1. Overview and Purpose

Overview
SBS Wealth Limited (SBSW) considers the protection of an individual’s privacy to be paramount and is committed to acting in accordance with the Privacy Act 2020 (the Act) when providing services to clients. SBSW will ensure the principles of the Act, including the promotion and protection of individual privacy in relation to the collection, use and disclosure of information, are upheld.

Purpose
The Privacy Act 2020 sets out strict rules on the gathering and use of personal information about an individual.
The key purpose of this Privacy Policy is to explain SBSW’s general practices in the collection, storage, security, use and disclosure of clients’ personal information in the provision of services. This Policy applies to information held on individual clients; it does not apply to information SBSW holds on companies and other organisations.

 

2. Procedural Matters

This revised Policy was approved and adopted by the SBSW Board in April 2026. SBSW Board Committee approval is required before this policy is amended in any material way.

3. Roles and Responsibility

SBSW Privacy Obligations
All SBSW employees are required to uphold the legal requirements of the Privacy Act 2020. SBSW obligations broadly involve:

  • Complying with the “information privacy principles” as appended in 11.1;
  • Telling clients what SBSW is doing and why;
  • Keeping information safe and secure;
  • Obtaining only the personal information that is needed to conduct business;
  • Only using personal information that is accurate and current; and
  • Respecting a client’s right to view and edit information.

Board of Directors

  • Overall responsibility, approval and periodic review of SBSW’s Privacy Policy;
  • Ensuring all legislative and regulatory standards and requirements are adhered to; and
  • The overall application of this Policy.

From time to time, the Board may delegate some of their functions to a sub-committee of the Board, to the SBSW Risk and Compliance Committee or the Chief Executive Officer (CEO), as may be appropriate.


SBSW Compliance Committee

To provide detailed oversight on various operational matters.

SBSW Chief Executive Officer

  • Fulfilling the role of Privacy Officer;
  • Implementing the operational requirements of this Policy;
  • Establishment and maintenance of a Privacy Breach report within the framework of the SBSW Issue, Incident and Escalation Policy;
  • Reporting to the Board on this Policy on a timely basis;
  • Reporting to the Board on any material Policy breaches; and
  • Undertaking periodic reviews of this Policy to ensure currency and submit to the Board any material amendments to the Policy for approval.

From time to time, the CEO may delegate, in accordance with this Policy, appropriate responsibilities to another appropriate senior manager or key person of SBSW.

Specific Team Member Responsibilities

All SBSW employees are responsible for awareness and application of this Policy, its procedural requirements and their respective responsibilities under it. Specific responsibilities for each group are listed below:

All SBSW employees are responsible for:

  • Advising clients of the SBSW Privacy Policy for Clients (Appendix 11.2) as standard business practice and as requested; and
  • Applying the Policy in their day-to-day work.

All Managers are responsible for:

  • Ensuring their team know how to handle client information in accordance with this Policy through induction and training opportunities; and
  • Reviewing application of this Policy regularly.

4. Distribution

SBSW Privacy Policy for Internal Team Member

This Policy is available on the SBSW website – Adviser Section (www.sbswealth.co.nz). Key persons also receive a copy of this Policy. On-going team member training occurs via internal training modules.

SBSW Privacy Policy for Clients

The SBSW Privacy Policy as it applies to Clients (Appendix 11.2) is available to all clients via the SBSW website (www.sbswealth.co.nz).

5. Application of this Policy

This Policy applies to all SBSW employees and key persons.

6. Privacy Principles

At the core of the Privacy Act 2020 are 13 information privacy principles (Principles) that set out how businesses may collect, store, use and disclose personal information.

  • Principle 1: Purpose of collection of personal information
  • Principle 2: Source of personal information
  • Principle 3: Collection of information from subject
  • Principle 3A: Indirect collection of personal information
  • Principle 4: Manner of collection of personal information
  • Principle 5: Storage and security of personal information
  • Principle 6: Access to personal information
  • Principle 7: Correction of personal information
  • Principle 8: Accuracy of personal information to be checked before use
  • Principle 9: Personal information not to be kept for longer than necessary
  • Principle 10: Limits on use of personal information
  • Principle 11: Limits on disclosure of personal information
  • Principle 12: Disclosure of personal information outside New Zealand
  • Principle 13: Unique identifiers

For a full outline of the Principles of the Privacy Act and SBSW’s practices in relation to those principles, see Appendix 11.1. The Office of the Privacy Commissioner website also publishes information about the Principles and codes of practice (http://privacy.org.nz/the-privacy-act-and-codes/privacy-principles/).

