Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
In a small business, your edge often comes down to what you know (and what only you know).
It might be a customer list you’ve built over years, a supplier pricing arrangement, a new product formula, a process that saves you hours each week, or a proposal you’re about to pitch to a major client.
All of that can be confidential - and protecting it properly can be the difference between growing confidently and dealing with messy disputes later.
The tricky part is that “confidential” isn’t just a label you stick on a document. In New Zealand, whether information is confidential (and what you can do about it if it’s misused) depends on what it is, how you treat it, and what agreements you have in place.
Below, we’ll break down what confidential information typically looks like in a NZ business, how to protect it from day one, and when it’s OK (or necessary) to share it.
What Counts As Confidential Information In A NZ Business?
Broadly, confidential information is information that:
- is not generally known to the public,
- has value to your business because it’s not public, and
- you treat as confidential (i.e. you take steps to keep it private).
There isn’t one single “confidential information” statute in New Zealand that neatly defines every situation. Instead, confidentiality is usually dealt with through a mix of:
- contracts (like NDAs, employment agreements, contractor agreements, commercial agreements),
- equitable duties (a general legal obligation not to misuse information shared in confidence), and
- privacy laws when the information is personal information (more on this below).
Common Examples Of Confidential Information
From a small business perspective, confidential information often includes:
- Customer information (customer lists, buying patterns, key contacts, pricing terms)
- Supplier information (supplier lists, wholesale pricing, rebates, credit arrangements)
- Commercial and financial information (cashflow forecasts, budgets, profit margins, pricing strategy)
- Business plans and strategy (marketing plans, product roadmap, expansion plans)
- Trade secrets and know-how (formulas, recipes, systems, internal processes)
- Intellectual property in progress (unreleased designs, prototypes, product specs, source code)
- Deal information (terms being negotiated, offers, proposed partnerships, acquisition discussions)
Some of these categories overlap with other legal areas like IP, privacy, and competition law. That’s why it’s worth getting the confidentiality basics right early - so your contracts and policies work together instead of leaving gaps.
Is “Commercially Sensitive” The Same As Confidential?
They’re closely related, but not identical. “Commercially sensitive” usually means the information could harm your business if it was disclosed (for example, your pricing model or a pending contract negotiation).
In practice, commercially sensitive information is often treated as confidential, and you’ll usually protect it the same way.
What About Personal Information?
If the information is about an identifiable person (like a customer, employee, patient, or client), it may be personal information. In that case, how you collect, store, use, and disclose it is also regulated by the Privacy Act 2020 and its Information Privacy Principles.
That’s where having a clear Privacy Policy and privacy processes matters - because even if you consider data “confidential”, you still need to handle it in line with your privacy obligations.
Why Confidential Information Matters (Even When You’re Small)
When you’re running a small business, it’s normal to be focused on sales, delivery, and cashflow. Confidentiality can feel like something only big corporates worry about.
But confidentiality issues often hit small businesses harder because:
- key knowledge is often concentrated in one or two people,
- your systems may not be locked down yet, and
- relationships (suppliers, customers, staff) are often close and informal.
Here are some real-world scenarios where confidentiality becomes a “right now” problem:
- You hire a contractor, they get access to your client list, and later they start offering those clients a competing service.
- You share a product concept with a potential partner, and they launch something similar before you do.
- You’re selling your business and need to provide financials to serious buyers, but you don’t want your competitors to get the details.
- An employee leaves and takes internal templates, processes, or pricing information to a new job.
Getting your confidential information protections in place doesn’t just reduce risk - it can also make your business easier to grow, easier to fund, and easier to sell.
How To Protect Confidential Information From Day One
Protecting confidential information works best when you combine practical controls with the right legal documents. If you only do one without the other, you often end up with weak protection (or protection that looks good on paper but is hard to enforce).
1. Identify What Information You Actually Need To Protect
Start with a simple internal list. What information would genuinely hurt your business if it got out?
For most small businesses, a good starting list is:
- customer lists and key contact details,
- pricing and margins,
- supplier terms,
- internal processes and templates,
- product/service development materials.
