
If your business deals with personal information, you are responsible for protecting that personal information in line with your obligations under privacy law. If you fail to do this adequately, you can run into both reputational losses and financial penalties. However, it can be difficult to determine what level of protection your personal information needs. Some kinds of identifying information will be more critical than others, so you may need more intensive security measures and protections. The New Zealand Privacy Act does not generally have specific requirements for handling sensitive information outside of a couple of situations. However, you still need to protect it appropriately. Therefore, for some guidance, this article will explain how New Zealand privacy law protects sensitive information.

What Is Sensitive Information?

The Privacy Act protects personal information. This kind of information is anything that can identify a person, whether it is by itself or with another piece of data. It cannot be about companies/organisations or non-living individuals. Examples of this kind of data can include:

  • names;
  • physical addresses;
  • financial details, such as credit card numbers;
  • photographs;
  • email addresses; and
  • phone numbers.

This definition is very broad and can include a variety of different kinds of information. It aims to allow for unexpected privacy breaches, given how fast information can spread due to technology.

However, New Zealand law does not have a special definition for sensitive information. Other countries with similar privacy laws do have special legal protections for information of this nature. For example, Australian law includes the following as sensitive information:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • sexual orientation or practices;
  • criminal records;
  • health information;
  • genetic information; and
  • biometric information.

Organisations that handle these kinds of sensitive information have special restrictions in Australia.

Does New Zealand Have Extra Protections for Sensitive Information?

New Zealand privacy law protects this kind of sensitive information as well (except for opinions), as long as it comes under the umbrella of “personal information”. Even so, it does not include extra obligations like Australian law might.

Nonetheless, that does not mean that there are not instances where you need to take the sensitivity of the personal information you hold into account. If the Privacy Commissioner is making a decision about how you handled a privacy breach or evaluating your security measures, then information sensitivity will certainly factor into their decision. Therefore, it needs to factor into yours as well.

Protecting Sensitive Information

Under the Privacy Act, you need to protect the personal information your business holds against:

  • loss;
  • unauthorised access, modification, disclosure, or use; and
  • any other kinds of misuse.

The security protections you implement need to be reasonable in the circumstances. Determining this reasonableness relies on various factors, one of which is information sensitivity.

For example, you would restrict access to clients’ financial accounts to only those who need them. However, clients’ names may not need the same restrictions. Naturally, this depends on the kind of business you run.

Privacy Breach Assessment

Another area where sensitive information is important is when you are dealing with a privacy breach. If you are the unfortunate victim of a breach, you need to determine the exact harm that breach could cause. One of the indicators of this is the sensitivity of the information lost. The more sensitive the information lost, the greater the risk of harm to the individual concerned.

If a privacy breach involves this information, then you may need to notify both the:

  • people it concerns; and
  • privacy commission.

As an agency that holds personal information, the law requires that you notify the privacy commission if a breach is likely to cause significant harm.

Other Kinds of Personal Information

Additionally, certain kinds of information require extra protections because of the sensitivity of their content. These are usually industry-specific and will have additional regulations particular to that nature.

One of these examples is personal health information. Any information about a person’s health, such as diagnoses or conversations with doctors, is likely to be highly sensitive and private. Therefore, there are extra regulations for health information, which the law sets out in the Health Information Privacy Code. If your business deals with personal health information, you need to do so according to this code. It is very similar to the general rules around personal information in the Privacy Act, but there are a few differences.

If the health information your business wants to use or collect is particularly sensitive or personal, then you may need to give a more detailed explanation as to why you want that information. You need to justify this added intrusion into a client’s privacy if the information is of a sensitive nature.

Key Takeaways

The Privacy Act does not protect sensitive information as a separate category, as other countries’ privacy laws may do. However, this does not mean that you should not take sensitive information into account when fulfilling your privacy law obligations. If you would like more information or help with sensitive information at your business, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is any information that you can use to identify a living individual. Examples include names or images of that individual.

What is sensitive information?

When relating to privacy law, sensitive information is high-risk private information of a personal nature. Exact definitions vary according to the situation you use it in. Sensitive data may include confidential information, such as financial details.
