CRM and the NZ Privacy Act 2020

John Eccles, 18 October 2020

The new Privacy Act 2020, which replaces the Privacy Act 1993, will come into force on 1 December 2020. Virtually all organisations in New Zealand are covered by this Act, and it applies to the information in your CRM system.


Now is a good time to review the information your organisation collects about staff, customers and other stakeholders, how it’s stored and the security of the information. I will highlight the key principles that apply to your CRM system and the actions you may need to take.

Only collect and retain information you need

If you have, or are thinking about collecting, personal information, you should consider why you need it. Even the Privacy Act 1993 requires that you only collect personal information that is necessary for a lawful purpose connected with your functions or activities such as delivering a product or service or finding the right person to employ. In any case, you would do well to eliminate unnecessary information which costs time and effort to keep up to date and manage.

Furthermore, personal information must not be kept for longer than is required for the purposes for which it was gathered. In effect, this means you will need regular purges of your CRM database.

The new Act goes further and states that “If the lawful purpose for which personal information about an individual is collected does not require the collection of an individual’s identifying information, the agency may not require the individual’s identifying information.” So, for example, if an anonymous survey is sufficient, you should not collect the contact details with the survey results.

Examine how personal information is collected

Generally, you should collect information directly from the person it’s about. That way you can inform the person what information you have and what you're doing with it. There are exceptions including when:

- You have the consent of the person the information is about

- Getting it from the person concerned would undermine the purpose of the collection (such as getting a job reference)

- You are a public sector body and that information is necessary to uphold or enforce the law

- The information is publicly available.

This means buying (or renting) mailing lists might get you into trouble. It is only OK if the information is available from publicly available sources or when the individuals have been advised up-front and consented to the information being sold or shared.

When collecting information directly from individuals, you need to make them aware that their personal information is being collected, who is collecting it, how it will be used, who is going to use it, who will hold or store it, and how it can be accessed or corrected by the individual concerned. (There are some exceptions where non-compliance with this general rule is permitted – check out section 22 of the Act for details.)

This doesn’t have to be a barrier. You just need a privacy statement and a way for individuals to assent. A simple privacy box on every information-gathering vehicle (website, order forms, competitions, coupons etc.) is the most professional method.

Here is a sample Privacy Statement:

Your Privacy: Magnetism collects your details to keep you informed about CRM matters including new developments, training and current issues. Your details are stored securely in our Dynamics 365 CRM system and can only be accessed and used by Magnetism staff. You are welcome to contact us at any time to access and update your personal information or to opt out of receiving further communications from us – just email

Provide access to personal information and a means for it to be corrected

An individual is entitled to receive from you upon request:

a) Confirmation of whether you hold any personal information about them; and

b) Access to their personal information.

Further, they are entitled to request that you change the information. If they do, you must either correct it or attach a ‘statement of correction’ to the record in such a manner that it will always be read with the information. (Details are in section 22 of the Act.)

So you need:

1. A procedure (perhaps a business flow in your CRM system) to process requests about personal information. Be sure to incorporate checks to ensure that information requests are bona fide.

2. A procedure to process requests for changes to personal information.

3. (possibly) Configuration of your CRM system to attach statements of correction to disputed information.

Clearly the entitlement to access personal information means you need to take care about what information you collect. You should assume that the individual will be able to see it. Don’t even think about deleting requested information – under the new Act, it will now be a criminal offence to destroy personal information, knowing that a request has been made to access it.
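The regular purge recommended earlier has to respect this rule: a record whose retention period has expired must still be held while an access request for it is open. The sketch below is an added example, not part of the original article or of any CRM product; the retention periods, field names and sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods per collection purpose (hypothetical values;
# your organisation sets these, they are not taken from the Act).
RETENTION = {
    "newsletter": timedelta(days=730),
    "job_application": timedelta(days=180),
}

@dataclass
class Contact:
    contact_id: str
    purpose: str        # why the information was collected
    last_needed: date   # last date it was needed for that purpose

def plan_purge(contacts, open_access_requests, today):
    """Sort contact ids into purge / hold / keep / review buckets."""
    plan = {"purge": [], "hold": [], "keep": [], "review": []}
    for c in contacts:
        period = RETENTION.get(c.purpose)
        if period is None:
            # No documented purpose or period: a person decides, not the job.
            plan["review"].append(c.contact_id)
        elif today - c.last_needed <= period:
            plan["keep"].append(c.contact_id)
        elif c.contact_id in open_access_requests:
            # Expired, but an access request is pending: never delete
            # until the request has been answered.
            plan["hold"].append(c.contact_id)
        else:
            plan["purge"].append(c.contact_id)
    return plan

# Constructed sample data, for illustration only.
SAMPLE_TODAY = date(2021, 6, 1)
SAMPLE_CONTACTS = [
    Contact("C1", "newsletter", date(2018, 1, 10)),
    Contact("C2", "job_application", date(2020, 9, 1)),
    Contact("C3", "newsletter", date(2020, 12, 1)),
    Contact("C4", "competition", date(2019, 3, 5)),
]
SAMPLE_OPEN_REQUESTS = {"C2"}  # ids with an unanswered access request

if __name__ == "__main__":
    for bucket, ids in plan_purge(SAMPLE_CONTACTS, SAMPLE_OPEN_REQUESTS,
                                  SAMPLE_TODAY).items():
        print(f"{bucket}: {ids}")
```

Run the plan as a report first and have the Privacy Officer sign off on the purge and review lists before anything is deleted.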

Dealing with privacy breaches

The Act requires every organisation holding personal information to appoint a Privacy Officer who will be responsible for compliance with the Privacy Principles within the organisation. If you have a customer database you are required to have a Privacy Officer.

The Act requires that you store personal data securely against loss, misuse or unauthorised access. With a secure CRM system like Microsoft Dynamics 365, security of the information while stored within the system is well taken care of. But this does NOT mean the information is secure. You will need to implement robust policies and procedures to ensure that information is only accessed by authorised people for authorised purposes.

Start with common-sense security precautions:

- Train users to keep personal information confidential – in particular to take care when emailing or sending personal information. (Sending an email to the wrong person is a common mistake.)

- Train users to identify and avoid phishing emails.

- Eliminate or minimise personal information on mobile devices and train users not to use open WiFi access points with devices containing sensitive information.

- When an employee is leaving, ensure that access to the system is terminated – and take extra precautions if the departure is not amicable.

- Eliminate written login credentials on or around workstations.

- Encrypt data on laptops. (We use BitLocker.)

- Ban unauthorised software on workstations. (One study found that one-third of corporate data loss incidents were caused by unauthorised programs installed by employees.)

- Administer role-based security in your system so staff can only access the information they need to access.

Consider a professional security audit. It will cost you, but the cost of a data breach may be a lot higher.

If your security precautions fail and you do have a data breach, you will need to contain it, assess the risks involved and do damage control.

When assessing the risks associated with a breach, consider the personal information involved, the extent of the breach (how many people) and the potential harm resulting from the breach including identity theft, financial loss, loss of business or employment opportunities and significant humiliation or loss of dignity.

Damage control may include notification of people you know to be affected. Notifying them promptly means they may be able to take steps to protect themselves and regain control of their information.

From 01 December 2020, you may have to notify the Office of the Privacy Commissioner as soon as possible. A notifiable breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals – or is likely to do so. It is an offence to fail to notify of a notifiable privacy breach.