New Zealand has traditionally had a good track record of keeping
things confidential, and overall the country's business ethics
rate 9.5 out of 10 in the corruption scale at www.transparency.org. As we
plunge further into the digital age, however, we're seeing
reports of breaches of privacy and confidentiality more often.
Recently we've seen WINZ, Immigration NZ, ACC and Novopay
hitting the headlines for the wrong reasons – essentially
inadvertently releasing people's sensitive information to
New Zealand has the Privacy Act 1993 to protect personal
information. The Privacy Act has a number of principles included
within it, which cover the collection, storage, use, distribution,
transfer and protection of a person's personal information
that's collected by either public or private organisations.
Failure to comply with the principles can result in fines and
damages being awarded against the organisation that's in
The Privacy Act, however, doesn't extend to company
information in the hands of another. As such, most companies when
entering into arrangements with other parties will require a
confidentiality clause to be inserted in their agreement or
contract. This has the effect of preventing either party from
disclosing the other's confidential information. There's no
Act of Parliament that the company is relying on, rather contract
law. If both parties have agreed to the confidentiality clause, its
terms can be enforced.
Once the clause has been included in the contract, if you're
receiving confidential information then it's up to you to put
reasonable and adequate protection in place to ensure this
information is protected. This could be storing physical copies of
documents within a locked filing cabinet or, if electronically
held, using a protected device or network, where only authorised
people have access. Access needs to be restricted to those who have
a need to know the information and are allowed, by the terms of the
contract, to know the information. Confidentiality agreements can
also be used when at the initial discussion phase of a
relationship, before any formal contract is in place.
In terms of protection within a business or organisation,
it's useful to have in place proper confidentiality protections
with staff; these could be a confidentiality clause in employment
agreements, and/or a robust privacy and information protection
policy. This will ensure that staff know what is expected of them
when handling sensitive information and the various processes that
should be followed. Information security audits are also useful to
test how the protection is actually working in practice.
So if despite all of this, the worst happens, and you suspect
that information that you hold has been leaked, what do you need to
do? The first step is to determine what information has been
leaked, to whom and how this has happened? Patching the source of
the leak should be the next priority, to prevent further
information loss. Then you need to consider what obligations are
owed to whom, whether that be under the Privacy Act or under a
confidentiality agreement (or both). If it's in breach of the
Privacy Act, notifying the Privacy Commissioner can be a good way
to minimise the negative reaction, rather than waiting for a
complaint to be made against you. In terms of confidentiality
agreements, the specific requirements will depend on what has been
agreed between the parties.
Overall, if you're collecting or holding sensitive
information, you'll have obligations to collect and deal with
it properly. It's good practice to ensure that your obligations
are being complied with and that your own confidential information
is secure, so that you or your organisation don't end up in the
headlines for the wrong reasons.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Anyone with standard form contracts who deals with small business must review the contracts for potential unfair terms.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).