Privacy Act 2020
The Privacy Act 2020 governs how organisations collect, store, use, and disclose personal information about identifiable individuals. For the data you hold in SteadyOn it matters in two main contexts:
- Incident data — when you record information about an injured person, a witness, or an incident reporter
- Health and wellbeing data — when you handle medical information about workers as part of injury management or return-to-work
The Privacy Act 2020 replaced the Privacy Act 1993 on 1 December 2020. It strengthened the Privacy Commissioner's enforcement powers (including the power to issue compliance notices), made notification of serious privacy breaches mandatory, and updated the Information Privacy Principles (IPPs), which now number 13; the new IPP 12 governs disclosure of personal information outside New Zealand.
This page is not legal advice. For specific compliance questions, consult a qualified privacy or legal advisor.
When the Privacy Act applies to your SteadyOn data
Not everything in SteadyOn involves personal information. Hazard records (a wet floor in a warehouse) and inspection records (a checklist of fire extinguisher locations) typically don't, although they become personal information as soon as they name the person who reported the hazard or who is responsible for fixing it. The Privacy Act becomes relevant when:
| Scenario | Why Privacy Act applies |
|---|---|
| Recording the name of an injured worker in an incident report | Personal information about an identifiable individual |
| Recording the nature of an injury (e.g. broken arm, mental health crisis) | Health information, which is highly sensitive and needs extra care |
| Recording witness names and statements | Personal information about a third party |
| Public incident reports that include names or contact details | Personal information collected from non-employees |
| Investigation notes that identify individuals | Personal information held by the PCBU |
| Training records linked to named workers | Personal information about employees |
The key Privacy Act obligations
Collect only what you need (IPP 1)
Collect only the personal information that is necessary for a lawful purpose connected with your functions; here, that purpose is managing the health and safety incident and meeting your obligations under HSWA.
Practical guidance: In an incident report, you need enough information to understand what happened, investigate root causes, and take corrective action. You do not need to collect information about an injured person’s personal life, medical history unrelated to the incident, or anything else that is not relevant to the safety event.
Collect directly from the person where possible (IPP 2)
Where practicable, collect personal information about an individual directly from that person, not from third parties.
Practical guidance: Where you are recording information about an injured worker, try to involve them in the incident report. SteadyOn allows any user to submit an incident report — workers can report their own incidents rather than having a manager record information about them second-hand.
Tell people what you’re collecting and why (IPP 3)
At or before the time you collect personal information, tell the person: who you are, why you're collecting it, what it will be used for, who else will see it, and that they can ask to see and correct it.
Practical guidance: If your organisation collects information from injured workers or public reporters, have a brief privacy statement explaining that the information is collected for health and safety purposes under HSWA, will be held by your organisation, and may be shared with WorkSafe if required. Consider adding this to your public incident reporting link.
Store information securely (IPP 5)
Take reasonable steps to protect personal information from loss, misuse, and unauthorised access, disclosure or modification. What counts as "reasonable" scales with the sensitivity of the information, so injury and health details warrant tighter controls than a hazard register.
SteadyOn's role: SteadyOn stores all data on cloud infrastructure covered by a SOC 2 attestation. That attestation covers the provider's platform controls; it does not cover how you configure users and roles in your own account. Access within SteadyOn is controlled by user roles: Members can report incidents but cannot view other users' records beyond what their role permits, and only Admins and Owners can access the full incident register and investigation notes. A provider that stores information on your behalf is your agent under the Act, so you remain the agency responsible for that information under IPP 5 even where the infrastructure sits offshore.
Your role: Keep your SteadyOn account properly secured. Use strong, unique credentials, remove access promptly for staff who have left, and review user roles regularly, paying particular attention to who holds Admin and Owner roles, since those roles can see everything.
Don’t keep it longer than necessary (IPP 9)
Don't keep personal information longer than is necessary for the purposes for which it may lawfully be used.
How HSWA and the Privacy Act fit together: HSWA requires you to keep health and safety records to demonstrate compliance, and records of notifiable events must be kept for at least 5 years; some regulations require far longer retention for health monitoring and exposure records. WorkSafe guidance and common practice treat at least 7 years (longer for serious incidents) as a general rule. There is no real conflict with IPP 9: a legal record-keeping obligation is a lawful purpose, so the retention period defines how long the information is "necessary". Once the retention period has passed, review records containing personal information and delete them, or de-identify them so the safety lessons survive without the names.
Mandatory breach notification
A privacy breach is any unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information, and also any action that stops you accessing the information (a ransomware lockout counts). If a breach has caused, or is likely to cause, serious harm to an affected individual, you must notify the Privacy Commissioner as soon as practicable after becoming aware of it, and notify the affected individuals (with limited exceptions, for example where notification would endanger someone's safety). Failing to notify the Commissioner without reasonable excuse is an offence. The Commissioner's online NotifyUs tool walks you through the seriousness assessment and the notification.
In SteadyOn, a breach could occur if incident records containing personal or health information were accessed by an unauthorised person (for example through a departed employee's still-active login), or if an exported report were mistakenly emailed or shared outside the organisation.
Reducing the risk: Conduct regular user access reviews in SteadyOn and remove users who are no longer part of the organisation promptly. Be cautious when exporting or sharing reports that contain personally identifiable information. Decide in advance who in your organisation assesses whether a breach is serious and who makes the notification, so the "as soon as practicable" clock is not spent working that out.
Health information — extra care required
The Privacy Act does not create a formal "special category" of data, but health information is among the most sensitive information an organisation holds, and the Privacy Commissioner expects the care taken (including what counts as reasonable security under IPP 5) to match that sensitivity. Health agencies are subject to the separate Health Information Privacy Code 2020; most employers are not health agencies, but the same sensitivity applies to the injury and medical details you record. This includes:
- The nature of a worker’s injury (e.g. specific diagnosis, body part affected)
- Medical treatment received
- Mental health information
- Return-to-work restrictions or medical certifications
Practical guidance for SteadyOn:
- Record only what is necessary for the H&S purpose (e.g. “worker sustained a soft tissue injury to the lower back” is sufficient for most safety purposes; a full medical diagnosis is not)
- Limit access to detailed injury information to those who need it (use SteadyOn roles to control who can view incident details)
- Do not include sensitive health information in exported reports that will be shared broadly; strip the injury detail fields or aggregate them (counts by injury type and body region) before a report leaves the small group that needs the detail
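As an added illustration (this is not SteadyOn's code or export format; the record fields, field names and sample data are constructed for this page), the following Python sketches how a report for broad distribution can be derived from a full incident record: an allow-list of safe fields so that diagnosis, treatment and witness statements are dropped by default, keyed pseudonyms in place of names so recurring involvement can still be tracked, and a check that a name has not leaked into the free-text summary.

```python
"""Allow-list export sanitiser for incident records.

Illustrative example only: the record shape, field names and sample data are
constructed for this page and are not SteadyOn's actual data model or export.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Fields that are safe in a broadly shared report. Everything not listed is
# dropped, so a sensitive field added to the record later is excluded by default.
SAFE_FIELDS = frozenset({
    "incident_id", "date", "site", "incident_type", "body_region",
    "summary", "corrective_actions", "status",
})

# Fields holding people's names. They are replaced with a keyed pseudonym so
# patterns (the same person hurt twice) remain visible without exposing identity.
PERSON_FIELDS = frozenset({"injured_person", "reporter", "witnesses"})

# Fields that must never leave the restricted group. Listed here only so the
# test can confirm the allow-list excludes them; the allow-list does the work.
RESTRICTED_FIELDS = frozenset({"diagnosis", "treatment", "medical_certificate", "witness_statements"})

FREE_TEXT_FIELDS = ("summary", "corrective_actions")


def pseudonym(name: str, key: bytes) -> str:
    """Stable, keyed pseudonym for a name.

    HMAC rather than a bare hash: a staff roster is small, so an unkeyed hash
    could be reversed by hashing every name on it. Keep `key` secret and
    per-organisation, like any other credential.
    """
    digest = hmac.new(key, name.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "P-" + digest[:10]


def names_in_record(record: dict) -> list[str]:
    names: list[str] = []
    for field in PERSON_FIELDS:
        value = record.get(field)
        if isinstance(value, list):
            names.extend(value)
        elif isinstance(value, str):
            names.append(value)
    return names


def free_text_leaks(record: dict) -> dict[str, list[str]]:
    """Names from structured person fields that also appear inside free text.

    Redacting the structured field is pointless if the summary still says who was hurt.
    """
    leaks: dict[str, list[str]] = {}
    for field in FREE_TEXT_FIELDS:
        text = record.get(field, "")
        hits = [n for n in names_in_record(record)
                if re.search(r"\b" + re.escape(n) + r"\b", text, re.IGNORECASE)]
        if hits:
            leaks[field] = hits
    return leaks


def sanitise_for_broad_sharing(record: dict, key: bytes) -> dict:
    """Project the record onto SAFE_FIELDS, pseudonymise person fields, scrub free text."""
    out = {k: record[k] for k in SAFE_FIELDS if k in record}
    for field in PERSON_FIELDS & record.keys():
        value = record[field]
        out[field] = ([pseudonym(n, key) for n in value] if isinstance(value, list)
                      else pseudonym(value, key))
    # Replace any name that leaked into free text with the same pseudonym used above.
    for field, names in free_text_leaks(record).items():
        text = out[field]
        for n in names:
            text = re.sub(r"\b" + re.escape(n) + r"\b", pseudonym(n, key), text, flags=re.IGNORECASE)
        out[field] = text
    return out


# Constructed sample record for the example; not real people or events.
SAMPLE_RECORD = {
    "incident_id": "INC-0042",
    "date": "2024-03-11",
    "site": "Hamilton warehouse",
    "incident_type": "manual handling injury",
    "body_region": "lower back",
    "injured_person": "Jane Example",
    "reporter": "Sam Sample",
    "witnesses": ["Kiri Witness"],
    "diagnosis": "L4/L5 disc protrusion",
    "treatment": "GP visit, physiotherapy referral",
    "medical_certificate": "Unfit for lifting over 10 kg for 3 weeks",
    "witness_statements": ["Saw Jane lift the crate alone."],
    "summary": "Jane Example lifted a 25 kg crate alone and felt immediate lower back pain.",
    "corrective_actions": "Two-person lift rule for crates over 15 kg; trolley purchased.",
    "status": "closed",
}

if __name__ == "__main__":
    key = b"per-organisation secret, stored like any other key"
    print(free_text_leaks(SAMPLE_RECORD))
    print(sanitise_for_broad_sharing(SAMPLE_RECORD, key))
```

The allow-list is the important design choice: a deny-list of "sensitive" fields silently fails the first time a new field such as a return-to-work plan is added to the record, whereas an allow-list has to be deliberately widened. The pseudonym key needs the same protection as a password; whoever holds it can map pseudonyms back to the roster.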
Public incident reporting and privacy
The public incident reporting link allows anyone to report an incident without a SteadyOn account. People who use this link may provide personal information (their name, contact details, details of what happened to them or others), and because they are not your workers, they have had no other chance to learn how you handle it.
Obligations:
- Display a privacy notice on the public report form itself where possible (IPP 3 requires notice at or before collection, so a notice in your public-facing H&S policy is a weaker fallback), explaining how reports are handled
- Use the information only for the purpose of managing the safety event
- Do not share the reporter’s personal details more widely than necessary
Summary: Privacy Act and SteadyOn
| Obligation | How to meet it |
|---|---|
| Collect only what is necessary | Limit incident descriptions to H&S-relevant information |
| Tell people you’re collecting | Include privacy notice in public incident reporting |
| Secure the data | Use SteadyOn roles to restrict access; remove departed users |
| Don’t over-share | Be selective with exported reports containing personal data |
| Retain appropriately | Keep records for the HSWA period (at least 5 years for notifiable events; 7 years is a common rule); delete or de-identify once it expires |
| Handle health info carefully | Record minimum necessary; restrict access to sensitive details |
| Notify breaches | Report breaches that have caused or are likely to cause serious harm to the Privacy Commissioner and the affected individuals |
Further reading
- NZ Regulatory Framework — overview of all regulations
- Roles and Permissions — controlling who can see what in SteadyOn
- Office of the Privacy Commissioner — authoritative guidance on Privacy Act 2020