03 377 4421

Privacy Policy

    1. Our collection of personal information is subject to the New Zealand Privacy Act 2020 (Act).
    2. This privacy policy forms part of our terms of business with clients and sets out how we collect, use, disclose and protect personal information in accordance with our obligations under the Act.
    3. In this policy ‘personal information’ means information relating to an individual which can be used to identify that individual.


2.1 We may not be able to properly advise clients or offer our services if we are not provided with necessary personal information when requested to do so. By the client engaging us and providing us with their personal information it will be deemed that they have given express consent for us to use and store that information for the purpose it has been collected.

2.2 If you give need to give personal information about the client, to a third party, please ensure you have their consent to do so first.

    1. The type of personal information we collect and store, includes but is not limited to:
      • Name
      • Postal address
      • Physical address
      • Phone number
      • Email address
      • Date of birth
      • Work information (such as job title, company and location)
      • Billing information (such as address for service and bank account details)
      •  IRD number
      • Copies of your identification (such as passport, birth certificate, or driver licence)
      • Financial information

    1. We collect and use information as part of our everyday part of doing business.  You must:
  • Keep that information safe and secure
  • Only ask for details you need for business purposes.
  • Only use personal information, after taking reasonable steps to make sure it is accurate and up to date.
  • Respect a client’s right to view and edit their information.
  • Get permission before passing on any information to another organisation or business.
  • Tell people what the information is for and why you are collecting it.
  • Tell people if you need to send personal information overseas.
  • Make sure that the information gathered from any source is accurate, up to date and not misleading.

5.1 We may use personal information for, but not limited to, the following reasons:

  • To verify identity
  • To provide our services to the client
  • To communicate with the client (including for marketing purposes) and respond to communications from them.
  • To improve the services, we provide and to undertake credit checks when required.
  • To bill and to collect money owed.
  • To protect and/or enforce our legal rights and interests, including defending any claim and/or registering your name for credit reporting purposes
  •  For any other purposes authorised by the client or the Act
  • To provide marketing materials and our newsletter where consented. Revocation of consent to receiving these materials at any time must be followed.


6.1 In certain circumstances we may disclose personal information to third parties where our services or functions are being outsourced. In that situation, the third party must comply with this policy or have their own privacy policy that has the same or greater protections in relation to your personal information.

6.2 We may disclose personal information to any person or entity authorised by law to request such information from us (such as government authority or law enforcement agency).

6.3 We may disclose your personal information to any person or entity that you authorise.

6.4 While maintaining client confidentiality and legal privilege to the extent allowed by law, we may at times, without reference to the client, be required to make certain disclosures to the New Zealand Police Financial Intelligence Unit under the Anti -Money Laundering and Countering Financing of Terrorism Act 2009 or other legislation.

6.5 At NO TIME should any client information be passed on without the prior consent by the client.  ALSO at no time should any staff information be passed on with the prior consent of that individual.


7.1 We need to take all reasonable steps to keep personal information safe from loss, unauthorised activity or other misuse. These steps include:

  • Adopting and regularly reviewing the performance and terms of our internal data security policies and systems to ensure that they are fit for purpose and protect personal information from unlawful processing, accidental loss, destruction and damage.
  • Adopting technologies for our internal use that meet the standards required by the Act.
  • Verifying the suitability of security systems in place with third parties that we work with to ensure that they meet the standards required by the Act.
  1. In some cases, the personal information that we collect may be processed outside of New Zealand. When this is the case, third parties that process the information are also obliged to comply with the Act when dealing with the personal information. We must make all reasonable endeavours to ensure that all entities that we work with outside of New Zealand offer satisfactory protection regarding that personal information.
  2. We have taken steps to ensure that our website is secure. We use the secure HTTPS data transfer protocol ‘for the transmission of data and our site holds an SSL certificate from a trusted organisation Despite this, the internet is not in itself a secure environment, and we cannot give an absolute assurance that information will be secure at all times. Transmission of personal information over the internet is at the client’s own risk and you should advise that they only enter, or instruct the entering of, personal information within a secure environment.
  3. Personal information will be kept in electronic or hard copy, or both.
  4. Electronic copies of personal information we collect, and hold will be stored in our computer system on our hosted servers located in a secure cloud storage facility and is backed up daily.
  5. Hard copies of the personal information we collect, and hold will be stored at our premises or at the Iron Mountain storage facility in Christchurch.


There will have been a privacy breach if there is:

8.1 an authorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information held by this firm; or

8.2 an action that prevents the firm from accessing the information on a temporary or permanent basis.

8..3 At the first reasonable opportunity upon discovering or being advised of any security breach in which personal information is lost, stolen, accessed, used, disclosed, copied, modified or disposed of by any unauthorised person or in any unauthorised manner MUST be reported.

8.2 Should such a breach occur we are committed to taking all reasonable steps to remediate the issue that gave rise to the security breach to prevent further loss and subsequent security breaches.

8.3 If the event is deemed to be notifiable, we will be required to report the breach to the Privacy Commissioner. A privacy breach is deemed notifiable if it is reasonable to believe that the breach has caused serious harm to an affected individual or is likely to do so.  To assess whether a privacy breach is likely to cause serious harm, the following must be considered:

  • Any action taken to reduce the risk of harm following the breach
  • Whether the information is of a sensitive nature
  • The nature of harm that may be caused to the affected individuals;
  • The person or body that has obtained or may obtain personal information as a result of the breach (if known)
  • Whether the personal information is protected by a security measure; and
  • Any other relevant matters.

8.4 As soon as practicable, any notifiable data breach must be notified to the Privacy Commissioner and any affected individuals.  The notification must include:

  • A description of the breach including the number of individuals affected (if known) and the identity of any person the firm suspects may be in possession of person information because of the breach;
  • An explanation of the steps the firm has taken or is going to take in response of the breach, including whether the affected individual has been contacted;
  • The names or general description of any other persons or entity contacted with respect to the breach and the reasons for doing so.
  • That information is to be provided to the Practice Manager.
  • Failure to meet the above may result in a fine of up to $10,000.


11.1 We reserve the right to change this policy at any time by providing a revised copy of the policy.

Kannangara Thomson, Barristers & Solicitors 2021