Managing Client Data and Your Privacy Obligations

The Chaperone Team

Mortgage broking involves collecting some of the most sensitive personal and financial information that clients ever share with anyone. Bank statements, payslips, identity documents, credit reports, relationship details, and health disclosures can all pass through a broker's hands during a standard application. At Chaperone, we believe that handling this information responsibly is not just a compliance matter - it is a fundamental part of the trust relationship that makes broking work. This article covers the key privacy obligations and practical habits that every broker should have in place.

The Privacy Act 2020: Core Obligations

New Zealand's Privacy Act 2020 sets out information privacy principles that govern how personal information must be collected, stored, used, and disclosed. The key principles most relevant to brokers include collecting only the information that is necessary for the purpose, keeping it secure, retaining it only for as long as needed, and not sharing it without the individual's knowledge or consent except in limited circumstances. The Act also gives individuals the right to access information held about them and to request corrections. Familiarising yourself with these principles - or confirming that your compliance processes reflect them - is the starting point for sound data management practice.

Collecting Only What You Need

A common risk in broking practice is over-collection - gathering documents and data that are not actually required for the current application. While it can feel efficient to collect everything upfront, retaining unnecessary information creates privacy exposure. If you hold data you did not need to collect, you are responsible for protecting it, and its presence increases the potential harm if a data breach were to occur. Review your standard document checklists periodically to confirm that everything you routinely collect is genuinely necessary for the types of applications you handle.

Secure Storage and Transmission

The way client data is stored and transmitted matters as much as what data you hold. Sending sensitive documents as unencrypted email attachments, storing files on personal devices without adequate protection, or using consumer-grade cloud storage for client information are all practices that create unnecessary risk. Using secure client portals for document collection, encrypting email communications where possible, and ensuring that any software you use meets appropriate security standards are practical steps that meaningfully reduce your exposure. If you use third-party software tools that hold client data, you are responsible for understanding their security and privacy practices.

Retention and Disposal

Privacy obligations do not end when an application settles. You should have a clear policy for how long you retain client records and how they are disposed of when that period ends. The Financial Markets Authority's requirements, together with your obligations under the Financial Advisers Act, inform the minimum retention period for financial advice records in New Zealand. Beyond that minimum, retaining records longer than necessary creates ongoing privacy and security obligations without any corresponding benefit. Shredding physical documents and securely deleting digital files at the end of the retention period is part of responsible practice.

Third-Party Disclosure

In the normal course of a mortgage application, you will share client information with lenders, valuers, and other parties involved in the transaction. Clients generally understand and consent to this when they engage you. What requires more care is any use of client information outside the direct application context - for example, sharing client details with referral partners, using client stories in marketing material, or passing information to third-party service providers. Ensuring you have clear consent for any disclosure outside the primary purpose is an important safeguard. Your engagement letter or client agreement should address this explicitly.

Responding to a Privacy Breach

Even with strong systems in place, data breaches can occur. Under the Privacy Act 2020, serious privacy breaches must be notified to the Office of the Privacy Commissioner and to affected individuals. Knowing in advance what constitutes a notifiable breach and having a basic response plan - who you will notify, in what timeframe, and how you will communicate with affected clients - means you can respond quickly and appropriately if something goes wrong. At Chaperone, we encourage brokers to treat privacy not as a box-ticking exercise but as a professional standard that reflects the trust clients place in them every time they share their financial lives.