Submission to the Ministerial Advisory Group for Victims of Retail Crime

Submitted via email, 4 February 2026

Safer Retail, Smarter Technology

Heart of the City (HOTC) represents the interests of businesses and property owners in Auckland's city centre. We advocate for a vibrant, accessible, safe, and welcoming city centre that is a great place to do business. 

Our members include small independents, hospitality venues, boutiques, and large-format retailers in New Zealand’s highest-footfall urban precinct. We support a framework that reduces repeat offending and harm while maintaining strong privacy protections, and that is workable for small businesses as well as national chains. 

The MAG papers correctly describe the current gap: principles-rich but implementation-poor privacy settings, uneven access to lawful information sharing, and fragmented use of technology that risks crime displacement onto small stores. 

We support a graduated pathway from clear guidance and a national standard to, if needed, a sector Privacy Code and enabling statute.

Responses to Questions:
Q1. Do the indicative thresholds adequately cover what’s needed to reduce retail crime and enable an effective, equitable, and trusted framework?
Mostly yes, with three important additions. The indicative thresholds and safeguards articulated in the Options Paper (e.g., reliable evidence, clear purpose, proportionate sharing, local-first, regular review/removal, independent oversight) are a strong base. We endorse them.

We recommend three refinements to ensure the framework is workable, equitable and reflective of real-world harms:

1. Include harassment, threats, and disorderly/abusive conduct as threshold harms, not just violence or dollar-value theft. Persistent harassment and intimidation and worse are major drivers of fear, staff turnover, and lost trade. “Verified repeated disorder/harassment” should qualify for inclusion in secure sharing/watchlists.

2. Enable cumulative, repeat low-value loss to count where there is reliable evidence of persistence. The Options Paper recognises cumulative harm; the threshold should explicitly allow two or more verified incidents (or breach of trespass) as an inclusion trigger, subject to review periods and appeal.

3. Equity levers for SMEs. Thresholds should be paired with supports so that small stores can participate safely (pooled accreditation, subsidised compliance, shared platforms), otherwise crime will continue to displace to the least protected businesses.

We also support cultural and equity safeguards and independent audit/complaints channels as specified.

Q2. How could official guidance be made easier to use?
Guidance must be scenario-based, practical, and consistent nationwide. A ‘cheat-sheet’ or retail playbook in plain language with short templates and visuals. Specifically:
•One-page decision trees for common scenarios (repeat low-level theft; trespass breach; verified harassment/abuse; violent incident).
•Template packs: privacy notices/signage, watchlist governance policy, incident verification checklist, proportionality worksheet, complaints & appeal process.
•Operational examples for SMEs (single-camera stores, no legal team) and translated versions to address language barriers.
•“Do/Don’t” guides on what can be lawfully shared (and what must not) and how to avoid public shaming (no social media walls of shame).
•Micro-learning videos (2–4 minutes) and a helpline/email triage for quick answers in peak trading hours.

Q3. What would make a national standard practical and effective, and should it be voluntary or mandatory?
Design for maximum uptake; start voluntary with a path to recognition/mandating. Practical features we support:
•Co-design through Standards NZ with retailers (large & small), OPC, Police, privacy advocates, and community groups.
•Scenario-specific modules covering: lawful data sharing; watchlist thresholds; FRT configuration/accuracy testing; human-in-the-loop checks; retention/review; complaints & appeal; supports for SMEs.

•Alignment with the Privacy Act and the Biometric Processing Privacy Code 2025, NZ information sharing standards, and relevant ISO/IEC AI/biometric benchmarks; periodic review to keep current.

Voluntary vs mandatory:
•Start voluntary to prove practicality and build trust; recognise the standard formally (OPC/Minister) as an approved compliance mechanism. If uptake stalls or inconsistency, enable recognition in law (via a Retail Privacy Code or statute) so elements can become mandatory for accredited networks and providers.
•Pair the standard with subsidised accreditation and shared services for SMEs, otherwise the benefits will skew to the largest players.

Q4. Would a new retail privacy code (led by the Privacy Commissioner) help? Or could it risk limiting flexibility and innovation?
Yes but only after guidance and the standard are tested. A Retail Privacy Code can provide binding, uniform rules (thresholds, retention, audit, signage, complaints) and certainty for the sector. Risks are rigidity and over-prescription before practice matures.
We support a sequenced approach:

1. Option A (Guidance) and Option B (National Standard) first (fast, co-designed, scenario-rich)
2 . Option C (Retail Privacy Code) later, to “lock in” what works and provide enforceability, with carve-outs for innovation where equivalent protection is demonstrated.

This aligns with consultation feedback that many stakeholders prefer staged regulation to maintain public confidence and adaptability.

Q5. Should Government create a new law now, or first test guidance and standards before legislating?
We favour a staged approach. We favour progression through stages:
•A (Enhanced Guidance) now for immediate clarity;
•B (National Standard) to build consistent practice and accredited networks;
•C (Retail Privacy Code) if needed to make core elements binding; and
•D (Retail Crime Information Act) only after evidence shows what should be codified and how to embed oversight, equity supports, and accreditation in statute.

This pathway levels the field, enables trusted participation (including small retailers), and preserves flexibility while privacy safeguards remain strong.

Additional Business-led Recommendations
1) FRT / informal data sharing – make it safe, fair, and accessible
•FRT adoption curve - We support working from Option A through to D so that smaller businesses can join over time under clear, auditable safeguards. Current costs and compliance overheads mean SMEs will adopt later, so frameworks must anticipate shared services and pooled accreditation.
•SME enablement: Develop trusted and accredited centralised platforms that deliver cost-effective, compliant sharing and optional FRT watchlist services for small stores. Subsidise onboarding, templates, and audits to ensure universality and equity.

Feedback we gathered from city-centre businesses shows interest in FRT when protocols, privacy constraints, PIAs, role-based access, and police linkage are clear; cost and training are pivotal, and customers are generally supportive when transparency is provided.

2) Reporting should be easy and consistent
•Create a single, simple, multilingual online form (and API) aligned to the national standard to capture incidents once and share to Police and accredited networks as permitted. Provide templated evidence checklists to improve verification quality.

4) Scope of “crime and harm”
•Explicitly include harassment, threatening or abusive behaviour, and persistent disorder as qualifying harms where proportionate and verified. Include not only violence or theft thresholds - reflecting real-world safety risks in all forms.

Closing statement
We support privacy and prevention working together. The pathway we propose keeps privacy strong, enables proportionate prevention, and brings small and large retailers into a trusted, consistent framework. With clear guidance, a practical national standard and if warranted a code and statute, New Zealand can move from ad-hoc, risky practices to safe, auditable and equitable technology use that reduces harm for workers, customers and communities.