Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Privacy for agencies

The digital information generated about the average person on a daily basis now surpasses the amount of digital information individuals actively create about themselves. Agencies cannot avoid personal information; therefore they need to be able to design, recommend or install systems which manage personal information in a privacy protective way.

For a broader understanding of what privacy means for your organisation, check out our Privacy for agencies section. We also prepare a number of guidelines to help businesses and government departments to comply with their privacy obligations in relation to emerging and existing technologies:

Privacy guidelines for emerging and existing technologies

Apps guidance
This new resource helps businesses and app developers understand their legal obligations under the Privacy Act when collecting personal information through mobile apps.  It is designed to help build user trust and loyalty through good privacy practices.

Apps can gather large amounts of information about their users but apps often don’t explain clearly what information they collect and for what purpose.

While consumers may assume that established, trusted businesses will develop trustworthy apps, this is not necessarily the case. It is important that agencies, businesses and app developers know that it is unlawful to collect more information than is necessary. It is also important that consumers are informed about the permissions they agree to when they download an app.

Data Safety Toolkit
Data breaches happen often. Agencies can lose or leak personal information through complacency, inadequate security, poor procedures or rare accidents. The ease of digital copying and transmission means the data breaches can range from the loss of one person’s information to hundreds of thousands of records. The cause of a breach can be accidental or through the deliberate actions of others. It is vital to any organisation’s reputation and its relationship with the people who trust it with their information that it does everything it can to prevent a data breach from happening. But when a data breach occurs, it is important to do everything it can to minimise the harm that it might cause.

This guidance provides tips to help organisations prevent common mistakes that lead to data breaches, and advice on what to do when a breach happens.

Using the cloud
If you're a business person thinking about using the cloud, read on....

Shifting to the cloud can make good business sense, but there's a lot to weigh up.  One question that often worries businesses is whether their client and staff information will be safe if they switch to cloud services. 

We've developed a privacy checklist to help you to answer that question.  The checklist and its supporting material set out the most important privacy queries you should think about, and ask your cloud provider about. 

Why does it matter? Because whether personal information is held on your own computers, in a shared datacentre in New Zealand, or offshore, you've got legal obligations to protect it. Also, your clients trust you to get it right - and loss of trust is loss of business. So it's worth spending some time to think things through.

PSD Guide
Because of their small size, portable storage devices (PSDs) - like USB sticks - can be easily lost, misplaced or stolen. This guidance note is directed towards raising an awareness of the privacy risks associated with the use of PSDs in business and government.

CCTV Guide
Because CCTV captures images of people, which can be used, stored, manipulated and disseminated, those who operate the systems need to be aware of how to manage privacy issues. Good management of personal information is essential to the effective running of CCTV systems (including ensuring that they are cost-effective). These guidelines assist organisations of all sizes to manage CCTV systems in line with their legal obligations and good personal information handling practice.

Effective website privacy notices
Giving notice to website visitors about how your organisation collects and uses personal information is good practice. An effective approach to this task is to use a layered privacy notice, and we have recommended '10 Steps to develop a multilayered privacy notice' as a source of detailed information.

Privacy impact assessment handbook

Organisations frequently approach the Office of the Privacy Commissioner asking 'Will my project comply with the Privacy Act?' Sometimes this leads to the wider, and perhaps more valuable, questions:

  • How will my project affect the privacy of individuals?
  • Can I achieve my objectives while also protecting privacy?


View our new Privacy Impact Assessment Toolkit which provides the tools to help to answer these questions.