Organisation examples

Large business/corporate

This is a fictional example to help people using Poupou Matatapu understand how to do privacy well.

Fern Leaf is one of Aotearoa New Zealand’s largest retail companies and can trace its roots back over 100 years. It has its head office in Wellington, regional hubs in the major cities and shops in almost every town and city. A lot of its business is conducted online.

Fern Leaf has about 7,000 employees, made up of a mix of shop workers on the ground and back-office workers. It has a Board, and its leadership consists of roles such as CEO, Chief Risk Officer, Chief People Officer, General Counsel, Chief Marketing Officer, and Head of Retail. On average, Fern Leaf handles over 1 million transactions every year.

Fern Leaf collects personal information when dealing with transactions. The specific personal information collected will depend on the nature of the interaction with an individual. For example, some customers have set up an online account where they can see their receipts, receive a special promo for their birthday, and complete customer surveys to allow Fern Leaf to hear from its customers. It also processes transactions without any of this information – for example, customers can just pay at a till and only provide personal information needed to settle that transaction. If a customer sets up an online account, they receive a 20 percent discount on their first order.

Fern Leaf believes in giving back to the community and has a charity arm to its business – Fern Leaf Foundation. It often partners with charities to deliver on key strategic objectives, including getting people into work through graduate programmes and work experience.

Following an internal audit, Fern Leaf Ltd is reviewing its privacy practices. The Board has recently considered several key strategic initiatives, which include ramping up its marketing capabilities to ensure that its products reach individuals who are interested in them, and increasing churn rate.

The nature of the volume of transactions, staff numbers, use of personal information and strategic initiatives means that Fern Leaf has a high privacy risk profile.

Small business – charity

This is a fictional example to help people using Poupou Matatapu understand how to do privacy well.

Reach High is an Auckland-based charity that provides mentoring, counselling, and other support services to at-risk young people and their whānau. It receives referrals from schools, health agencies, or other government agencies, and young people and their whānau can also directly approach Reach High for assistance.

Reach High is a small organisation, with only 15 employees. Their leadership team comprises a chief executive, a director of support services, and a director of fundraising and outreach. A counselling team manager leads three counsellors; a mentoring team manager leads four mentors; and two outreach officers report to the director of fundraising and outreach. There is also an administrator who manages the office and provides administrative support.

Reach High operates out of an office in central Auckland, but many of its counsellors and mentors travel for work and meet with clients at their homes. It also permits its employees to work from home where required. Reach High has a minimal operating budget, relying on government funding and some public donations.

Reach High has around 100 clients on its books at any given time. As part of its counselling and mentoring services, Reach High could collect a broad range of personal and health information about its clients, including contact information, demographic information, information about medical conditions (including mental health conditions), information about drug or alcohol dependency, criminal conviction information, and information about whānau relationships.

Reach High collects personal and health information directly from clients and their whānau, but also indirectly from other organisations that refer clients. In addition, Reach High often needs to share personal and health information about its clients with other organisations, for the purposes of enabling the delivery of wraparound social services. In some cases, Reach High needs to share personal and health information to keep clients safe from harm.

Reach High also collects a small amount of personal information as part of its fundraising activities, including contact information and financial information about prospective and actual donors.

While Reach High is a small organisation with a minimal operating budget, the nature of its work and the type of personal information it collects mean it has a high privacy risk profile.

Start-up – service provider

This is a fictional example to help people using Poupou Matatapu understand how to do privacy well.

SwiftStart NZ is a software as a service (SaaS) company based in Christchurch that aims to provide online solutions for small and medium-sized retail businesses. The company was recently founded by three digital entrepreneurs who saw a gap in the market for affordable and easy-to-use tools for managing various aspects of business operations, such as accounting, marketing, customer service, and project management. SwiftStart NZ's mission is to help businesses grow and succeed by offering them a suite of cloud-based applications that can be accessed from any device and location.

SwiftStart NZ has a small and dynamic team of seven employees, including the three founders who act as the chief executive officer, the chief technology officer, and the chief product officer. The other four employees are two software developers, one marketing and sales manager, and one Operations Manager, who is responsible for any legal and compliance issues. They work collaboratively to create and deliver high-quality and user-friendly SaaS products for their clients.

SwiftStart NZ’s platform is still in its early stages, but they have already secured a dozen pilot clients in New Zealand who are testing and providing feedback. The company hopes to fully launch its services to the wider New Zealand market by the end of the year, and then will look to expand to international clients, particularly in Australia and America.

