If you run a business in New Zealand, you’ll hear “privacy” and “confidentiality” used like they mean the same thing.
They don’t.
Getting the difference right matters because it affects how you collect customer details, how you store employee records, what you can share with suppliers, and what you should put in your contracts. This guide is updated to reflect current expectations around data handling and workplace practices, so you can stay on top of your legal foundations as your business grows.
Let’s break it down in plain English.
What’s The Difference Between Privacy And Confidentiality?
The easiest way to think about it is:
- Privacy is mostly about personal information and your legal duties under the Privacy Act 2020.
- Confidentiality is mostly about keeping certain information secret because of a relationship or agreement (for example, a contract, an employment relationship, or professional duties).
They overlap a lot in real life, but they aren’t interchangeable.
Privacy In Practice
Privacy usually comes up when you’re dealing with information that can identify a person, like:
- a customer’s name, email, phone number, or address
- employee records
- CCTV footage where people are identifiable
- medical information (which is generally “sensitive”)
- IP addresses, device identifiers, or account logs that tie back to an individual
If you collect, store, use, or share personal information, you’re likely dealing with privacy obligations.
Confidentiality In Practice
Confidentiality is broader. It can include personal information, but it also covers non-personal business information you want to protect, like:
- pricing, supplier terms, and margins
- client lists and sales leads
- business strategies and marketing plans
- product formulas or “how we do things” processes
- software code, designs, and prototypes
For example, your customer database might involve privacy and confidentiality, while your pricing model is mainly a confidentiality issue.
Why This Difference Matters For Your Business
If you treat everything as “confidential” but ignore privacy law, you may end up:
- collecting personal information without proper notices or consent
- storing data insecurely (and exposing your business to breach risks)
- sharing personal information in ways you’re not allowed to
On the other hand, if you focus only on privacy and forget confidentiality, you may:
- lose valuable trade secrets when a contractor leaves
- have staff take client lists or pricing information to a competitor
- accidentally disclose commercially sensitive information during negotiations
The goal is to manage both properly, from day one.
What Does “Privacy” Mean Under New Zealand Law?
In New Zealand, privacy obligations mainly come from the Privacy Act 2020. The Act applies to many organisations (including small businesses) that handle personal information.
Privacy law isn’t about stopping you from collecting information entirely. It’s about making sure you handle it fairly, transparently, and securely.
“Personal information” is information about an identifiable individual.
It doesn’t need to be a name and address. In many situations, information can be personal if it can reasonably be linked back to a person (for example, account IDs, device identifiers, or combinations of data points).
Typical Privacy Obligations For Small Businesses
While the Privacy Act is detailed, the practical expectations for most small businesses often include:
- Collect only what you need for a legitimate purpose (for example, don’t collect date of birth “just in case”).
- Be clear about why you’re collecting it and what you’ll do with it.
- Store it safely and restrict access to people who actually need it.
- Use and disclose it appropriately (for example, don’t share a client’s details with another business unless you have a proper basis to do so).
- Keep it accurate if you’re relying on it.
- Don’t keep it forever if you no longer need it.
One of the most practical ways to support these duties is having a fit-for-purpose Privacy Policy that reflects how your business actually collects and uses personal information (rather than a generic template that doesn’t match your systems).
Privacy Comes Up More Often Than You Think
Many businesses assume privacy only matters if they’re a “tech company”. But privacy issues come up in everyday operations, like:
- sending marketing emails to customers
- running an online booking system
- storing CVs during recruitment
- using CCTV for security
- using third-party tools (e.g. CRMs, email platforms, cloud storage)
If you’re not sure whether something is “privacy” or “confidentiality”, a simple test is: does this information identify a person? If yes, privacy law is likely involved.
What Does “Confidentiality” Mean And Where Does It Come From?
Confidentiality usually comes from contracts and relationships, not a single “Confidentiality Act”.
In practice, confidentiality obligations often come from:
- a confidentiality clause inside a broader agreement (like a service agreement)
- a standalone non-disclosure agreement (NDA)
- employment obligations (including implied duties of fidelity and good faith)
- professional duties (for example, health providers and certain regulated professions)
If you’re sharing sensitive commercial information during negotiations, it’s common to have an NDA in place before you hand over documents, access to systems, or detailed pricing information.
Most contracts define confidential information broadly, often covering:
- business operations, plans, and strategies
- trade secrets and know-how
- financial information
- customer and supplier details
- product designs or intellectual property
But (and this is important) a confidentiality clause is only as useful as its wording. A vague clause can be hard to enforce, especially if there’s a dispute about what information was actually confidential.
Confidentiality isn’t just “nice to have”. It helps you control information that gives you a competitive edge.
For example, imagine you’ve built a service business with a strong client list and pricing model. If you don’t lock down confidentiality properly, a contractor could walk away with your client contacts and undercut you the next week. Even if you feel it’s unfair, enforcing your rights is much easier when you’ve set clear contractual obligations upfront.
Confidentiality And Employment Relationships
For employees, confidentiality often sits inside (or alongside) their employment terms. If you’re hiring, it’s worth ensuring your Employment Contract clearly covers things like:
- what counts as confidential information
- how it can be used during employment
- what happens when the employee leaves (including returning company devices and data)
- limits around client lists, pricing, and internal processes
Confidentiality clauses are also commonly paired with other protections (like restraints of trade), but those need careful drafting to be enforceable and reasonable in your circumstances.