Privacy Officer

As stipulated in section 201 of the Privacy Act 2020, all businesses must have at least one privacy officer in their business that knows about ‘privacy’. SBSW supports the belief that good privacy builds trust with clients and employees and therefore enhances its reputation.

The SBSW Privacy Officer is responsible for:

  • Encouraging SBSW to comply with the information privacy principles;
  • Developing effective policies for handling personal information that suit SBSW’s business needs;
  • Dealing with requests made to SBSW under the Act;
  • Training team members to deal with privacy properly and effectively;
  • Advising managers on how to ensure SBSW’s business practices comply with privacy requirements;
  • Alerting appropriate key persons to risks that might arise with personal information (such as security);
  • Working with the Privacy Commissioner in relation to any investigations conducted by the Privacy Commissioner; and
  • Ensuring SBSW complies with the Act.

The Chief Executive Officer holds the position of the Privacy Officer.

Reporting a Breach

Privacy breaches will be reported within the framework of the SBSW Issue, Incident and Escalation Policy.

Part 6 of the Act provides for mandatory reporting of notifiable privacy breaches.

A “notifiable privacy breach” is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so.

When assessing whether a privacy breach is likely to cause “serious harm” in order to decide whether the breach is notifiable, we must consider the following:

  • Any action taken by us to reduce the risk of harm following the breach;
  • Whether the personal information is sensitive in nature;
  • The nature of the harm that may be caused to affected individuals;
  • The person or body that has obtained or may obtain personal information as a result of the breach;
  • Whether the personal information is protected by a security measure;
  • Any other relevant matters.

In the event of a notifiable breach, we must notify the Privacy Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred.

In the event of a breach requiring notification to the Commissioner, the following persons will be notified immediately:

  • The SBSW Board
  • The CEO of SBS Bank
  • The Supervisor (if applicable)
  • The Financial Markets Authority (if applicable)

7. Document Retention

SBSW will:

  • Maintain documentation of all assessments/processes carried out under this Privacy Policy; and
  • Retain all documents for a period of seven years in accordance with the SBSW Record Keeping Policy.

8. Monitoring and Review

Ongoing compliance with the Privacy Policy will be reported to the Risk and Compliance Committee at each meeting.
The Board or Risk and Compliance Committee and CEO will conduct regular reviews of all matters pertaining to this Policy and on an as-required basis.

9. Related Documents

This Policy is related to and should be read in conjunction with:

  • New Zealand legislation - Privacy Act 2020 (and associated codes of practice)
  • SBSW Record Keeping Policy
  • Office of the Privacy Commissioner website and guidance material http://privacy.org.nz/

10. Definitions

Act: Privacy Act 2020
Board: Board of Directors of SBSW
CEO: Chief Executive Officer of SBSW
Director: person occupying the key position of Director of SBSW
SBSW: SBS Wealth Limited
FMC Act: Financial Markets Conduct Act 2013
Key person(s): person holding the position of Director, Chief Executive Officer or Senior Manager of SBSW
Key position(s): position/s held by a key person in SBSW

11. Appendices

Appendix 11.1: Privacy Act 2020: The Information Privacy Principles and our policies
Appendix 11.2: SBSW Privacy Policy for Website

Appendix 11.1: Privacy Act 2020, Information Privacy Principles

1.1 Principle 1: Purpose of collection of personal information

Personal information must not be collected unless:

  • the collection is for a lawful purpose connected with a function or activity of the agency collecting the information; and
  • it is necessary to collect the information for that purpose.

Our Practice

SBSW will only collect information that is relevant or required by law for the purpose of provision of the service offered to the client.

1.2 Principle 2: Source of personal information

Personal information must be collected directly from the individual concerned.
The exceptions to this are when the agency collecting the information believes on reasonable grounds that:

  • the interests of the individual concerned are not prejudiced;
  • complying with this principle would prejudice the purposes of collection;
  • the individual concerned authorises collection of the information from someone else;
  • the information is publicly available;
  • it is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings;
  • complying with this principle would not be reasonably practical in the particular case; or
  • the information will not be used in a form that identifies the individual.

