Studio Pacific Architecture Privacy Policy

Updated July 2023



Studio of Pacific Architecture (SPA) is committed to creating an environment of trust, care and respect for legal requirements (under the Privacy Act 2020) when it comes to the collection, use and management of personal information. This policy sets out how SPA stores, collects, uses and discloses personal information and other data about SPA clients and any other individuals we may deal with from time to time. 

Personal information means information about an identifiable individual. As such it does not include information about a company or other incorporated legal person. For this reason, SPA will likely collect more personal information on residential projects. However, we will inevitably also collect personal information from client representatives and others when working on commercial projects (i.e. where the client itself is a company that does not have any privacy rights).


Privacy Policy: Studio of Pacific Architecture Limited (we, us, our) understands the importance of protecting your Personal Information and takes your privacy seriously. For this reason, we have prepared this Privacy Policy ("Policy") to explain the steps that we take to comply with the New Zealand Privacy Act 2020 (the Act) when dealing with "personal information". In particular, this Policy outlines what Personal Information we may collect as well as how it is collected, used, disclosed and protected. 


Privacy Rights at Law: This policy does not limit or exclude any of your rights under the Act. If you wish to seek further information on the Act, see


Changes to Policy Terms: We may update or revise the terms of this Policy without notice by uploading a revised Policy version to our Website. By continuing to access or use our Website after an updated version of this Policy has been posted you unconditionally agree to those updated terms.


SPA's approach to privacy

When SPA collects, stores and uses personal information about its employees and clients it will always adhere to the following privacy principles to ensure that personal information is treated with respect and in a legally compliant manner: 

  • Data minimisation – we will only collect, create and retain personal information that we really need (i.e. reasonably require) for the purpose of carrying out legitimate SPA activities and functions.

  • Transparency – we will always be open and up front with our employees and clients about the personal information we collect as well as how we may use, store and disclose it.

  • Security – we will always take all reasonable steps (as determined by the nature of the personal information in question) to ensure that personal information is adequately protected against loss and unauthorised access, use and disclosure.

  • Use limitation – we will only ever use and share personal information (be it within SPA or with external people) in ways we say we will or otherwise agreed with the person the information is about, and only where necessary to meet our lawful purposes (e.g. as a service provider in relation to client information and an employer in the case of employee information).

  • Rights focused – we will make sure that our people can exercise their important privacy rights, including the right to know in advance and consent to how their personal information is used and shared as well as the right to access and correct their information when they wish to.


How we collect Personal Information about clients

How is it collected: We will only collect your Personal Information from: 

(a) You directly: when you elect to provide that Personal Information to us; or

(b) Automatically: if it is provided by your computer or other device when accessing the Website;

(c) Third parties: where you have authorised this or your Personal Information is publicly available. 


Automatic collection: If your computer automatically or manually provides Personal Information when accessing the Website, this may include Personal Information:

(a) that is automatically provided by your browser to the servers that support our Websites; 

(b) about your browsing and interactions with our Websites and the various pages viewed within; 

(c) that we capture or place on your computer or generate using cookies or like technologies; and 

(d) that you input into forms and fields on our website.


Personal information about clients and others will often also be generated over the course of each project (e.g. as project related correspondence and other documents are created over the course of the project).


Types of Personal Information we collect

While the exact list of information may vary, the types of personal information we may collect include the following:

Personal information we collect from clients and others directly includes: 

– Contact information (e.g. name, address, email, phone number and similar information)

– Work-related information (e.g. their employer and job title and information regarding their relevant work-related experience, expertise and like information).

– Project-related information that is personal in nature. For example, personal information that is relevant to and informs a client’s brief and subsequently identified design requirements and any underlying personal needs that inform this same (e.g. health/medical and other personal information that drives design requirements and decisions). 

– Any relevant health information (e.g. disabilities or other conditions that might impact on your health and safety while at SPA’s offices or visiting the relevant work site) as well as information about health and safety incidents (if one occurs).

– Credit card or other payment, insurance and like information that is reasonably required for billing purposes. 