This sounds basic, but it helps you avoid a common mistake: trying to label everything as confidential. Overreaching can make it harder to enforce and harder for staff/contractors to know what they must protect.
2. Use Confidentiality Clauses In Your Key Working Relationships
In practice, your biggest confidentiality risks often come from people who legitimately need access to your information, such as employees, contractors, suppliers, and business partners.
That’s why confidentiality is commonly built into:
- employment contracts (for employees who’ll access customer info, pricing, internal processes, etc.)
- contractor agreements (especially where contractors access your systems, clients, or IP)
- service agreements and supply agreements
- shareholder/founder documentation where sensitive commercial info is shared internally
Confidentiality clauses usually cover things like:
- what information is confidential,
- how it can be used (typically only for the purpose of the relationship),
- how it must be stored and protected,
- when it can be disclosed,
- what happens on termination (return/delete information, continued confidentiality obligations).
If your business has multiple owners, it’s also smart to set clear rules around access and use of sensitive business information in a Shareholders Agreement, especially where one shareholder is operational and another is more passive.
3. Use An NDA When You’re Sharing Information Before A Deal Is Final
An NDA (non-disclosure agreement) is useful when you’re sharing confidential information outside your business before you have a full commercial agreement in place.
Common situations where an NDA makes sense include:
- talking to a potential investor,
- exploring a joint venture or collaboration,
- testing a new supplier or manufacturer relationship,
- discussing a potential acquisition or business sale,
- bringing in a contractor before their full services agreement is signed.
If you need a formal agreement, a tailored Non-Disclosure Agreement can help clarify what information is being shared and what the other party can (and can’t) do with it.
One practical tip: NDAs work best when you’re also disciplined about what you share. If you don’t need to disclose the secret sauce yet, don’t.
4. Lock Down Access Internally (Yes, This Helps Legally Too)
Confidentiality isn’t only about documents. If you don’t treat information as confidential in practice, it can be harder to argue later that it was truly confidential.
Some simple controls that help:
- limit access to key folders (only staff who need it),
- use strong passwords and multi-factor authentication,
- separate “admin” accounts from day-to-day accounts,
- have clear offboarding steps (remove access immediately when someone leaves),
- mark sensitive documents as “Confidential” where appropriate.
If you’re collecting customer or client data, those security steps also tie into your Privacy Act obligations - because you’re expected to take reasonable steps to keep personal information secure.
5. Don’t Forget About Your Documents And Governance
If you’re operating through a company, your internal governance documents can also support good confidentiality practices. For example, rules around who can access certain information and how decisions are made can be reinforced through a Company Constitution.
This is especially relevant if you’re planning to raise capital, bring in new shareholders, or scale quickly - because more people usually means more access points to your confidential information.
When Can You Share Confidential Information (And When Should You Not)?
Most businesses need to share confidential information at some point. The goal isn’t to keep everything locked away forever - it’s to share it in a controlled way that protects your business.
When Sharing Is Usually OK
It’s often reasonable to share confidential information where:
- it’s necessary to deliver your services (e.g. giving a contractor access to data to complete the job),
- it’s required for a legitimate business purpose (e.g. due diligence in a business sale),
- the recipient is bound by confidentiality obligations (contractually or through their professional duties),
- you’ve limited the scope (only what they need, for a specific purpose), and
- you’ve considered privacy rules (if personal information is involved).
Common High-Risk Situations Where You Should Slow Down
Some scenarios deserve extra caution because they create the highest “leak” risk:
- Sharing with a competitor (even if they’re also a potential partner)
- Sharing before a contract is signed (verbal agreements are risky and hard to prove)
- Sharing sensitive information in pitch decks without clear boundaries on use
- Sharing customer data without checking whether you have the right to disclose it under the Privacy Act
- Sharing inside a group of companies (people assume it’s “internal”, but legally it can still be a disclosure)
If you’re unsure, it’s often better to share in stages. Start with high-level information, then share deeper details once the relationship and paperwork are in place.