Our Practice

The personal information to be collected will be specified in the relevant application forms and will be collected directly from the applicant (or in the case of minors, their legal guardian(s)) or from publicly available sources. Any other personal information will be collected from Government agencies (such as Inland Revenue) in the ordinary course of provision of the service.

1.3 Principle 3: Collection of information

When an agency collects personal information directly from the individual concerned, it must take reasonable steps to ensure the individual is aware of:

  • the fact that the information is being collected;
  • the purpose;
  • the intended recipients;
  • the names and addresses of who is collecting the information and who will hold it;
  • any specific law governing provision of the information and whether provision is voluntary or mandatory;
  • the consequences if all or any part of the requested information is not provided; and
  • the individual’s rights of access to and correction of personal information.

These steps must be taken before the information is collected or, if this is not practical, as soon as possible after the information is collected.

An agency is not required to take these steps if they have already done so in relation to the same personal information, or information of the same kind, on a recent previous occasion.

It is also not necessary to comply with this principle if the agency collecting the information believes on reasonable grounds that:

  • it is not prejudicing the interests of the individual concerned;
  • it is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings;
  • complying with this principle will prejudice the purposes of collection;
  • complying with this principle is not reasonably practical in the particular case; or
  • the information will not be used in a form in which the individual concerned is identified or will be used for statistical or research purposes.

Our Practice

When entering into a new business relationship, the application form will refer to our privacy statement situated on the website in the manner specified in the appendices. The privacy statement reference will also be incorporated into forms containing personal information in the ordinary course of a relationship.

1.4 Principle 3A: Indirect collection of personal information

When an agency collects personal information indirectly, it must take reasonable steps to ensure the individual is aware of:

  • the fact that the information is being collected;
  • the purpose for which it has been collected;
  • the intended recipients;
  • the names and addresses of who is collecting the information and who will hold it;
  • if the collection is authorised or required by law, which particular law; and
  • the individual’s rights of access to and correction of personal information.

These steps must be taken as soon as is reasonably practicable after the information is collected (unless taken sooner).

An agency is not required to take these steps if the individual concerned has previously been made aware of these matters by any means in relation to the agency’s collection of the information.

It is also not necessary to comply with this principle if the agency collecting the information believes on reasonable grounds that:

  • non-compliance would not prejudice the interests of the individual concerned;
  • the information is publicly available;
  • non-compliance is necessary for a public sector agency to collect the information to uphold or enforce the law, protect public revenue, or assist court or tribunal proceedings;
  • complying with this principle would prejudice the purposes of collection;
  • complying with this principle is not reasonably practicable in the particular case; or
  • the information will not be used in a form in which the individual concerned is identified or will be used for statistical or research purposes.

Our Practice

At the time of entry into a new relationship we will receive the applicant’s express authority enabling us to collect information from a third party and provide the applicant with a copy of our Privacy Statement, which will contain the information required under this Principle to be provided to individuals in relation to each indirect collection.

1.5 Principle 4: Manner of collection of personal information

Personal information must be collected only by:

  • lawful means; or
  • means that are fair and do not intrude unreasonably on the personal affairs of the individual concerned.

Our Practice

SBSW will only collect personal information directly from its clients or from publicly searchable (and verifiable) resources or as supplied by Government Agencies. Any personal information collected will only be relevant to the nature of the service provided to the client.

1.6 Principle 5: Storage and security of personal information

An agency holding personal information must ensure that:

  • there are reasonable safeguards against loss, misuse or disclosure; and
  • if it is necessary to give information to another person, such as someone working on contract, everything reasonable is done to prevent unauthorised use or unauthorised disclosure of the information.

Our Practice

Protection of client information is paramount whether it is held directly by SBSW or by third party service providers.
This also extends to employee information.

SBSW will mitigate the risk of a privacy breach by:

  • password protecting all electronic communications containing client confidential information;
  • requiring third party service providers to password protect all electronic communications containing client confidential information;
  • seeking regular confirmations from third party service providers that they have complied with the Act;
  • limiting access to client information to those employees or other persons who have a legitimate need to access the information;
  • requiring employees and other contracted persons to be bound by a “declaration of secrecy” of client information.

1.7 Principle 6: Access to personal information

Where personal information is held in a way that it can readily be retrieved, the individual concerned is entitled to:

  • obtain confirmation of whether the information is held; and
  • have access to information about them.

