Privacy & IPP Mapping (NZ)
We align our workflows with the Privacy Act 2020 Information Privacy Principles (IPPs). Below is a plain-English mapping of what that means in practice.
Trusted, NZ-compliant AI solutions
- Aligned to NZ Privacy Act 2020 and MBIE AI guidance.
- Human-in-the-loop for auditability & clear accountability.
- Versioned and transparent—no black boxes.
| # | Principle | What it means | How NZGPTS applies it | Evidence |
|---|---|---|---|---|
| 1 | Purpose of Collection | We collect only what's needed to deliver the agreed services. | Scoped intake forms; optional data minimisation by default. | Scoped SOW + Audit Questionnaire |
| 2 | Source of Personal Information | We prefer collecting data directly from you unless impracticable. | Client-owned exports; access via secure channels only. | DPA + Secure Transfer SOP |
| 3 | Collection from Subject | People are aware of collection where reasonable. | Client informs staff/customers where needed. | Privacy Notice Template |
| 4 | Manner of Collection | Collection is lawful and fair. | No scraping of private systems without written consent. | SOW + Consent Clause |
| 5 | Storage & Security | Reasonable safeguards against loss/unauthorised access. | Encrypted at rest; least-privilege access; log review. | Security Controls Checklist |
| 6 | Access & Correction | Individuals can access and correct information. | We assist clients to respond to requests quickly. | Access Request SOP |
| 8 | Accuracy | We take reasonable steps to ensure accuracy. | Human-in-the-loop verification on deliverables. | QA Sign-off |
| 9 | Retention | Keep only as long as necessary. | Default: 90-day retention; client override available. | Data Retention Policy |
| 10 | Use of Information | Use only for the purpose collected. | No secondary use without consent. | DPA Purpose Limitation |
| 11 | Disclosure | Disclose only with authority or lawful reason. | Sub-processors listed; changes notified. | Sub-processor Register |
| 12 | Cross-border | Take steps to ensure comparable safeguards. | Model clauses; reputable AI vendors; client approval. | Cross-border Addendum |
| 13 | Unique Identifiers | Avoid creating new identifiers unless necessary. | We don't create new IDs; we use client references. | Data Model Design |
🔒 Your information never leaves New Zealand without explicit consent.
Privacy Documentation
Questions? Contact us. This page is versioned and updated as regulations evolve.