Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles client information, you’re dealing with client confidentiality every day - even if you don’t call it that. It can be as simple as storing a customer’s contact details, taking payment, receiving a brief from a client, or running a support inbox where private issues get discussed.
For small businesses, confidentiality isn’t just about “being discreet”. It’s about protecting trust, complying with New Zealand privacy and consumer laws, and reducing the risk of costly disputes if information is misused or leaked.
In this guide, we’ll break down what client confidentiality means in NZ, what the key legal obligations are, and the practical steps you can put in place (from day one) to keep your business protected.
What Is Client Confidentiality (And Why Does It Matter For Small Businesses)?
Client confidentiality generally means information a client shares with your business (or information you learn about them through providing services) should be kept private, used responsibly, and only shared where there’s a lawful basis to do so.
In practice, it usually covers:
- Personal information (names, addresses, emails, phone numbers, date of birth)
- Financial information (bank details, invoices, payment records)
- Commercial information (pricing, product plans, sales data, supplier arrangements)
- Sensitive information (health details, family situations, identity documents)
- Access credentials (logins, API keys, admin access, account permissions)
Even if you’re not in a traditionally “confidential” profession (like legal or medical services), you still need to treat a lot of client data as confidential.
And from a business perspective, confidentiality matters because:
- Trust is your currency. A privacy slip can lose you clients fast, especially in service-based businesses.
- Legal compliance isn’t optional. NZ’s Privacy Act 2020 sets clear expectations for how you handle personal information.
- It’s a risk-management issue. A breach can trigger complaints, investigations, loss of contracts, and reputational damage.
- Your contracts might require it. Many client agreements include confidentiality clauses that you must comply with.
Where Do Your Confidentiality Obligations Come From In New Zealand?
In New Zealand, confidentiality obligations can come from a few overlapping places. Most businesses will be dealing with more than one of these at the same time.
1) Privacy Act 2020 (Personal Information)
If you collect, store, use, or disclose personal information, you’ll usually have obligations under the Privacy Act 2020. This is a big one for client confidentiality because it’s not limited to “sensitive” industries - it applies broadly to businesses and organisations (with limited exceptions).
At a high level, privacy law expects you to:
- Collect personal information for a legitimate purpose
- Only collect what you actually need
- Tell people why you’re collecting it (and who might receive it)
- Store it securely and limit access
- Use it only for the purpose you collected it for (unless another lawful basis applies)
- Allow people to request access to (and correction of) their personal information
If you collect personal information through your website or systems, a properly drafted Privacy Policy is usually a key part of your legal foundations.
2) Confidentiality In Your Contracts
A lot of client confidentiality is contractual. This might be:
- a confidentiality clause in your client terms
- a standalone NDA you sign before receiving information
- a services agreement that sets strict rules about confidentiality
When confidentiality is contractual, it’s not just about “best practice” - it becomes an enforceable promise. If you breach it, you could be exposed to claims for losses, termination of the contract, or (in serious cases) urgent court action.
In many service businesses, confidentiality obligations sit inside a broader Service Agreement, which also covers scope, fees, timelines, IP ownership, and liability.
3) Industry Rules And Professional Duties
Some industries have extra confidentiality requirements (for example, health providers, counsellors, financial services, education providers, and others). These may come from:
- professional bodies or codes of ethics
- sector regulations
- contractual requirements set by funders or agencies
If you’re in a regulated space, you’ll want to be especially careful to align your privacy documents, processes, and contracts with those extra duties.
4) Common Law And “Confidential Information” Principles
Even without a written contract, NZ law can protect certain kinds of confidential information where it has the “quality of confidence” and has been shared in circumstances that imply it should be kept confidential.
That said, relying on implied duties is risky. From a small business point of view, it’s usually far safer to have confidentiality clearly written into your client-facing terms and contractor agreements.
How The Privacy Act 2020 Shapes Client Confidentiality (In Plain English)
If “client confidentiality” is the principle, the Privacy Act 2020 is often the rulebook - at least when the information is personal information.
