Privacy for agencies

A real key to getting privacy right is to identify your purpose for collecting or using personal information - and to stick to that purpose.

Your purpose is the outcome you are trying to achieve: for instance, delivering a service or product or employing someone to do a particular job.

Identifying your purpose clearly will allow you to make good decisions about collecting and using personal information when you start putting your project into action. For instance:

  • Do you need to collect personal information at all? If so, what exactly do you need to collect? From whom? When? Only collect what you need to achieve your purpose.

If you don't know what your purpose is, you won't be able to explain it to anyone else!

If your purpose changes, or you want to use the personal information you have collected for an extra, unrelated purpose, you are likely to need the agreement of the people you collected it from.


  •  I know what I am trying to achieve.
  •  I know why I need personal information.
  •  I have a clear statement of purpose.


Agency Responsibility

The word 'agency' refers to almost anyone who holds personal information about others. Agency responsibilities are therefore your responsibilities.

Accuracy of personal information
Before you use personal information, you should take steps to check that it is accurate, up-to-date, complete, relevant and not misleading.

Incorrect information isn't any use to you, and it could lead you (or others) to make wrong decisions about the person involved.
[To read the law about this, click through to Privacy Principle 8]

Access to personal information
People have a right to access the personal information you hold about them. You should keep personal information in a way that is easily retrievable so you can:

  • tell a person that you hold their information when they ask, and
  • give them access to it.

There are sometimes good reasons for refusing to give a person access to information about themselves. There are strict timeframes for making decisions. If you are in the private sector, you may be able to charge for making information available.

[To read the law about this, click through to Privacy Principle 6]

Correction of personal information
People can ask you to correct their personal information if they think it is wrong. Tell them to let you know if the information is wrong - this is an easy way to ensure your information is up to date.

Even if you do not think a correction is justified, record that the person asked you to correct the information, and note exactly what they thought was wrong. Attach that record to the person's information so that everything is together. Knowing what the person thinks will help you (and anyone who looks at the record later) to make better decisions.

[To read the law about this, click through to Privacy Principle 7]

Holding on to personal information
Don't keep personal information for longer than is needed to achieve your purpose. Think about how long you need to keep it for.

[To read the law about this, click through to Privacy Principle 9]

Secure storage of personal information
Make sure that you hold and use personal information in a safe and secure way and that you dispose of it securely when you have finished with it. Security includes having good policies and training your staff to handle information properly.

Think about how you will keep documents secure - for instance, do you need a locked cabinet for physical documents? Who has access to your records storage? Do you need password protection or encryption for electronic documents or equipment? Don't forget to look after information in transit - for instance, if you have an e-commerce site, have you got a secure channel for payments?

[To read the law about this, click through to Privacy Principle 5]

For guidance on security of portable storage devices like USB sticks and laptops, go to our guidance on the use of personal storage devices.

Agency Responsibility

  •  I know how I will check the accuracy of the personal information I hold.
  •  Individuals will be able to access, and correct, personal information about themselves as required by the law.
  •  I know how long I will need to keep the personal information for.
  •  I know how I will keep this information securely.


Fair Collection

Whenever you get personal information deliberately, you are 'collecting' it. If you collect personal information, you need to do so fairly. There's nothing that alienates people more than feeling they've been treated unfairly.

And it's not hard to get it right. Here are some tips.

Only collect information you need
Check back to your purpose. Are you only collecting information that you need to carry out that purpose?

[To read the law about this, click through to Privacy Principle 1]

Collect information directly from the person
It's nearly always best to get information directly from the person concerned. Start from that presumption. Then the person will know what information you've got and what you're doing with it - they're far less likely to be surprised or upset.

Sometimes you do need to get information from others. Often, you have to get the consent of the person concerned before you do so (for instance if you're checking job references, or doing a credit check). Occasionally, though, it's impracticable to get the information from the person directly or get their consent. Or it might thwart your purpose if you let them know you're getting information about them.