SwiftStart NZ directly manages personal information of its clients (account holder contact information etc.) and employees (including contracts, contact information and wage records). It is also responsible for a wide range of personal information that it holds on behalf of its clients through its cloud-based applications, including for example contact information, sales records, customer correspondence, marketing preferences, invoices and billing information.

After one of the pilot clients raised concerns about the privacy of their customers’ records, SwiftStart NZ decided to conduct a comprehensive review of its data protection policies and practices to ensure that its products comply with privacy requirements and meet best practice.

SwiftStart NZ believes that the review will enhance its reputation and credibility as a SaaS provider and create more value and satisfaction for its clients and their customers. By demonstrating its commitment to privacy and data protection, SwiftStart NZ hopes to build long-term and loyal relationships with its clients and to attract more potential customers who are looking for reliable and secure online solutions for their businesses.

While SwiftStart NZ has limited budget and resources to dedicate to privacy, its clients expect SwiftStart NZ to appropriately manage privacy risks, and failure to do so may place them in breach of contract with their clients. Given it’s a service provider with large amounts of data that it processes for its clients, and this will increase as the organisation expands, SwiftStart NZ has a medium privacy risk profile.

Small business – non-tech

Green Gardens is a gardening business in Aotearoa New Zealand, offering residential and commercial gardening services in Nelson. They have a website where customers can enquire about their services via their online enquiry form.

Green Gardens is a small organisation, with only six employees. The team is made up of the owner/manager, four gardeners, and an administrator who manages the office and provides administrative support. Green Gardens operates out of the manager’s home office in central Nelson, but five out of its six employees work offsite daily at clients’ homes or businesses.

Green Gardens has around 50 clients on its books at any given time. To provide its services, Green Gardens collects limited personal information from its clients. This includes their name, contact information such as phone and email, and the home or business address where services are to be provided. Green Gardens collects personal information directly from clients via email and over the phone, as well as receiving personal information via their online enquiry form.

Green Gardens also shares personal information about its clients with another local small business, for the purpose of outsourcing their arborist services.

The nature of its work and the type of personal information it collects means that Green Gardens has a low privacy risk profile.

Independent contractor – Jo Jones

Jo Jones is a Registered Dietitian and works as an independent contractor in Aotearoa New Zealand. She offers one-on-one consults to clients, both virtually and in person. In-person consults are done at the client’s home, as Jo Jones doesn’t have an office; she conducts all her business online.

Jo Jones also has contracts with community health service providers, offering in-person services based out of the health service provider’s clinic or office.

Jo Jones has around 10 clients at any given time, including the community health service providers. Jo Jones collects personal information from her clients for the purpose of providing dietitian services; therefore, she has obligations under the Privacy Act. Jo Jones also collects health information from her clients and receives health information about her clients from the community health service providers, so the Health Information Privacy Code (HIPC) also applies.

Given the nature of her work and the potentially sensitive types of personal and health information Jo Jones collects, she has a privacy risk profile of medium-high.

Government agency – The Ministry

The Ministry is a government agency with 350 employees and a few contractors, split across two office locations with some staff who work from home part-time.

It has a Chief Executive who was appointed by the Public Service Commissioner. The Chief Executive is responsible to a relevant Minister for the performance and operation of the agency. The Minister generally is not involved in day-to-day operations of the Ministry.

The Ministry also has a Senior Leadership Team which supports the Chief Executive. It does not have a Board.

The Ministry collects personal information in a variety of ways. It has a call centre which takes enquiries from individuals. It has information about its employees and contractors, including salary, medical and performance-related information.

The Ministry also has empowering legislation in place which allows it to collect and share personal information for certain purposes connected with the delivery of its functions, which includes making some information publicly available on a searchable public register. This legislation and the Ministry predate the Privacy Act and as a result the Ministry holds a lot of information from over the last 50 years. The Ministry also has policy teams which may prepare policy proposals that have privacy impacts.

The Ministry has a small privacy team of 2 Privacy Advisers that report to the Head of Privacy who is also the statutory Privacy Officer. Their team is in the same branch as the risk and legal functions of the organisation, and the Manager reports to a General Manager, Risk and Assurance, who reports to a Deputy Chief Executive.

Given the size of The Ministry and the amount and variety of personal information it collects, it has a medium privacy risk profile.