– Email and other correspondence (including any file notes made in respect of phone calls and meetings). 

– Any survey or feedback information that we may collect from time to time, including any information relating to a complaint or dispute. 

– Any other information that we reasonably require to deliver architectural and related services. 


Personal information we collect from others will include:

– Publicly available information such as council building and resource consent records as well as any relevant land title, surveying and like information that we may need to obtain for a given project.

– Information related to anti-money laundering and/or credit check where this is relevant.

– Publicly available information (e.g. available on LinkedIn and other forums including google and other websites) relating to the professional background and expertise of a person whom SPA may work with on a given client engagement.  

– Information available via other professional bodies (e.g. Engineering NZ). 

– Any other information that we reasonably require to deliver architectural and related services.

– Footage from CCTV Camera which is located in the ground floor lobby of our Te Whanganui-a-Tara Wellington studio at 74 Cuba Street.


As noted above, we will also need to generate personal information about the client and others working on a given project. This will only occur when doing so is required to deliver the services we have been engaged to provide. 


How we may use Personal Information about clients and others

We will only ever use the personal information collected from clients and others to the extent that is reasonably required: 

– To enable the proper provision of architectural and related services.

– To determine, process and administer invoicing and other fee-related matters. 

– To communicate with clients and others about project related subject matter and deal with any other inquiries associated with the delivery of our services.  

– To ensure the health and safety of any client or other person whom we are responsible for under the Health and Safety at Work Act 2015.

– To comply with legislative reporting and recordkeeping requirements.

– To conduct benchmarking, analyses, quality assurance and planning activities, including statistical and management reporting, and

– To protect and/or enforce our legal rights and interests, including defending any claim.

– In any other way that is reasonably required as a responsible service provider and permitted by law.

How we may share Personal Information of clients and others

As a business and service, we will often need to share the personal information of clients and others internally with those who have a legitimate reason or need for accessing this information. For example, personal information provided to SPA by a client will typically need to be shared with those working on a project that the information was provided in relation to. 

It is important that SPA only ever shares such personal information internally to the extent that doing so is reasonably required for a legitimate purpose. Where we need to share information in a way we have not anticipated here, we will only do so if required or permitted by law.


Internal people who may have access to the personal information of clients and others include:

– The specific SPA employees who are allocated to work on the project to which the information relates. 

– SPA support staff who require the information for any ancillary business purpose (e.g. accounts receivable or the design staff who may require it to prepare an RPF response or like document). 

– Executive Directors and Practice Leadership Group (PLG) when deemed necessary.

– Contracted service providers that we use to perform services on our behalf (such as banking, mailing house services, logistics and IT service providers), within and outside New Zealand (see more below).

– Legal advisers or other professional advisers and consultants engaged by SPA.

At times we will also need to share the personal information of clients and others with external people or agencies where doing so is reasonably required for any business or service delivery purpose. Where possible, we will always seek the consent of the relevant person before disclosing their personal information to third parties. Where this is not possible, we’ll only disclose their personal information if we have a lawful and reasonable basis for doing so. 

How we store and protect Personal Information

We use some third-party services to store personal information that is provided to us by clients and others. Such third party services include MS Teams, Dropbox, SharePoint, In/Out App and others. This means we may transfer personal information or access it from countries other than New Zealand.

SPA will only send personal information to countries that have adequate privacy laws in place (such as New Zealand, Australia or the EU). 

SPA will only retain the personal information of clients and others for as long as it is needed to perform our contractual obligations or meet our legitimate interests, or to comply with our legal obligations, including the requirement to retain information in accordance with the Tax Administration Act, Employment Relations Act and Public Records Act. SPA will take all reasonably practicable steps to delete such personal information once it is no longer required for this purpose. 

Wherever personal information is stored, we will take reasonable steps to ensure that it is protected against loss or unauthorised access, modification, use or disclosure. All access and use of personal information will be strictly in accordance with the privacy principles noted at the beginning of this Policy and the legal obligations set out in the Privacy Act 2020 

Where personal information is particularly sensitive (e.g. it is financial or health-related) SPA will take additional steps to ensure the information is secure and can only be accessed by those at SPA who have a legitimate need to access and use it. 

