Privacy guide for suppliers and service providers

Waka Kotahi NZ Transport Agency deals with the personal information of a large number of people and engages with a wide range of people and organisations who may handle personal information on its behalf.

Managing personal information appropriately is important to us and to the people whose personal information we hold. As an organisation who handles personal information on our behalf, we expect that you will also manage personal information appropriately and that if any issues arise (such as unauthorised access to or disclosure of personal information, whether accidental or deliberate), you will work with us to resolve them.

What is personal information?

Personal information is information about an identifiable individual. Any information which tells us something about a specific individual is personal information. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.

Personal information is not limited to information about an individual’s private or family life. This can include information about an individual’s business or work activities. Personal information can range from sensitive and confidential information to information that is publicly available. At Waka Kotahi, we also generally treat motor vehicle registration plate numbers as personal information.

Your obligations under the Privacy Act

All organisations have obligations to comply with the Information Privacy Principles set out in the Privacy Act (the Act). The Act covers the life-cycle of personal information and requires all organisations to have a Privacy Officer to oversee their compliance with the Act and to investigate any privacy complaints they may receive.

What we expect of you as our supplier/service provider

If you’re working with us, you have responsibilities when handling our customers’ information. In particular, unless your contract with us expressly states otherwise, we expect you to:

  • comply at all times with the Act and any other New Zealand laws regulating how personal information is handled
  • not do anything with our customers’ information that would be likely to clause Waka Kotahi to breach any New Zealand privacy laws
  • not use or disclose any personal information that we give to you, or that you collect on our behalf, unless as strictly necessary to deliver your obligations under your contract with us
  • not store or process any of our, or our customers’ personal information outside New Zealand without our express written consent.

We expect you to have the following in place:

  • privacy policies that cover the life-cycle of personal information
  • a privacy incident management process that involves notifying us when you discover a privacy incident, whether that be a privacy breach or near-miss
  • training programmes to ensure that staff who handle personal information are aware of the Information Privacy Principles and privacy policies and processes
  • processes to proactively identify and monitor privacy risks and report on these
  • processes to ensure that personal information is appropriately protected, ie by only giving access to personal information to the staff who need it in the course of their duties. This extends to managing the access rights when staff change roles or cease employment, or when systems change.

Managing and responding to privacy incidents

Privacy incidents can happen through complacency, inadequate security, poor procedures or by accident. Privacy incidents are often simple mistakes that only take a second to make but result in damage that can be serious and long-lasting. Proper incident management is critical, as it can help to minimise the harm to the individuals affected, your organisation, and Waka Kotahi.

What is a privacy incident?

We classify privacy incidents into two types:

  • privacy breaches, and
  • near-misses.

A privacy breach is an incident where personal information is accessed by an unauthorised person, or is collected, used or disclosed without authorisation, for example, where personal information is used or disclosed for a different purpose to that for which it’s been collected, or a person not authorised to see that information accesses it. Failure to store personal information securely is also a privacy breach.

A near-miss is an incident that had the potential to become a privacy breach but was prevented before it could happen.

What you should do if you discover a privacy incident?

If you or any of your staff identify or suspect the existence of a privacy breach or near-miss involving  personal information collected or processed on behalf of Waka Kotahi, you must as soon as practicable, notify your Waka Kotahi contract or relationship manager. Unless otherwise required by law, we will take responsibility for notifying affected individuals and the Privacy Commissioner, but you must provide all reasonable co-operation to assist us in securing or recovering the personal information and conducting an investigation into the cause of the privacy incident. 


The terms of this privacy guide are in addition to those in your contract with us. If there is a conflict between any particular terms in this guide and those in your contract, the terms of your contract will take priority.

More information

The Office of the Privacy Commissioner has comprehensive guidance and training on its website for agencies and organisations that deal with personal information. Some useful links are provided below.

Privacy for agencies – your obligations(external link)

Protecting personal information – the PADLOCK card(external link)

Data safety toolkit(external link)

Online privacy training (free)(external link)

If you would like to talk to someone at Waka Kotahi, please get in touch with your contract or relationship manager.