A 2024 privacy survey found that 70% of people were likely to consider changing service providers in response to poor privacy and security practices. By Privacy Commissioner, Michael Webster.
There are often legitimate reasons to share personal information, but it’s also an area in which you need to take considerable care.
The recent release of two government reports, the Public Service Commission’s inquiry and the Stats NZ report, shows that the protection of personal information needs to be treated as a priority.
Although focused on the public sector, the reports are reminders to all companies that New Zealanders need to be confident that when they give you their personal information, it is collected, used, and shared as the law outlines it should be.
The Privacy Act is very clear that agencies collecting personal information need to keep it safe and treat it with care. This responsibility extends to the use of third-party service providers, and you need to be confident that personal information is protected wherever it is held and whichever organisation is handling it.
Under the Privacy Act, you also need to have a specified reason for collection. Organisations can generally only use personal information for the purpose it was collected, and there are limits to using personal information for different purposes.
Ask yourself: why is personal information being collected, are people being made aware of this reason, and do you have their permission to use their information?

There are big advantages to making sure you take care of people’s personal information. Not only will it help you follow the requirements of the Privacy Act, but it can also go a long way to making sure your staff, customers and suppliers have faith that your organisation is doing the right thing with their details.
Essentially, it’s about trust. People want to know that the information they’ve given you is protected and is correctly used. Our 2024 Privacy Survey found around two-thirds of New Zealanders are concerned about businesses or government organisations sharing their personal information without telling them.
Privacy concerns drive behaviour. Our survey also showed that 70% of people were likely to consider changing service providers in response to poor privacy and security practice.
To put that simply, if people think you don’t care about their information, then they feel you don’t care about them, so they’re likely to look to move to a competitor who will take more care.
There are some legitimate ways to share information correctly under the Privacy Act. Approved Information Sharing Agreements (AISAs) are formal agreements allowing personal information to be shared between (or within) agencies for the purpose of delivering public services.
Non-government agencies can be involved, but the AISA has to be linked to a public service mandate and must involve a government department as the “lead agency”.
There are also Privacy Codes of Practice which have rules for personal information in specific areas, such as health, telecommunications, and credit reporting.
It’s important you know the rules so that you’re doing the right thing with the personal information you collect and hold – it has value and needs to be treated with respect.
OPC has recently issued guidance on our website to help agencies working with third-party providers. There’s also information about AISAs and e-learning modules to upskill your privacy knowledge.
Michael Webster is New Zealand’s Privacy Commissioner.