NZ Privacy Act 2020: What Every Tradie Must Know About Customer Data
Most NZ tradies are across their health and safety obligations, their GST returns, and their LBP licence renewals. But one compliance area that often flies under the radar is privacy law – specifically, the Privacy Act 2020, which applies to every New Zealand business that collects, stores, or uses personal information.
If you keep a client spreadsheet, take photos on the job, store payment details, or have staff, you are subject to the Privacy Act. Getting it wrong can result in complaints to the Privacy Commissioner, enforceable compliance orders, and fines of up to $10,000 for serious breaches.
Here is what NZ tradies need to know in plain language.
What Is the Privacy Act 2020?
The Privacy Act 2020 replaced the 1993 version and came into force on 1 December 2020. It is administered by the Office of the Privacy Commissioner (OPC) and sets out 13 information privacy principles (IPPs) that govern how businesses collect, hold, use, and disclose personal information.
"Personal information" is any information about an identifiable person – a name, address, phone number, email, payment details, health information, or even a photo where someone is recognisable.
For tradies, this covers:
- Customer contact details in your CRM or phone contacts
- Invoices and payment records
- Job site photos that show identifiable people
- Employee records (wages, IRD numbers, performance notes)
- CCTV footage from vehicles or job sites
The 5 Privacy Obligations Most Relevant to Tradies
1. Only Collect What You Actually Need
Under IPP 1, you should only collect personal information that is genuinely necessary for the job. If you only need a name, address, and phone number to do a plumbing repair, you do not need to collect a date of birth or national insurance details.
Practical tip: Audit your quote form and job management app. Remove any fields you are not actually using.
2. Tell Customers Why You Are Collecting Their Data
Under IPP 3, you must tell people what you are collecting their information for and who you might share it with – ideally at the point of collection. For most tradies, a short note on your quote or in your terms of trade is enough.
Something like: "We collect your contact and property details to manage your job, process payment, and comply with our legal obligations. We may share these with our accountant or relevant subcontractors."
If you use a job management tool like Fastcrew (fastcrew.nz) or Tradify, check their privacy policy to ensure your customers' data is stored securely – ideally in New Zealand or Australia.
3. Keep Data Secure
Under IPP 5, you must take reasonable steps to protect personal information from loss, misuse, or unauthorised access. For tradies, this means:
- Password-protecting your job management app and phone
- Not emailing customer spreadsheets without encryption
- Securing old invoices and contracts (paper or digital)
- Wiping old phones before disposing of them
- Using strong, unique passwords for your accounting software
Cloud platforms like Xero or MYOB generally handle security well. The risk is usually your own device or how you share files. See our Xero vs MYOB NZ guide for more on choosing secure accounting software.
4. Give Customers Access to Their Data If They Ask
Under IPP 6, individuals can ask what information you hold about them and request corrections. You have 20 working days to respond. For most tradie businesses, this will be rare – but if a former customer or ex-employee asks, you are legally obliged to respond.
What to do: If you receive an access request, check your job management software, emails, and accounting records and provide a summary. You can charge a reasonable fee if the request is complex.
5. Notify the Privacy Commissioner of Serious Breaches
This is the big new addition of the 2020 Act. Under Section 113, you must notify the Privacy Commissioner if a privacy breach is likely to cause serious harm. You also must notify the affected individuals.
Examples of notifiable breaches for tradies:
- Your phone is stolen and it had unsecured customer records
- You accidentally email a customer's detailed quote to the wrong person
- Your job management app is hacked and customer data is exposed
- An employee shares customer payment details externally
The notification must be made "as soon as reasonably practicable" – in practice, within a few days of discovering the breach. You can notify the OPC at privacy.org.nz.
Penalty: Failing to notify when required is an offence under the Act, with fines up to $10,000.
Job Photos and CCTV: A Grey Area for Tradies
Taking photos on the job is normal practice – for quoting, documenting progress, and protecting yourself if disputes arise. But photos can trigger privacy obligations if they show identifiable people.
General rule:
- Photos of the work itself (a leaky roof, a tiled bathroom) – fine, no privacy issue
- Photos of a client's home interior without consent – grey area, especially if shared publicly
- Photos showing identifiable people without consent – a potential privacy issue
For marketing: If you want to use before/after photos on Instagram or your website, get written consent from the homeowner first. A quick text message agreement is better than nothing.
CCTV on vehicles or tools: If you run dashcam footage or site cameras, you should have a brief notice that recording is in progress. This is particularly relevant if the camera captures workers, customers, or public areas. Refer to the OPC's guidance on workplace surveillance.
Employee Records: Extra Care Required
Employee information is sensitive personal information. Under the Privacy Act, you must:
- Keep payroll records, IRD numbers, and contract details secure
- Only share employee information with authorised parties (e.g., your accountant)
- Retain records for at least seven years as required by IRD
- Delete information you no longer need after the statutory period
Health information about workers – injuries, medical clearances, drug test results – is classified as sensitive information under the Act and must be held with extra care. WorkSafe recommends keeping injury records as part of your health and safety documentation.
For guidance on employee records and PAYE obligations, see our guide to employing staff.
What Happens If You Get a Privacy Complaint?
Complaints go to the Office of the Privacy Commissioner, who will attempt mediation first. If unresolved, the matter can be referred to the Human Rights Review Tribunal, which can award damages of up to $350,000 for serious harm.
In practice, most complaints against small businesses are resolved through mediation. The OPC expects businesses to cooperate in good faith. The most common outcome for first-time breaches is a compliance improvement plan rather than a fine.
Quick Checklist: Privacy Act Compliance for NZ Tradies
Use this checklist to ensure your business is covered:
- [ ] Terms of trade or quote form explains why you collect customer data
- [ ] Job management app and phone are password-protected
- [ ] Customer records are stored securely (not in unsecured spreadsheets)
- [ ] You have a process for handling data access requests
- [ ] Staff know not to share customer information externally
- [ ] Marketing photos have customer consent where people are identifiable
- [ ] Ex-employee records are retained for 7 years then destroyed
- [ ] You know how to notify the Privacy Commissioner if a serious breach occurs
Free Templates to Help You Comply
Download our free NZ tradie templates at tradietools.nz/templates/ – including a privacy notice for quotes, a customer data consent form, and a terms of trade template that covers your Privacy Act obligations.
You can also use our GST calculator and hourly rate calculator while you review your business compliance settings.
Further Resources
- Office of the Privacy Commissioner: privacy.org.nz
- Privacy Act 2020 (full text): legislation.govt.nz
- Workplace surveillance guidance: OPC – Cameras in the Workplace
- IRD record-keeping requirements: ird.govt.nz
NZ Tradie Tools provides free calculators, templates and guides for New Zealand tradies. Visit tradietools.nz.