Resources and learning

A child sits in a small chat wearing a spiderman t-shirt and denim shorts. He looks happy. Agencies need to be transparent about what personal information they’re collecting and how they will use it under the Privacy Act 2020.

Privacy statements, policies and notices serve different purposes for communicating how your agency handles personal information. This guidance will help you understand the key differences between these documents and how to work out which document to use to meet your obligations under the Privacy Act 2020.

On this page:
• Overview
• Does my agency need to have a privacy statement, notice or policy?
• How to know when to use a privacy statement, notice, or policy
• Format of notification
• Layered privacy notification

Overview

Statement: a privacy statement is an external public facing explanation that tells individuals what personal information is collected, why it is being collected and how it will be used or shared.

Notice: a privacy notice is a short disclosure provided at the point of collection, telling people about key details. For example, a pop up on a website, a poster or sign on display in the entrance to a shop, or a brief verbal explanation over the phone. Privacy notices can be used in conjunction with your privacy statement, by providing people with the key points, then linking to the privacy statement for more information.

Policy: a privacy policy is an internal document, which sets out the procedures for managing personal information to ensure compliance with the Privacy Act 2020.

Does my agency need to have a privacy statement, notice or policy?

All organisations who collect personal information need to be open about how personal information is collected, used and shared under IPP3 and (in some cases) IPP3A.

IPP3 requires every agency to be open and transparent about why they are collecting personal information and what they will do with it. Depending on your agency and what information you're collecting, a privacy statement may be enough to comply with IPP3. Sometimes you may need to tell the person whose personal information you're collecting at the time of collection, using a privacy notice, for example if you are collecting particularly sensitive information.

If your agency collects personal information from someone other than the person themselves, IPP3A requires you to ensure the individual is aware of that that. Read our full guidance about IPP3A and what is required if you indirectly collect personal information.

You also have other obligations under other IPPs on collection, use, storage, access, correction, and disclosure. A privacy policy is a great way to think through what information you collect, how you will keep it safe, and how you let people know.

How to know when to use a privacy statement, notice, or policy

What is a privacy statement?

A privacy statement sets out what personal information an agency collects and for what purposes the information will be used. A privacy statement should be publicly available and ideally provided prior to the collection of personal information, or if that is not possible, as soon as practicable after the collection.

What should I include in a privacy statement?

It is important your privacy statement is tailored to the operations of your specific agency. A privacy statement should be easy to read and should include:

What personal information is being collected.
The reason you are collecting it (purpose).
Who the intended recipients are.
What will happen if all or part of the personal information is not provided. E.g., your agency won’t be able to provide a service.
An individual’s right to request access the information held about them, and their right to ask to correct it.
How to contact the organisation who has collected the information.
If applicable, whether your agency is required by law to collect the information, and what law that is.

When you’re creating your privacy statement it’s important to check you’re following the privacy principles of New Zealand’s Privacy Act 2020, as other countries have different rules and requirements.

Our free online privacy statement generator Priv-o-matic can be a useful starting point to help you create your own statement. You can also refer to our privacy statement if you would like to see an example.

What is a privacy notice?

A privacy notice, sometimes referred to as a ‘just-in-time’ notice is usually a short notice given at the point of collection of personal information. For example, this could be when speaking to a customer over the phone, or collecting information in a mobile app.

Privacy notices can take various forms, such as a pop-up, banner, notification, dialog box or pre-recorded message. Privacy notices can be used in conjunction with your privacy statement, by providing people with the key points, then linking to the privacy statement for more information.

If the collection is covered by a privacy code of practice, there may be more specific notice requirements that you need to meet. For example, if your agency collects technology which collects biometric information, there are minimum requirements of clear and conspicuous notification. Read our full guidance on the Biometric Processing Privacy code and what is required if your agency collects biometric information.

What is a privacy policy?

A privacy policy is the full rule book. It’s an internal organisation document that sets out how personal information will be managed by your organisation in line with your privacy statement. The document should outline staff responsibilities, processes and controls consistent with all the information privacy principles under the Privacy Act 2020. This ensures everyone understands what is expected of them when handling personal information along with having clear escalation processes if a privacy breach were to occur. Some agencies will provide a copy or a summary of their internal policy on their external website to further increase transparency with their client base.

Checklist of privacy situations to include in your privacy policy.

