Privacy Warrant of Fitness for Franchisors

Written by David Alizade (Partner) and Darryl King (Partner) on November 20th, 2020.


The Privacy Act 2020 (Act) comes into force on 1 December 2020.  This warrant of fitness is designed to help you assess how well placed you are to comply with the Act, and what changes you might need to make.



Privacy Officer

Appoint a privacy officer (if you haven’t already).  We recommend that the Franchisor has a privacy officer that acts as a central point of control / contact for franchisees for privacy related matters. Each franchisee should also have a person nominated as their privacy officer.
Ensure your privacy officer is up to speed with privacy laws including the changes under the Act.

Collecting Information

Audit what information you collect (and how you collect it), including any information you collect online.
Check whether your privacy policy allows you to collect the information you and/or your franchisees are collecting.
Check whether you need to collect the personal information you and/or your franchisees are collecting.
If personal information is collected from children or young people, check that it is collected fairly.

Disclosing information

Identify who you and your franchisees disclose personal information to (and where in the world it goes).

If you or your franchisees send personal information overseas, check whether you comply with the changes to the Act.     
Check that the network’s privacy policy accurately and clearly describes who information is disclosed to, and how information will be protected if you transfer information overseas (if applicable).
Check that your agreements with third parties allow you to comply with your obligations under the Act (for example, by including a process for reporting breaches and restrictions on transferring data overseas).  Your template franchise agreement should also include these clauses.

Privacy Breaches

Create a data breach response plan and update your privacy policy with how you will respond to a breach.
Update your franchise manual to include your data breach response plan, with a clear process for franchisees to report, manage and notify data breaches.  Consider having this led and controlled by you to ensure compliance and to manage potential brand/PR damage.
Test your breach response plan with your franchisees – you can use the Privacy Commissioner’s online NotifyUs tool to run through example situations without submitting information to the Privacy Commissioner.

Storage and Security

Review the safeguards and policies you have in place for protecting the personal information you and/or your franchisees collect. You may need to update your franchise manual.

If permitted by your franchise agreement, consider auditing how your franchisees are dealing with personal information, including its collection, storage, and disposal.

If you or your franchisees deal with account numbers, drivers licence numbers or other unique identifiers, consider how you can protect against these being misused.  Update your franchise manual if required.

Ensure that you and your franchisees are not keeping personal information longer than needed.

Check that you and your franchisees are disposing of personal information securely when finished with it.


Check you have a process in place to respond to requests for access to or correction of personal information within the statutory timeframes.  This could be controlled by the franchisor.


Ensure that your franchisees and their employees understand the privacy obligations under the Act, the process to follow if there is a privacy breach, and your internal privacy policies.

Update your documents

Depending on the nature of your franchise, as part of completing this warrant of fitness you will need to review and update a number of documents you and your franchisees use.  These could include:

Privacy policy – Your privacy policy should be easy to understand and accurately set out:
- the personal information collected and who the information is disclosed to (make sure you allow disclosure to and use by the franchisor and related entities);

- what information will be used for;

- how the information is stored, kept secure and disposed of;

- whether the information is sent overseas (and if so how it will be protected);

- how an individual can access and correct their information; and
- how you/the franchisee will respond to a privacy breach. 
Franchise manual – Your franchise manual should be updated with a new data breach response plan, and privacy policies and procedures which clearly set out franchisees’ obligations in relation to privacy, including in relation to sending personal information overseas. 
Internal privacy policy - You may want to create a separate internal privacy policy for franchisees to provide to their staff to follow (or update your existing one).
Internal training modules – If you provide franchisees with training booklets or modules, these should be updated to include privacy obligations.
Franchise agreement – Consider updating your template franchise agreement to include or update specific privacy related terms. For your existing franchisees, consider if changes to the manual are sufficient.  
Customer agreements and sign up forms – Remove any personal information you don’t need to collect, and make changes if information is sent overseas. Don’t forget online forms.
Third party agreements (e.g. supplier agreements) – Updates should include a privacy breach process and clauses that ensure information sent overseas is protected.
Cloud storage agreements – Check whether your agreements enable you to comply with your obligations under the Act, including your obligation to report privacy breaches, and provide individuals with access to and correction of their information.
Insurance – Check whether your insurance policy covers you for a privacy breach.

Please contact us if you would like help with complying with the Act and the changes you might need to make. We can provide you with clear advice on the Act, and the updates you need for your franchise network privacy policy and agreements. We can also assist you with training on compliance with the Act.

Disclaimer: The information contained in this publication is of a general nature and is not intended as legal advice.  It is important that you seek legal advice that is specific to your circumstances.

All rights reserved © Jackson Russell 2020