How New Zealand Businesses Should Address Sensitive Information in a Privacy Policy

If your business collects health details, identity documents, criminal history, biometric data, or other high-risk personal information, a generic privacy policy will not do the job. A common mistake is treating all personal information the same, even though sensitive information creates higher trust, compliance, and reputational risks. Another is collecting more than you need, then failing to clearly explain why you need it, who sees it, and how long you keep it. A third is copying wording from an overseas template that does not fit New Zealand law or the way your business actually operates.

For New Zealand startups and SMEs, this issue often comes up before you launch online, before you onboard staff or contractors, or before you sign with a software provider that stores customer records. The main question is not just whether you need a privacy policy. It is whether your privacy policy accurately explains your handling of sensitive information in a way that matches the Privacy Act 2020 and your real business practices.

This guide explains what sensitive information means in practice, when your policy needs to deal with it, and the practical steps that help you avoid the mistakes founders make most often.

Overview

New Zealand businesses should address sensitive information in a privacy policy with extra clarity, specificity, and care. If you collect information that could cause serious harm or embarrassment if misused, your policy should explain exactly what you collect, why you collect it, how you store it, who you share it with, and what rights people have.

The policy also needs to match your actual systems, forms, contracts, and internal processes. If your business says one thing in its privacy policy but your staff or software do something else, that gap creates risk.

  • Identify whether you collect sensitive or high-risk personal information, even if New Zealand law does not use that exact label in every context.
  • Explain the purpose for collection in clear business terms, not vague wording copied from a template.
  • State when collection is optional, when it is required, and what happens if a person does not provide it.
  • Describe storage, access controls, retention periods, and security practices in a realistic way.
  • Disclose third party service providers, overseas storage or access, and any related cross-border privacy issues.
  • Make sure your website forms, onboarding documents, employment contracts, and customer terms align with the policy.
  • Review whether consent, authority, or another lawful basis is appropriate for the way you collect and use the information.
  • Have a process for access requests, correction requests, and privacy breach response.

What Sensitive Information Means for a New Zealand Business’s Privacy Policy

Sensitive information is personal information that carries a higher level of risk if mishandled. New Zealand’s Privacy Act 2020 does not create a single standalone category called “sensitive information” in the same way some overseas laws do, but in practice some kinds of personal information clearly need more careful treatment than others.

For a business owner, the practical point is simple. The more private, intrusive, or potentially harmful the information is, the more specific your privacy policy and data handling practices should be.

What kinds of information are usually treated as sensitive?

Many businesses collect high-risk data without initially realising it. That often happens when a founder adds an application form, a booking questionnaire, or an identity check process before spending money on setup, then forgets that the form asks for more than basic contact details.

Sensitive or higher-risk information can include:

  • health and medical information
  • disability information or accessibility needs
  • ethnicity or cultural background where collected
  • religious or philosophical beliefs
  • sexual orientation or intimate personal details
  • criminal convictions or police vetting information
  • government identifiers, such as passport or driver licence details
  • financial account details or credit-related information
  • biometric data, such as facial recognition or fingerprints
  • children’s personal information
  • location tracking data where it reveals patterns about a person’s life or movements

Not every item on that list will be relevant to every business. A physiotherapy clinic, recruitment business, childcare provider, e-commerce platform with identity checks, and software company using facial recognition all face different risks. Your privacy policy should reflect your actual data use, not a general list that sounds impressive but tells readers nothing useful.

Why your privacy policy needs extra detail

A privacy policy is a transparency document. It tells customers, users, workers, contractors, and other individuals what happens to their information. When the information is sensitive, broad statements like “we may collect personal information to improve our services” are usually too thin.

Your policy should answer questions a real person would ask, such as:

  • Why do you need this information at all?
  • Is collection mandatory or optional?
  • Will a person be refused service or employment if they do not provide it?
  • Who inside the business can see it?
  • Is it stored in New Zealand or overseas?
  • How long do you keep it?
  • Will you use it for profiling, screening, or automated decision-making?
  • Can the person ask for access or correction?

This matters legally and commercially. Under the Privacy Act 2020, agencies in New Zealand generally need to be open about the collection, use, storage, and disclosure of personal information. The more intrusive the information is, the more likely poor communication will look unfair, unexpected, or misleading.

