Privacy & IPP Mapping (NZ)
We align our workflows with the Privacy Act 2020 Information Privacy Principles (IPPs). Below is a plain-English mapping of what that means in practice.
Trusted, NZ-compliant AI solutions
- Aligned to NZ Privacy Act 2020 and MBIE AI guidance.
- Human-in-the-loop for auditability & clear accountability.
- Versioned and transparent—no black boxes.
| # | Principle | What it means | How NZGPTS applies it | Evidence |
|---|---|---|---|---|
| 1 | Purpose of Collection | We collect only what's needed to deliver the agreed services. | Scoped intake forms; optional data minimisation by default. | Scoped SOW + Audit Questionnaire |
| 2 | Source of Personal Information | We prefer collecting data directly from you unless impracticable. | Client-owned exports; access via secure channels only. | DPA + Secure Transfer SOP |
| 3 | Collection from Subject | People are aware of collection where reasonable. | Client informs staff/customers where needed. | Privacy Notice Template |
| 4 | Manner of Collection | Collection is lawful and fair. | No scraping of private systems without written consent. | SOW + Consent Clause |
| 5 | Storage & Security | Reasonable safeguards against loss/unauthorised access. | Encrypted at rest; least-privilege access; log review. | Security Controls Checklist |
| 6 | Access & Correction | Individuals can access and correct information. | We assist clients to respond to requests quickly. | Access Request SOP |
| 8 | Accuracy | We take reasonable steps to ensure accuracy. | Human-in-the-loop verification on deliverables. | QA Sign-off |
| 9 | Retention | Keep only as long as necessary. | Default: 90-day retention; client override available. | Data Retention Policy |
| 10 | Use of Information | Use only for the purpose collected. | No secondary use without consent. | DPA Purpose Limitation |
| 11 | Disclosure | Disclose only with authority or lawful reason. | Sub-processors listed; changes notified. | Sub-processor Register |
| 12 | Cross-border | Take steps to ensure comparable safeguards. | Model clauses; reputable AI vendors; client approval. | Cross-border Addendum |
| 13 | Unique Identifiers | Avoid creating new identifiers unless necessary. | We don't create new IDs; we use client references. | Data Model Design |
🔒 Your information never leaves New Zealand without explicit consent.
Privacy Documentation
Need Privacy Compliance Support?
Get expert assistance with privacy impact assessments, compliance reviews, and privacy documentation tailored to your New Zealand business.
Book Privacy ConsultationQuestions? Contact us. This page is versioned and updated as regulations evolve.