Privacy & Data Protection Program - NZ Medium Business

NZ$795.00

Comprehensive privacy compliance program for New Zealand medium businesses with 16–100 staff — includes department-level governance, Board reporting, and tiered approval workflows.

✅ Built for NZ medium business use

✅ Privacy Act 2020 and Privacy Amendment Act 2025 aligned

✅ Department Privacy Lead structure and tiered approval matrix

✅ Board report, quarterly SLT dashboard, and advanced training suite

✅ Instant digital download

✅ NZ$795 incl GST

01 — WHAT

What is it?

The Privacy & Data Protection Program — NZ Medium is a comprehensive, governance-grade privacy compliance program designed for New Zealand businesses with 16 to 100 staff. It builds on the Small Business foundation and adds the structures, reporting tools, and management controls that medium-sized organisations need — including department-level Privacy Lead appointments, tiered approval workflows, quarterly Senior Leadership Team dashboards, and annual Board-level reporting.

It provides everything needed to govern personal information at scale across multiple departments, teams, and management layers — in full compliance with the Privacy Act 2020, the Privacy Amendment Act 2025, and current Office of the Privacy Commissioner guidance.


02 — WHO

Who is it for?

  • Business owners, boards, and senior leadership teams overseeing privacy compliance
  • NZ medium businesses (16–100 staff) with multiple departments handling personal information
  • Privacy Officers managing privacy governance across multiple functions
  • Department managers and team leaders responsible for data handling in their area
  • IT and systems staff managing platforms, cloud services, and AI tools that process personal data
  • Contractors and external parties who need structured obligations and sign-off requirements

03 — WHY

Why does it matter?

At medium business scale, personal information flows through multiple departments, systems, and third-party relationships simultaneously. Without structured, department-level governance, compliance gaps multiply — tools are adopted without assessment, collection notices fall out of date across different teams, and when a breach occurs there is no clear chain of accountability across the organisation.

Relevant legislation includes:

  • Privacy Act 2020 — 13 Information Privacy Principles (IPPs 1–13)
  • Privacy Amendment Act 2025 — IPP 3A (effective 1 May 2026)
  • Biometric Processing Privacy Code 2025 — for automated biometric systems
  • Human Rights Act 1993 — data practices must not discriminate on protected grounds
  • Harmful Digital Communications Act 2015 — restrictions on harmful disclosure

Without a structured medium-business privacy program, organisations risk:

  • IPP 3A non-compliance across multiple departments from 1 May 2026
  • Unassessed AI tools and cloud platforms processing personal information without governance
  • Privacy breaches not identified or escalated promptly across a multi-team organisation
  • Board-level accountability gaps when a breach requires external notification
  • Staff and contractor privacy obligations not consistently documented or enforced

04 — WHEN

When do you need it?

  • When the business has grown beyond a single Privacy Officer being able to manage all data flows personally
  • When departments are independently adopting new systems, AI tools, or third-party services
  • Before the 1 May 2026 IPP 3A deadline — particularly important at medium scale where indirect data collection spans multiple functions
  • When the Board needs structured annual privacy reporting and attestation
  • When contractors and external parties need formal, documented privacy obligations
  • When the organisation needs a tiered approval framework for new data activities

05 — WHERE

Where does it apply?

  • All departments and functions handling personal information
  • Department-level data collection, storage, use, and disclosure
  • Cross-departmental privacy risk assessment and approval workflows
  • Senior Leadership Team and Board governance and reporting
  • AI tools, cloud platforms, and third-party services across all departments
  • Staff and contractor training and acknowledgement
  • Privacy breach identification, escalation, and response across a multi-team organisation

06 — HOW

How does it work?

  • Appoint a Privacy Officer and one Department Privacy Lead per function
  • Map personal information across all departments using the master Privacy Register
  • Obtain Board or Senior Leadership Team approval for the Privacy & Data Protection Policy
  • Activate the tiered approval workflow for all new data activities
  • Train all staff, managers, Privacy Leads, IT teams, and contractors in their role-specific obligations
  • Run monthly department sign-off checks and quarterly SLT dashboards
  • Present the annual Board Privacy Report with Privacy Officer attestation
  • Review the full program annually and update for legislative changes

07 — INCLUDED

What is included?

  • 1.0 Product Document Index
  • 1.1 Welcome Pack
  • 1.2 Quick Start Guide
  • 1.3 60-Day Implementation Roadmap
  • 1.4 Programme Navigation Guide

  • 2.1 Executive Summary
  • 2.2 Board Privacy Report Template

  • 3.1 Privacy & Data Protection Policy
  • 3.2 Privacy Acceptable Use Policy
  • 3.3 Privacy Data Handling Procedure
  • 3.4 Privacy Risk Management Policy
  • 3.5 Privacy Breach Response Policy
  • 3.6 Privacy Approval Workflow Policy
  • 3.7 Privacy Document Review & Update Policy

  • 4.1 Privacy Breach Response Procedure
  • 4.2 Third-Party Data Sharing Procedure
  • 4.3 Privacy Impact Assessment Procedure
  • 4.4 Individual Access & Correction Procedure

  • 5.1 Privacy Impact Assessment Template
  • 5.2 Staff Privacy Acknowledgement Form
  • 5.3 Individual Access Request Form
  • 5.4 Privacy Approval Request Form
  • 5.5 Contractor Privacy Obligations Form

  • 6.1 Privacy Register
  • 6.2 Privacy Breach Register
  • 6.3 Privacy Action Plan Register
  • 6.4 Training Register
  • 6.5 Third-Party Register
  • 6.6 Version Control Register
  • 6.7 Legislative Update Log

  • 7.1 Privacy Monthly Review Checklist
  • 7.2 Third-Party Assessment Checklist
  • 7.3 Annual Privacy Review Guide
  • 7.4 Privacy Dashboard Reporting Guide

  • 8.1 Staff Privacy Training Guide
  • 8.2 Manager Privacy Training Guide
  • 8.3 Privacy Lead Training Guide
  • 8.4 IT Systems Privacy Addendum