A photography business took pictures of a parent with their child for free, informing them that the pictures would only be held for the parent to purchase.

Later, the parent was surprised to see their pictures used as advertising material for the business. They complained to the Privacy Commissioner, who found the business in breach of its privacy obligations.

Under New Zealand’s privacy laws, any agency (including a business) collecting personal information has an obligation to make individuals aware that their personal information is being collected, and how it will be used. This can be done for clients through a privacy policy. The policy can also include the business’s general privacy obligations under privacy law.

Your privacy policy can be located on your business’s website, and at any point of collection of personal information. It must be made available to clients before any personal information is collected, or as soon as practicable after the information is collected.

A privacy policy must include:

  • The fact that information is being collected;
  • The purpose for which information is being collected;
  • The intended recipients of the information;
  • The name and address of the agency collecting the information;
  • The name and address of the agency holding the information;
  • Any law under which the information is required or authorised, and whether the supply of information by an individual is voluntary or mandatory;
  • What happens if an individual refuses to provide their personal information; and
  • The rights of an individual to access and correct their personal information.

As each business collects and uses personal information differently, it is important to have a tailored privacy policy which is specific to your business. For example, if your business is engaged in e-commerce, you will need to address any privacy issues regarding online payment in your policy.

Where relevant, you can also include the following in your policy:

  • What steps your business will take to ensure personal information is accurate, up to date, complete, and not misleading;
  • What steps your business will take to secure personal information against misuse, loss, unauthorised access, or disclosure;
  • How long personal information will be stored, and when it will be destroyed;
  • Where personal information will be stored, and whether it will be stored in digital or hard copy format;
  • Whether your business’s website will use cookies or online tracking technology;
  • The privacy policies of suppliers of additional software which collects information on behalf of your business (e.g. an online payment provider);
  • Whether unique identifiers will be assigned to your clients;
  • What happens if your clients’ privacy is breached; and
  • How your clients can make a complaint about their privacy.

In the case of the photography business above, if it had had a privacy policy detailing that the images could be used for promotional purposes, it would likely have fulfilled its obligations, as the parent would have been informed about the future use of the images.

To ensure your business’s privacy policy complies with our privacy laws, it pays to get advice from a legal professional experienced in the area who can assist you in appropriately drafting your privacy policy. 

Guy Goodwin and Hanifa Kodirova