Can You Share Confidential Information With Your Accountant, Lawyer, Or Adviser?
Often, yes - and many advisers have professional obligations to keep information confidential.
But you should still:
- confirm their engagement terms cover confidentiality,
- only share what’s necessary, and
- be extra careful if the information includes personal information (because privacy rules may apply).
This comes up a lot when small businesses are raising capital or selling, where financials and customer details might need to be reviewed carefully before being shared widely.
Confidentiality Vs Privacy: What’s The Difference For Business Owners?
This is an area where small businesses can accidentally get it wrong, even with the best intentions.
Confidentiality is about keeping sensitive information secret and restricting its use or disclosure.
Privacy is about personal information - information about identifiable individuals - and your obligations under the Privacy Act 2020 (including how you collect, store, use, and disclose it).
Why This Matters In Practice
You might treat your customer database as “confidential”, but that doesn’t automatically mean you’re allowed to share it with a third party. If it contains personal information, you generally need to disclose it in line with the Privacy Act’s Information Privacy Principles (for example, ensuring the disclosure is connected to the purpose it was collected for, or another permitted reason).
This is why having the right privacy settings, contracts, and public-facing documents matters. A well-drafted Privacy Policy is a good start, but you also need the behind-the-scenes processes to match what your policy says.
What About Confidential Employee Information?
Employee information (like payroll details, performance issues, medical information) is typically both confidential and personal information. That means you should manage it carefully and restrict access internally.
If you’re dealing with health-related information, be especially cautious - it’s often treated as sensitive information and should be handled with extra care.
What If Someone Misuses Your Confidential Information?
If confidential information has been misused, it can feel personal - but the best response is a calm, practical one.
Your options depend on the facts, including what was taken, who has it, what agreements exist, and what harm is occurring (or likely to occur).
Step 1: Gather Evidence And Contain The Issue
Before you fire off angry emails, take a moment to:
- identify exactly what information was misused,
- work out how it was accessed,
- preserve documents and records (emails, access logs, messages),
- remove or limit access if the person still has access to systems.
Often, early containment reduces damage significantly.
Step 2: Check Your Contracts
Your next question is usually: “Do we have anything in writing?”
This could include:
- an employment agreement or contractor agreement with confidentiality clauses,
- an NDA signed during negotiations,
- a services agreement, supply agreement, or other commercial contract.
If your agreement is clear and tailored, it’s much easier to enforce. If it’s vague or based on a generic template, you might still have rights - but enforcement can get harder and more expensive.
Step 3: Consider Your Legal Remedies
Depending on the situation, remedies may include:
- requesting the return or deletion of the information,
- formal letters of demand requiring them to stop using or disclosing the information,
- injunctions (court orders to prevent use/disclosure),
- claims for loss if the misuse caused measurable damage.
If personal information is involved and there’s been unauthorised access or disclosure, you may also need to consider whether this is a notifiable privacy breach under the Privacy Act 2020 (including whether you need to notify the Office of the Privacy Commissioner and affected individuals).
Because the “right” response depends heavily on context, it’s usually worth getting tailored advice early - especially if the disclosure is ongoing or time-sensitive.
Key Takeaways
- Confidential information is generally information that’s not public, has value to your business, and is treated as confidential in practice.
- Common examples include customer lists, pricing, supplier terms, internal processes, financials, and product development materials.
- The strongest protection comes from combining good operational controls (limited access, security, offboarding) with well-drafted legal documents (confidentiality clauses, NDAs, and tailored contracts).
- If the information includes personal information, you also need to comply with the Privacy Act 2020 and its Information Privacy Principles - “confidential” doesn’t automatically mean you can share it.
- You can often share confidential information for legitimate business purposes, but it’s safest to do it in stages and under clear confidentiality obligations.
- If confidential information is misused, act early: contain the issue, preserve evidence, check your contracts, and get legal advice on next steps.
If you’d like help protecting confidential information in your business (including NDAs, contractor agreements, employment contracts, or privacy documents), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