Here are some practical Privacy Act concepts that often come up for small businesses.
“Personal Information” Is Broad
Personal information is information about an identifiable individual. That doesn’t just mean passports or medical notes.
It can include:
- an email address that identifies a person
- customer notes in your CRM
- a recorded phone call where someone states their name and issue
- a photo of a client
- IP addresses or device identifiers (depending on context)
If your business collects “just the basics”, you’re still likely handling personal information.
You Need A Clear Reason To Collect And Use It
A simple way to think about this is: don’t collect data “just in case”. Collect what you need to provide your services, run your business, and meet legal obligations.
Then, make sure you use that data consistently with the reason you collected it for. If you want to use it for something else (like marketing), you may need to clearly tell clients and give them appropriate choices (for example, opt-outs).
You Must Protect It With Reasonable Security
Client confidentiality isn’t only about who you choose to tell - it’s also about whether your systems are secure enough to prevent accidental access, loss, or leaks.
Reasonable security steps for many small businesses include:
- multi-factor authentication on email and key tools
- strong password practices (including password managers)
- locking down admin permissions (only give access to those who need it)
- encryption on devices (especially laptops used outside the office)
- a process for staff offboarding (removing access promptly)
- secure disposal of paper records
Data Breaches Can Trigger Notification Obligations
Privacy breaches happen - especially for small businesses with limited IT support. Under the Privacy Act, you only need to notify affected individuals and the Privacy Commissioner if the breach is a notifiable privacy breach (which broadly means it has caused, or is likely to cause, serious harm to affected individuals).
This is one reason it’s smart to have a plan in place before anything goes wrong (who investigates, who contacts clients, what you say, and what steps you take to prevent it happening again).
Common Client Confidentiality Risks For Small Businesses (And How To Prevent Them)
Confidentiality issues don’t always come from bad intentions. In many businesses, they come from fast growth, messy systems, or unclear responsibilities.
Here are some of the most common client confidentiality risk points we see for SMEs.
Email, Messaging, And Accidental Disclosure
Common examples include:
- CC’ing instead of BCC’ing a client mailing list
- sending an invoice to the wrong person
- forwarding an email chain that includes private details
- sharing screenshots that include a client’s name or data
How to reduce the risk: create a simple internal checklist for client communications, limit who sends bulk emails, and train staff on what counts as confidential information.
Using Contractors Without Clear Confidentiality Terms
If you outsource marketing, admin, software development, bookkeeping, customer service, or design, your contractors may be handling client information on your behalf.
If you don’t have a proper agreement in place, you can end up with:
- unclear ownership of client data and work product
- no clear restrictions on what they can do with client information
- weak enforcement options if something goes wrong
How to reduce the risk: use a tailored Contractor Agreement that includes confidentiality obligations, privacy handling expectations, and clear return/deletion requirements when the engagement ends.
Storing Client Data In Too Many Places
Many small businesses accidentally create “data sprawl”:
- client details in email inboxes
- files in cloud drives
- notes in a CRM
- invoices in accounting tools
- messages in social media DMs
The more places data lives, the harder it is to keep secure - and the harder it is to respond properly to access requests or breaches.
How to reduce the risk: choose a primary system of record, document where data is stored, and set retention/deletion rules (even simple ones).
Marketing And Testimonials Without Proper Consent
Small businesses love testimonials and case studies - and they’re powerful marketing tools. But if you publish identifying client information without permission, you can run into privacy complaints or contractual issues.
How to reduce the risk: get clear written consent (especially where a client can be identified), and check whether your contract restricts publicity or use of client names/logos.
What Should You Put In Your Agreements And Policies To Protect Client Confidentiality?
One of the best ways to manage client confidentiality is to build it into your legal documents and internal processes from the start. This helps set expectations with clients, staff, and contractors - and gives you enforcement options if something goes wrong.
Confidentiality Clauses In Client Terms Or Service Agreements
For most service-based businesses, confidentiality is best handled directly in your client agreement (rather than relying on informal understandings).