An agency may refuse to disclose personal information for a range of reasons as referenced in part 4 of the Act, including that it would:

  • pose risks to New Zealand's security or defence;
  • breach confidences with another government;
  • prevent detection of criminal offences or the right to a fair trial;
  • endanger the safety of an individual;
  • disclose a trade secret or unreasonably prejudice someone's commercial position;
  • involve an unwarranted breach of another individual's privacy;
  • breach confidence where the information has been gained solely for reasons to do with the individual's employment, or to decide whether to insure the individual;
  • be contrary to the interests of an individual under the age of 16;
  • breach legal professional privilege;
  • reveal the confidential source of information provided to a Radio New Zealand or Television New Zealand journalist; or
  • constitute contempt of court or the House of Representatives.

Requests can also be refused, for example, if the agency does not hold the information or if the request is frivolous or vexatious.

Our Practice

SBSW will provide such information upon request subject to the provision of suitable identification documentation.
SBSW will take into account the exceptions, in particular if it suspects that the client may be vulnerable or subject to coercion, or in any of the instances listed above.

1.8 Principle 7: Correction of personal information

Everyone is entitled to:

  • request correction of their personal information; and
  • request that if it is not corrected, a statement of correction is attached to the original information saying what correction was sought but not made.

Correction may be refused if any of the provisions of part 4 of the Act apply (see above).

If agencies have already passed on personal information that they then correct, they should inform the recipients about the correction.

Our Practice

SBSW will correct information upon request subject to the provision of suitable identification documentation. SBSW notes that the Inland Revenue may direct SBSW to alter client tax information. The Inland Revenue makes its own arrangements regarding notifying affected people.

1.9 Principle 8: Accuracy of personal information to be checked before use

An agency must not use or disclose personal information without taking reasonable steps to check it is accurate, complete, relevant, up to date, and not misleading.

Our Practice

Our forms and online applications allow clients to keep their information up to date. Where communications (either electronic or by post) are sent, we will take steps to seek updated, correct information from the client where possible.

1.10 Principle 9: Personal information not to be kept for longer than necessary

An agency holding personal information must not keep it for longer than needed for the purpose for which the agency collected it.

Our Practice

SBSW’s policy is to “digitise” all client documents where possible. These documents will be held either directly by SBSW, via third party service providers, or in “cloud” storage. Maintenance of digital files is captured by the SBSW Record Keeping Policy.

1.11 Principle 10: Limits on use of personal information

Personal information obtained in connection with one purpose must not be used for another. The exceptions include situations when the agency holding personal information believes on reasonable grounds that:

  • the individual concerned is not identified, or the information is to be used for statistical or research purposes;
  • the individual concerned has authorised the use;
  • the agency got the information from a publicly available publication and in the circumstances, it would not be unfair or unreasonable to use the information;
  • the use is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings;
  • the use is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual.

Our Practice

SBSW will not use the information collected for a purpose other than the initial intended uses (cross marketing is captured within our privacy statement).
We can only use information for a secondary purpose if authorised by the customer or if it is to lessen a serious or imminent threat to public health or safety or of the individual concerned. Information can also be disclosed to public sector agencies like the Police with appropriate requests.
The information can be used if the individual cannot be identified, e.g. for research or statistical information.

1.12 Principle 11: Limits on disclosure of personal information

Personal information must not be disclosed unless the agency reasonably believes that:

  • the disclosure is in connection with, or directly related to, one of the purposes for which it was obtained;
  • disclosure is to the individual concerned;
  • disclosure is authorised by the individual concerned;
  • the agency got the information from a publicly available publication, and in the circumstances, it would not be unfair or unreasonable to disclose the information;
  • it is necessary for a public sector agency to disclose the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings;
  • disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual;
  • disclosure is necessary to facilitate the sale of a business as a going concern; or
  • the information is to be used in a form in which the individual concerned is not identified.

Our Practice

We must not give any personal information to anyone else (e.g. Solicitor, Accountant, Brokers, etc.) unless the individual is aware and has authorised the disclosure.

SBSW has an information sharing arrangement with the SBS Group of companies. All information provided to other third parties will be incidental to the underlying business relationship that the customer has entered into.