Print a copy of this checklist (opens to PDF, 573KB)

Collection	What is your lawful purpose for the collection of personal information? What types of personal information do you collect? Who do you collect personal information from? Is it from the individual directly or is indirectly from another person? Is providing the personal information compulsory or voluntary? Do you collect any personal information via your website such as IP addresses, cookies and other data analytics?
Storage	Where will you keep the information? Consider both physical and digital locations. How will safeguard the personal information to prevent loss, misuse or disclosure? How long does the information need to be retained for? How will you dispose of the information once it is no longer needed?
Use	What are you using the personal information for? How will you ensure the personal information is only used for the original purpose which it was collected? How will you limit use to on a ‘need to know’ basis? E.g. by limiting permissions so only employees who need it as part of their duties have access.
Access	How will you provide an individual access to the personal information you hold about them? Do you need different processes if the requestor is a customer versus an employee? How will you provide access to CCTV footage? How will you respond to correction requests if a person thinks the information you hold about them is incorrect?
Disclosure	Before disclosing the information how will you ensure it is accurate, complete, relevant, up to date and not misleading? Will you be disclosing the information outside of New Zealand?
Privacy incidents	What steps should staff take when a possible privacy breach, a privacy breach, or a near miss occurs? Including who should the staff member who noticed the incident report it to? Consider processes for both internal and external privacy breaches. For example, unauthorised access by employee browsing or an external cybersecurity hack. How will incidents be recorded internally? Does your agency have a plan for how it will learn from incidents and improve its processes?
Other considerations	Are you sharing information with a third-party provider? Who is your organisation’s Privacy Officer? How often will the policy be reviewed and who is responsible for keeping in the loop about privacy law updates?

Format of notification

There are different ways your organisation can communicate privacy information. The best way to communicate your privacy information will depend on how you collect personal information. For example, if you collect personal information in person, it makes sense to share your privacy information in person as opposed to online and vice versa.

It is important privacy information is readily available and embedded into your processes when collecting personal information. This includes providing the content in an accessible way where people can understand and engage with the information. For example, ensuring the content is free from any jargon, acronyms and technical language. It may be appropriate to communicate your privacy information in multiple ways, which might include using alternative formats such as Easy Read, large print, braille and audio, ensuring it can be understood by all New Zealanders.

Organisations will often communicate their privacy information in a variety of ways and some common ways agencies can communicate their privacy information include:

On an agency’s external facing website.
Spoken, in person or on the phone.
At the front desk or reception.
Sign in kiosk or tablet.
Information brochures.
Signage.
Enrolment forms.
Before entering data and when people are about to submit an application or form.

Layered privacy notification

A layered privacy notification is an effective option you can use to communicate privacy information. That’s where the reader is presented a short summary or overview of the important details and then there are subsequent layers that provide more detailed information. By presenting your privacy information in this way people can find the most relevant details quickly.

The first layer could be a short notice provided at the point of collection, which will explain:

Why the personal information is being collected.
If providing the personal information is compulsory or voluntary
Who may receive the personal information provided.
A link to the full privacy statement.

The second layer will be for people who want more detailed information on your full privacy statement:

How the personal information will be used.
How the personal information is stored.
How long the personal information will be retained.
How individuals can access or correct their personal information held.
Details on who their information may be shared with.
A link to the full privacy statement, if you’re not using the full privacy statement as your second layer already.

A third layer is not always necessary but can be used to provide additional information such as technical details how personal information is stored in a secure data base.

Example of a layered privacy notification

Sally’s Shoes is a small business that operates across New Zealand selling locally-designed shoes. The business operates both physical and online stores. Personal information is collected to fulfil orders, send newsletters and as part of their loyalty programme. Below is an example of a layered privacy notice they provide to their customers.

Layer 1: Is a notice displayed directly on their counter or via a pop up online before a purchase or as part of a sign-up form to their newsletter or loyalty programme. It states:

‘We collect your name, email, and postal address to process your order and send you a digital receipt. We also collect your purchase history to send you a tailored newsletter and to sign you up to our loyalty programme. See our full privacy statement for more information.’

Layer 2: is a concise statement that explains what personal information they collect, how they use it, and people’s rights under the Privacy Act 2020.

Personal information we collect includes:

Name, phone number, email, postal address.
Purchase history.
Payment information.
Device and browsing data used for improving our website.

We collect personal information for the following purposes:

To process orders and payments.
To send tailored newsletters.
To communicate rewards as part of our loyalty programme.

Data storage and retention:

We store your personal information in a secure online New Zealand based platform and in an encrypted cloud storage system.
Personal information is kept for as long as necessary for a lawful purpose before it is deleted.
Marketing and loyalty programme information is retained until you unsubscribe.

We share your personal information with:

Payment processors and as part of layby payment plans.
Marketing partners.

Your rights:

To access and make a correction request for the personal information we hold about you.
Request your personal information be deleted.
Opt-out of our newsletter or loyalty programme.

You can contact us at [ example email address].

Quick links to other helpful resources

Poupou Matatapu – a free online toolkit to help you do privacy well.
Biometrics – guidance on the Biometrics Processing Privacy Code, if your agency uses biometric technologies such as facial recognition technology.
Working with third-party providers – what you need to think about from choosing a third-party provider, to your ongoing responsibilities when using them.
Artificial Intelligence – protecting privacy when using AI.
Children and Young People’s Privacy Project – to guide you on when you should or shouldn’t collect personal information from children and young people.
Access our free e-learning modules.