Well-drafted confidentiality terms often cover:
- What counts as confidential information (and what’s excluded, like publicly available information)
- How it can be used (only to provide the services, not for unrelated purposes)
- Who it can be disclosed to (staff, contractors, professional advisers, and only where necessary)
- Security and storage expectations
- Return or destruction of confidential information when the relationship ends
- Timeframes (how long confidentiality obligations continue)
Depending on your business model, you might also want to align this with your standard Business Terms so confidentiality works seamlessly alongside payment terms, limitations of liability, and dispute resolution.
Privacy Documents That Match What You Actually Do
Many privacy documents fail because they’re copied from a template and don’t reflect reality. That’s risky - because if your practices don’t match what you tell customers, you can end up exposed to regulatory complaints and reputational damage.
A good Privacy Policy typically explains:
- what personal information you collect
- why you collect it and how you use it
- who you may disclose it to (including overseas providers)
- how you store and protect it
- how clients can request access/correction
- how complaints are handled
If you’re an online business, your website terms can also play a role in setting expectations around your platform use, customer accounts, and content. For many businesses, Website Terms and Conditions are part of the overall “confidentiality and trust” picture.
Employment And Contractor Documentation
If you have employees, confidentiality should be clearly addressed in your employment documentation and internal policies.
In many businesses, the first line of protection is a well-drafted Employment Contract that covers confidentiality, privacy expectations, and post-employment obligations (where appropriate).
You’ll also want internal guidance on day-to-day handling of client information (for example, whether staff can use personal devices, how files should be named, or rules about discussing client matters in public places).
NDAs For Early Discussions (Where Needed)
Sometimes you’ll need to discuss confidential information before you’ve signed a full service agreement - for example, during a proposal stage, a tender, a collaboration pitch, or an outsourced project scoping phase.
This is where an NDA can help. The goal isn’t to “paper over” risk - it’s to set clear rules at the point confidential information is first shared.
Just keep in mind: an NDA only helps if it’s actually fit for purpose (mutual vs one-way, correct parties, realistic scope, enforceable terms). This is a classic area where tailored legal drafting can save you headaches later.
When Can You Share Client Information? (Exceptions, Permissions, And Practical Scenarios)
A common question for small businesses is whether client confidentiality means you can never share client information. In reality, there are legitimate situations where sharing is allowed - but it needs to be handled carefully.
Common examples include:
- With the client’s consent (for example, they ask you to share information with their accountant or family member)
- With service providers and contractors where it’s necessary to deliver your services (and they’re bound by confidentiality/privacy obligations)
- To comply with the law (for example, where disclosure is required by a court order, statutory requirement, or other lawful authority - and you’ve checked it applies)
- For billing and administration (sharing limited information with payment processors or accounting providers)
Here’s the practical business-owner test: if you’d feel uncomfortable explaining the disclosure to the client, pause and check the legal basis first.
Also, if you’re ever in doubt, it’s worth getting legal advice before you disclose - because once private information is shared, you usually can’t undo the damage.
Key Takeaways
- Client confidentiality is a practical and legal issue for most NZ businesses, not just “confidential professions”, because many businesses handle personal and commercially sensitive information.
- Your confidentiality obligations often come from a combination of the Privacy Act 2020, your contracts, and (in some industries) additional professional or regulatory rules.
- Privacy compliance isn’t only about policies - it’s also about reasonable security, good internal processes, and limiting access to client data.
- Common confidentiality risks for small businesses include accidental email disclosures, managing contractors without clear terms, storing data in too many places, and using testimonials or case studies without consent.
- Strong legal foundations usually include a tailored Privacy Policy, clear client terms or a Service Agreement, and confidentiality obligations in your Employment Contract and contractor documentation.
- If you’re unsure whether you can disclose client information in a specific situation, it’s safer to get advice early - confidentiality issues can escalate quickly once information has been shared.
This article is general information only and does not constitute legal advice. If you need advice about your specific situation, it’s best to speak with a lawyer.
If you’d like help setting up the right confidentiality and privacy protections for your business - including contracts and privacy documents that reflect how you actually operate - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


