections under the Health Information Privacy Code; credit reporting under the Credit Reporting Privacy Code; telecommunications under specific codes. Sector-specialist territory.
  • GDPR and overseas privacy law compliance — if you have EU customers, GDPR may apply alongside the NZ Privacy Act. Specialist territory; advice depends on your specific customer base.
  • Specific breach response procedures — the technical and communications side of handling a live breach. Crisis management territory; engage specialists if a serious breach occurs.
  • Direct marketing and Unsolicited Electronic Messages Act 2007 — the spam-and-marketing-consent framework. Adjacent territory.
  • Employee monitoring and workplace privacy — cameras, email monitoring, surveillance. Specific Privacy Commissioner guidance; nuanced territory.

For specific questions, the Office of the Privacy Commissioner's AskUs tool is useful for SMBs. For breach response support, the Privacy Commissioner publishes a NotifyUs breach notification tool that walks through the assessment and notification process.


Last verified 9 June 2026. Full source list: references.
