
If your business collects and uses personal information, then you should have a privacy policy. It tells your customers that you deal with this kind of information and explains how this affects their privacy. According to New Zealand privacy law, you need to let your customers know when you handle their personal information. A privacy policy can help you do that. Depending on the nature of your business, the personal information you collect may be sensitive. This means you need to take extra precautions when securing this information, which you should inform your customers about in your privacy policy. This article goes through four tips for drafting a sensitive information clause for your New Zealand privacy policy.

Privacy Law and Sensitive Information

The Privacy Act, New Zealand’s law regulating privacy protection, mandates that every organisation or business (which the Act calls ‘agencies’) that collects personal information must comply with the rules. Personal information is any information that can identify a person, such as:

  • names;
  • addresses;
  • financial information;
  • mobile numbers; or 
  • images.

Other countries implement special rules for high-risk personal information, which they call sensitive information. This is information that, if leaked, could be harmful to people or the organisation. Both Australia and the European Union (EU) do this, with sensitive information including:

  • racial or ethnic origin;
  • political opinions;
  • sexual orientation;
  • criminal records;
  • trade union or other professional membership;
  • health information; or 
  • biometric information.

New Zealand law does not make this distinction in most cases. You need to observe the same rules for all personal information and protect it according to the law.

However, you do need to take the sensitivity of personal information into account when:

  • determining appropriate security safeguards; and
  • deciding whether to report a data breach.

According to the Privacy Act, you need to provide reasonable safeguards for the personal information you store according to its sensitivity. You also need to report privacy breaches likely to cause serious harm to the Privacy Commission, and the potential harm will depend on the sensitivity of the information lost.

For example, financial information counts as sensitive information. Therefore, you may need more digital safeguards for your customers’ credit card details than you would for their email addresses.

Drafting a Sensitive Information Clause for Your Privacy Policy

If you deal with this kind of sensitive information, you should include a sensitive information clause in your privacy policy. A sensitive information clause tells your customers exactly how you protect their personal information and reassures them you will do so appropriately according to the law. Below are some tips to help you when drafting.

1. Identify the Sensitive Information You Collect

Your clause should clearly define what sensitive information you collect from your customers and how you do so. Under privacy law, your customers need to know when you collect their personal information and their rights in that process. If you deal with confidential information, it may be helpful to identify when you collect it and what you use it for in your privacy policy.

Tip: Whenever you collect any sensitive information, provide a link to your privacy policy for easy access.

2. Provide Reassurances Around Security Measures

Your privacy policy is a collection of promises to your customers and other individuals around how you deal with their personal information. This is especially important when it comes to how you secure and protect that personal information. According to the Privacy Act, you need to implement safeguards that are reasonable according to the personal information you hold, to prevent its:

  • loss;
  • misuse; or
  • unauthorised disclosure.

In your sensitive information clause, you should provide reassurances that you have adequate security measures in place that are proportionate to the sensitivity of the personal information you hold.

Your customers trust you when they give you their sensitive information, so you should not betray that trust. Otherwise, you could face both legal and reputational penalties.

3. Be Clear About Disclosure

You should not disclose any sensitive personal information you hold unless:

  • that was the reason you collected it;
  • the law requires it;
  • you have the consent of the relevant individual;
  • it is necessary for court proceedings; or
  • you disclose it in a way that does not identify who it is about.

If you need to disclose sensitive information, you should detail the circumstances around that disclosure in your sensitive information clause. You also need to include who you may share their information with.

For example, personal health information is sensitive information. However, you may share this information when discussing an individual’s treatment with other health practitioners. The law expects this in regular procedure, but you should still tell individuals in your sensitive information clause that this disclosure will occur. 

4. Look Into Other Laws that May Apply

Besides New Zealand privacy law, other laws may apply to the personal information your business holds. Personal health information has some additional rules about how you should handle it. Health information is sensitive information, so this will likely affect your security practices.

Additionally, the General Data Protection Regulation (GDPR), the EU’s data privacy law, may also apply to you if you sell goods and services to EU residents. The GDPR does distinguish between sensitive information and personal information. Therefore, you may need additional content in your sensitive information clause.

Key Takeaways

New Zealand privacy law does not distinguish between sensitive and personal information as other countries do. However, it may still be helpful to include a sensitive information clause in your privacy policy to reassure your customers about how you handle their sensitive information. If you would like more information or help drafting a sensitive information clause for your privacy policy, contact LegalVision’s privacy lawyers on 0800 005 570.

Frequently Asked Questions

What is personal information?

Personal information in New Zealand is any information about an identifiable individual. This means that if you use this information, you can identify a person, whether this is on its own or in combination with other information.

What is sensitive information?

New Zealand does not have a specific legal definition for sensitive information like other countries do. However, you do need to treat sensitive information more carefully if you hold it. Sensitive information may include financial details, health information, or confidential information.