Social Media

It is important to keep in mind that “following” people on personal or work-based social media and collecting information from the same amounts to the collection of personal information that is subject to all the rules set out in the Privacy Act 2020 and each of SPA’s applicable privacy policies.

For this reason, all employees need to keep in mind that just because they have become privy to personal information via a social media platform (e.g. as a result being a “friend” or “following” a client or other person via Facebook, Instagram or LinkedIn) it does not mean that such information is to be treated any differently. 

For this very reason, we will always err on the side of caution when it comes to retaining, using or further disclosing personal information obtained via social media. How and when such personal information can be retained, used or disclosed will always depend on the context. For example, information posted by a person in circumstances where they have elected to make it fully accessible to the public at large is to be treated differently to information that a person has elected to only make available to a more selected or private group (e.g. via private messenger system or some other permissions settings on the relevant social media platform). 


Privacy breach – notification by SPA employee or contractor

If any SPA employee or contractor becomes aware of an actual or potential privacy breach, they will report this to the Privacy Officer or Managing Director as soon as possible so that SPA can respond without delay. This will help minimise any harm caused to the affected people. 

A privacy breach could entail leaving documents containing personal information on the bus or entail a large-scale intrusion into SPA’s server. In any scenario where personal information is lost or compromised in any way, it will be treated as a privacy breach until proven otherwise. 

The Privacy Act 2020 makes it compulsory to report any privacy breaches “that have caused serious harm, or are likely to do so”. In the event that a breach of this nature does occur SPA will notify the Privacy Commissioner of the privacy breach. If we are unsure as to whether the breach is a serious one, we will contact the Privacy Commissioner and seek guidance. 

Regardless of the seriousness of the breach, we will always be open and transparent with people about how we are handling their personal information. On this basis, if there is a breach we will always notify the affected individuals promptly so that they can take steps to protect themselves and regain control of their information as soon as possible.

Privacy breach – external notification

If a client or contact of SPA becomes aware of an actual or potential privacy breach, we would appreciate being made aware of the situation as soon as possible so we can act to remedy it as soon as possible. Breaches can be reported to the individual’s SPA contact or SPA’s Privacy Officer –

The Privacy Act 2020 makes it compulsory to report any privacy breaches “that have caused serious harm, or are likely to do so”. In the event that a breach of this nature does occur, SPA will notify the Privacy Commissioner of the privacy breach. If we are unsure as to whether the breach is a serious one, we will contact the Privacy Commissioner and seek guidance. 

If external parties are unhappy with SPA’s remedial actions or assess the complaint as serious, they can also notify the Privacy Commissioner by completing the online Complaint Form

Regardless of the seriousness of the breach, we will always be open and transparent with people about how we are handling their personal information. On this basis, if there is a breach we will always notify the affected individuals promptly so that they can take steps to protect themselves and regain control of their information as soon as possible.

Accessing and controlling Personal Information

Everyone has an important range of privacy rights. The rights of clients and others include the following: 

The right to request a copy of their personal information and/or know what personal information we hold
Please note that on some limited occasions we may need to withhold some personal information, for example, where it is legally privileged, concerns information provided to us by another person in confidence or includes personal information about other people. If we need to withhold information, we will tell the relevant person why. We will take careful steps to verify the identity of the person requesting personal information before making any disclosure. 


The right to correct any of the personal information we hold about a client or other person
If a client or other person thinks any of the personal information, we hold about them is wrong, they can ask us to correct it. If we cannot correct your information - for example, where we don’t agree that it’s wrong – we will explain why if this is the case. The requesting person can ask us to attach their correction request to the relevant personal information as a statement of correction.


Right to make a complaint
If a client or other person has any concerns about the way that we have collected, processed or used their personal information we will seek to resolve the matter to their satisfaction. If we are unable to resolve the matter with the person concerned we should always advise them of their right to file a complaint to the Office of the New Zealand Privacy Commissioner by calling the commission or making a complaint via their website: