New Zealand has traditionally had a good track record of keeping things confidential, and overall the country's business ethics rate 9.5 out of 10 in the corruption scale at www.transparency.org. As we plunge further into the digital age, however, we're seeing reports of breaches of privacy and confidentiality more often. Recently we've seen WINZ, Immigration NZ, ACC and Novopay hitting the headlines for the wrong reasons – essentially inadvertently releasing people's sensitive information to others.
New Zealand has the Privacy Act 1993 to protect personal information. The Privacy Act has a number of principles included within it, which cover the collection, storage, use, distribution, transfer and protection of a person's personal information that's collected by either public or private organisations. Failure to comply with the principles can result in fines and damages being awarded against the organisation that's in breach.
The Privacy Act, however, doesn't extend to company information in the hands of another. As such, most companies when entering into arrangements with other parties will require a confidentiality clause to be inserted in their agreement or contract. This has the effect of preventing either party from disclosing the other's confidential information. There's no Act of Parliament that the company is relying on, rather contract law. If both parties have agreed to the confidentiality clause, its terms can be enforced.
Once the clause has been included in the contract, if you're receiving confidential information then it's up to you to put reasonable and adequate protection in place to ensure this information is protected. This could be storing physical copies of documents within a locked filing cabinet or, if electronically held, using a protected device or network, where only authorised people have access. Access needs to be restricted to those who have a need to know the information and are allowed, by the terms of the contract, to know the information. Confidentiality agreements can also be used when at the initial discussion phase of a relationship, before any formal contract is in place.
In terms of protection within a business or organisation, it's useful to have in place proper confidentiality protections with staff; these could be a confidentiality clause in employment agreements, and/or a robust privacy and information protection policy. This will ensure that staff know what is expected of them when handling sensitive information and the various processes that should be followed. Information security audits are also useful to test how the protection is actually working in practice.
So if despite all of this, the worst happens, and you suspect that information that you hold has been leaked, what do you need to do? The first step is to determine what information has been leaked, to whom and how this has happened? Patching the source of the leak should be the next priority, to prevent further information loss. Then you need to consider what obligations are owed to whom, whether that be under the Privacy Act or under a confidentiality agreement (or both). If it's in breach of the Privacy Act, notifying the Privacy Commissioner can be a good way to minimise the negative reaction, rather than waiting for a complaint to be made against you. In terms of confidentiality agreements, the specific requirements will depend on what has been agreed between the parties.
Overall, if you're collecting or holding sensitive information, you'll have obligations to collect and deal with it properly. It's good practice to ensure that your obligations are being complied with and that your own confidential information is secure, so that you or your organisation don't end up in the headlines for the wrong reasons.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.