Legal Updates

The Importance of Understanding your Privacy Obligations as a Business Owner and Employer

If you are a business owner of any size, it is more than likely you hold private information on file. This private information may relate to client and customer details or be held on staff files. This article serves as a friendly reminder for all business owners to ensure they are complying with the Privacy Act 2020 (“the Privacy Act”) and minimising any risk of a privacy breach.

The Privacy Act governs how businesses can collect, store, use and disclose private information. By taking the necessary steps to protect personal and private information and being aware of privacy obligations, business owners can avoid costly consequences resulting from privacy breaches.

We have set out some key considerations below for business owners to ensure they are upholding their privacy obligations.


Familiarise yourself with the Privacy Act Principles


The Privacy Act has 13 information privacy principles that govern how businesses and organisations should collect, handle and use private information. Some of the privacy principles may apply more to you than others. Nevertheless, if you are a business owner or employer, you need to be familiar with them all.

If any of the principles are breached, even accidentally, there may be grounds for a client or employee to lay a complaint under the Privacy Act. If private information is incorrectly disclosed, and has caused or is likely to cause anyone serious harm, then you must notify the Privacy Commissioner and any affected people as soon as you are practically able. It is expected that a breach notification is made to the Privacy Commissioner within 72 hours after an organisation is made aware of a privacy breach.


Assign a Privacy Officer


Every organisation, regardless of its size, must appoint someone to be its privacy officer. The officer’s main responsibilities include:

  • Ensuring the organisation complies with the Privacy Act;
  • Dealing with requests made to the organisation about individuals’ information; and
  • Working with the Privacy Commissioner when the Commissioner investigates complaints in relation to the organisation.

The privacy officer’s role is generally assigned to a current employee, so there is no need to go out and hire one. Having a privacy officer helps a business to identify and resolve any privacy complaints in a quick and thorough manner without incurring unnecessary expenses.


Have a Workplace Privacy Policy


Privacy breaches don’t only occur when businesses are hacked (although you should most definitely take steps to prevent this). Engaging proactively with privacy risks so that employees are aware of these issues is key to preventing privacy breaches.

Privacy Act breaches often occur when staff aren’t aware of what information can and can’t be disclosed to third parties. We consider the best way to educate staff regarding their privacy obligations is by having an accessible and regularly updated privacy policy.

By taking steps to ensure your staff know how to keep all private information safe and secure, and to only ask for personal details where necessary for business purposes, you will significantly reduce your organisation’s risk of a privacy breach.

If a privacy breach occurs at your business or organisation and you unintentionally lose or release someone’s personal information, staff need to know how to act fast to manage the breach and, if necessary, notify the affected person and the Privacy Commissioner. A policy can help staff respond quickly and prevent breaches from happening in the first place.


It is important to note that privacy compliance is a collective responsibility that involves every member of a business, not just the business owner or assigned privacy officer. Careless handling of private information or breaching the Privacy Act can be incredibly costly for businesses in a number of ways, including but not limited to fines and reputational damage.

If you need expert advice on privacy policies or guidance navigating the Privacy Act, get in touch with Jaesen or Caylee.



The information on this webpage provides you with general information that is true and accurate to the best of Ford Sumner’s knowledge.

Ford Sumner may change, delete, add to, or otherwise amend the information contained on this webpage without notice.

Information on this webpage is not business, tax, or legal advice. You should take specific, professional advice before taking any action based on this information.

While Ford Sumner has taken all reasonable care in placing the correct information on this webpage, it cannot be liable for any inaccuracy, error, omission, or any other kind of inadequacy, deficiency, or flaw in, or in relation to the information contained on this webpage. Ford Sumner fully excludes any and all liability of any kind to any person or entity that chooses to rely upon the information.