1.13 Principle 12: Disclosure of personal information outside of New Zealand

An agency may disclose personal information to a foreign person or entity in reliance on principle 11 only if:

  • the individual concerned authorises that disclosure after being expressly informed by the agency that the foreign person or entity may not be required to protect the information in a way that, overall, provides comparable safeguards under the Act; or
  • the foreign entity or person is carrying on business in New Zealand and the agency believes on reasonable grounds that the foreign person or entity is subject to the Act; or
  • the agency believes on reasonable grounds that the foreign person or entity is subject to privacy laws that, overall, provide comparable safeguards to those in this Act; or
  • the agency believes on reasonable grounds that the foreign person or entity is a participant in a prescribed binding scheme; or
  • the agency believes on reasonable grounds that the foreign person or entity is subject to privacy laws of a prescribed country; or
  • the agency otherwise believes on reasonable grounds that the foreign person or entity is required to protect the information in a way that, overall, provides comparable safeguards to those in this Act (for example, pursuant to an agreement entered into between the agency and the foreign person or entity).

However, it does not apply if the personal information is to be disclosed to the foreign person or entity on the following grounds:

  • it is necessary for a public sector agency to disclose the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings; or
  • disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual; and
  • it is not reasonably practicable in the circumstances for the agency to comply with the requirements of this subclause.

Our Practice

SBSW does not in the ordinary course of its business disclose personal information to entities outside of New Zealand.

1.14 Principle 13: Unique identifiers

Unique identifiers - such as IRD numbers, bank client numbers, driver’s licence and passport numbers - must not be assigned to individuals unless this is necessary for the organisation concerned to carry out its functions efficiently. The identifiers must be truly unique to each individual (except in some tax related circumstances), and the identity of individuals must be clearly established. No one is required to disclose their unique identifier unless it is for, or related to, one of the purposes for which the identifier was assigned. The Government is not allowed to give people one personal number to use in all their dealings with government agencies.

Our Practice

We can only use a method of identification like a code or number for the purpose of operating more efficiently. We cannot share these codes or identification methods with other businesses.

1.15 Exceptions to the Privacy Principles

Many of the principles have built-in exceptions. It's important to read the principles together with their exceptions to see how they relate to particular circumstances. The exceptions to the principles are set out in sections 25-29 of the Act.

Our Practice

Exceptions to the privacy principles will be considered on a case by case basis, with exceptions to be referred in the first instance to the SBSW Risk & Compliance Manager, who will submit a recommendation to the Privacy Officer.

1.16 Handling Biometric Information (Biometrics Processing Privacy Code 2025)


SBSW may collect and process biometric information (e.g., facial images) for purposes such as identity verification or fraud prevention. Where biometric processing is undertaken, SBSW must ensure it complies with the Rules set out in the Biometrics Processing Privacy Code 2025, including ensuring:

  • The biometric processing is necessary and effective in achieving SBSW’s lawful purpose(s), it has implemented reasonable privacy safeguards to protect the biometric information, and the biometric processing is proportionate to the likely impacts on individuals (proportionality test).
  • Individuals are informed before or at the time of collection, including (but not limited to):
    • The purpose of collection, specified with due particularity;
    • Whether there is an alternative option to biometric processing available;
    • The technology used and any intended recipients of the information;
    • The retention period of the biometric information;
    • Their rights to access and correct the data;
    • The process available to individuals to make a complaint about the processing; and
    • The location of SBSW’s proportionality assessment.
  • Biometric information must be stored securely and retained only as long as necessary.
  • SBS will not use biometric information for profiling or categorisation unless explicitly permitted under the Code.

Biometric information is treated as sensitive personal information and requires a Privacy Impact Assessment (PIA). 

Appendix 11.2: SBSW Privacy Policy (website)

SBS Wealth Limited – privacy policy

1 General

In this privacy policy, the terms ‘we’, ‘us’, and ‘our’ refer to SBS Wealth Limited and/or our parent SBS Bank (collectively, the ‘Bank’). We are bound by, and comply with, the Privacy Act 2020. If you are located in the EU, you may also have rights under the EU General Data Protection Regulation.

This privacy policy explains how we may collect, store, use, and disclose personal information that you provide to us. By accessing or using our website, applying for and using any of our products or services, or otherwise providing us with your personal information, you consent to our collecting, storing, using, and disclosing your personal information in the manner set out in this privacy policy. Please read our privacy policy in conjunction with any other terms and conditions that apply to the use of our website, products or services.