[To read the law about this, click through to Privacy Principle 2]

Make sure you collect personal information in a way that is lawful, fair and not unreasonably intrusive. For instance, covert surveillance is usually not allowed.

[To read the law about this, click through to Privacy Principle 4]

Tell people about what you are doing

Tell people:

  • that you are collecting their information and for what purpose. They need to know why they should give you their personal information
  • whether you are collecting their information under a particular law (and which one it is)
  • whether you will be disclosing it to anyone else and, if so, who
  • whether the person has a choice about giving you their personal information, and what will happen if they don't give it to you
  • that they can ask to access and correct their personal information, and
  • how to contact you, or any organisation that is holding their information for you.

Think about how and when you're going to tell the person what's happening with their information.

Again, sometimes you don't need to tell the person these things. But usually you should.

[To read the law on this, click through to Privacy Principle 3]

Fair Collection

  •  I know what personal information I need to collect.
  •  I know how I will collect this information.
  •  I know whether I can collect this information directly from the person themselves.
  •  I know what I will tell the person when I collect their information.


Justified Use

Limit new purposes
As a general rule, only use personal information for the purpose for which you collected it. People get upset when you use their information for purposes that they hadn't anticipated. And you risk losing your good name and the trust of your clients. Breaches of privacy can also cost you money.

There are circumstances under which you can use personal information for a new purpose. The most obvious circumstance is where you have the permission of the person you collected the information from.

[To read the law about this, click through to Privacy Principle 10]

Control access to personal information
It's a good idea to limit or control how people within your organisation can use personal information. Make sure they know what they can and can't do. Keep information secure.

Personal information is a useful and valuable commodity. Other people or organisations may want to use the personal information you have collected, rather than collecting it from the individual themselves. You need to be careful about allowing disclosures of information outside your organisation, unless this is the purpose for which you got it, or the person involved has allowed you to do so.

There are some circumstances when you can disclose personal information to another person or organisation even if the person involved does not consent.

[To read the law about this, click through to Privacy Principle 11]

Justified Use

  •  I know how I will use this personal information.
  •  I know how I will limit and audit access to this personal information.


Appropriate Disposal

Once you no longer need the personal information for the reason you collected it, dispose of it securely so that no-one can retrieve it. Check it can't be linked back to an individual.

Think about things like:

  • removing names, addresses and birthdates from documents before you dispose of them
  • using shredders and secure destruction services
  • wiping the hard drives of machines - including photocopiers - before you sell them on or decommission them
  • deleting back-up files as well as originals.

Appropriate Disposal

  •  I know how and when I will destroy the personal information I have collected.



Managing Risk

What are the most significant privacy risks in your business? Privacy risks are likely to fall into one of these key areas. Consider each category and list the risks you can think of:

  • Your purpose.
  • The responsibilities you have when handling personal information.
  • How you will collect personal information fairly.
  • Whether your use of personal information is justifiable.
  • How you will dispose of it appropriately.

Think too about how you can reduce the risk of someone's privacy being compromised.

If you're unsure about your risks, the Privacy Commissioner's enquiries staff may be able to help.

It can be useful to present risks in the form of a table. Update the table periodically.

For example:

Summary of Privacy Risks and Mitigations


| # | Type of Risk | Risk | Mitigation(s) |
|---|--------------|------|---------------|
| 1 | Purpose | Individuals may not know why we are collecting their personal information and what happens to it afterwards | We have an information use statement and privacy notice available on our website, and in print form at our office |
| 2 | Our responsibilities | A disk containing personal files may be lost | All disks are encrypted, and kept in a secure place. Disks cannot be taken |
| 3 | Use of information | Employees may browse through personal files for reasons not connected with their job | Only authorised people have permissions to access personal files. Run an audit programme to identify who has accessed which files at what time and spot any irregular or unusual uses |
| 4 | Disposal of | We are getting new computers and getting rid of the old ones | Once information is transferred to our new computers, the old computer drives will be professionally wiped |

Managing Risk

  •  I have identified the risks of having and using this personal information, and how they can be reduced.

Link to the Privacy Act for the authoritative legislation.