Common Business Scenarios Where People Mix Them Up
In day-to-day business, privacy and confidentiality often show up together. Here are a few common scenarios where it’s easy to blur the lines.
1) Handling Employee Records
Employee records are usually personal information, so privacy law matters.
At the same time, you’ll generally treat HR information as confidential within your business. That means:
- only the right people should access files (for example, HR or the business owner)
- you should have safe storage practices (password protection, locked cabinets, restricted admin access)
- you should be careful about what gets shared internally and why
There’s also a practical workplace angle: even if something is “confidential”, you still need to manage it fairly. Your processes should be consistent and reasonable, especially when dealing with disciplinary issues or performance management.
2) CCTV And Workplace Monitoring
CCTV footage can be personal information if it identifies people, so privacy law can apply.
But businesses often think of CCTV as a “confidential security tool”. The tricky part is that privacy obligations can still require you to be transparent about things like:
- where cameras are located
- why you have them (e.g. safety, theft prevention)
- how long footage is kept
- who can access it
If you’re thinking about workplace cameras or monitoring systems, it’s worth checking the practical legal boundaries around surveillance, including when and how it’s used. This often overlaps with employment obligations and workplace policies.
3) Customer Databases And Mailing Lists
Your customer database often includes personal information (privacy issue) and valuable commercial information (confidentiality issue).
You should treat it like both:
- Privacy: collect and use customer information fairly and transparently, with secure storage and appropriate access controls.
- Confidentiality: use contracts and internal policies to prevent staff, contractors, or partners from taking the list or using it for their own purposes.
4) Health Information
Health information is generally considered highly sensitive. If your business deals with any health-related details (even something like a customer allergy note for a catering business), you should treat it carefully.
Privacy law sets expectations around the handling of sensitive personal information, and confidentiality expectations are usually very high in practice.
5) Negotiations, Partnerships, And Collaborations
If you’re speaking with a potential investor, a joint venture partner, or even a supplier about a big opportunity, you may share financials, forecasts, business plans, customer insights, or operational processes.
This information may not be personal information (so privacy law might not be the main issue), but it’s often commercially sensitive. That’s where confidentiality steps matter most.
When a business relationship is being formalised, it’s also common to set expectations early about ownership and control (especially if you’re building something together). Depending on the arrangement, documents like a Shareholders Agreement or Company Constitution can help define who can access information, what must be kept confidential, and what happens if someone exits the business.
What Legal Documents And Policies Help You Manage Privacy And Confidentiality?
Most privacy and confidentiality problems don’t start with bad intentions. They start with unclear rules, missing documents, or “we’ll sort it later” thinking.
Putting the right paperwork in place makes expectations clear and gives you a practical framework to follow when decisions get tricky.
- Privacy Policy: explains what personal information you collect, why you collect it, how you use it, and how people can access or correct it. A properly drafted Privacy Policy is especially important if you operate online.
- Privacy Collection Notice: short notice used at the point of collection (for example, sign-up forms, booking forms, in-store forms).
- Data breach processes: internal steps for identifying, containing, and responding to suspected privacy breaches.
If you handle personal information in your business operations (which most businesses do), it’s also worth thinking about privacy as part of your customer-facing terms. For some businesses, this sits alongside their website terms or ecommerce terms.
- Confidentiality clauses in service agreements: important when you provide services, access client systems, or handle commercially sensitive business information.
- NDA: helpful before you disclose details during negotiations, pitches, or product development. An NDA can set clear rules about what must stay secret and what happens if there’s a breach.
- Employment agreements: confidentiality obligations for staff, including handling client lists, internal processes, and business strategy. Your Employment Contract is usually the key tool here.
- Contractor agreements: contractors often have access to high-value information (marketing accounts, customer data, code repositories), so you’ll want confidentiality and IP terms in writing.
Don’t Rely On Templates For This Stuff
Privacy and confidentiality documents can look “standard” at a glance, but the details matter.
For example:
- a Privacy Policy needs to match your actual data practices and tools
- a confidentiality clause should match what information is truly sensitive and what you’ll need to enforce later
- employment and contractor arrangements need to reflect real working relationships (and the risks that come with them)
If you’re not sure what you need, it’s often quicker (and cheaper long-term) to get it set up properly at the start than to scramble after a breach or dispute.
Key Takeaways
- Privacy is mainly about how you handle personal information under the Privacy Act 2020, including collecting, storing, using, and disclosing it appropriately.
- Confidentiality is mainly about keeping specific information secret because of a contract or relationship, and it can include both personal and non-personal business information.
- Many real-world situations involve both, such as employee files, customer databases, and CCTV footage.
- A tailored Privacy Policy helps you set clear rules around personal information and supports compliance when you collect data online or in-store.
- Strong confidentiality protections often come from contracts like an NDA, plus well-drafted workplace terms such as an Employment Contract.
- If you’re building a company with others, documents like a Shareholders Agreement and Company Constitution can help set expectations around access, control, and information rights.
If you’d like help putting the right privacy and confidentiality protections in place for your business, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.