Privacy policy wording is not enough on its own

Your privacy policy cannot fix a bad data practice. If you collect excessive health information for a low-risk service, or store passport copies in an unsecured shared drive, the problem is not just your drafting.

This is where founders often get caught. They focus on getting a website policy live before launch, but the real compliance work sits underneath it:

  • what your forms ask for
  • what your staff are trained to collect
  • what your software vendors can access
  • what your contracts say about confidentiality and data handling
  • what happens when someone asks to see or correct their information

When This Issue Comes Up

This issue comes up as soon as your business collects personal information that goes beyond ordinary contact or transaction details. For many startups and SMEs, that happens earlier than expected.

Customer onboarding and bookings

Health, wellbeing, education, childcare, financial services, and specialist professional services often ask customers to complete intake forms. These forms may collect medical background, support needs, identity documents, or other information that needs special care.

If your website lets customers upload files or answer detailed questions before you provide a quote or booking, your privacy policy should explain that clearly before the information is submitted.

Employment and recruitment

Businesses often collect sensitive information from job applicants and workers, especially where roles involve background checks, work eligibility, health disclosures, referees, or police vetting. If you are hiring as part of your growth plans, your privacy policy may need to work alongside recruitment notices, employment contracts, and workplace policies.

This is especially relevant before you sign with a recruiter, HR software platform, or payroll provider that will process applicant or employee information on your behalf.

Identity verification and fraud prevention

Online businesses, marketplaces, fintech operators, and some service providers ask for copies of passports, driver licences, or selfies to verify identity. That can be commercially sensible, but it increases risk immediately.

Where this process exists, your privacy policy should cover:

  • why identity checks are required
  • what documents are collected
  • whether a third party verification provider is used
  • how long identity records are kept
  • whether images or data are used for future verification or fraud prevention

Health, disability, and support services

Businesses in healthcare, fitness, insurance-adjacent services, wellness, disability support, and aged care may collect some of the most sensitive data held by SMEs. A short generic privacy statement is rarely enough in these settings.

Even if you are a small provider, your customers will expect clear answers about privacy. If you collect notes about treatment, mobility, diagnoses, medications, or support requirements, you should explain your practices plainly and carefully.

Apps, platforms, and software products

Tech businesses sometimes assume privacy compliance can wait until later. That is risky if your product captures location data, user-generated content, photos, messages, behavioural analytics, or information about minors.

Before you launch online, check whether the product itself prompts users to share sensitive information, even informally. A chatbot, health tracker, community platform, or booking app can collect high-risk information without having a field labelled “sensitive information”.

Business sales, investment, and due diligence

Sensitive information also becomes an issue before you sign a deal. If you are raising capital, selling the business, or entering a major supply or software contract, another party may ask what personal information the business holds and how it is managed.

A weak privacy policy can raise broader concerns about governance, contracts, security, and regulatory compliance. Investors and buyers often look for consistency between your public policy, your internal processes, and your supplier agreements.

Practical Steps And Common Mistakes

The best approach is to draft your privacy policy from your actual data flows, not from a generic template. Start with what your business really collects, where it goes, and why you need it.

1. Map the sensitive information you collect

You need a clear internal picture before you can explain anything publicly. Many SMEs skip this step and end up with a privacy policy that is vague because nobody has documented the real process.

Map out:

  • what information you collect
  • where you collect it, such as website forms, phone calls, in-person onboarding, apps, contracts, or third-party referrals
  • why you collect it
  • who receives it internally
  • which service providers store or process it
  • whether any information is accessed or stored overseas
  • how long it is retained
  • how it is deleted or de-identified

This exercise often reveals unnecessary collection. If a field is not needed for your service, compliance process, or contractual obligation, remove it.

2. Explain purpose with enough detail

Your privacy policy should say why you collect sensitive information in terms a customer or applicant can understand. Avoid broad statements that make it sound like you can use the information for any purpose you like.

Better examples include:

  • to assess whether a service is suitable or safe for the customer
  • to verify identity and reduce fraud risk
  • to comply with legal obligations or industry requirements
  • to process an application for employment or engagement
  • to provide adjustments or support requested by the individual

Specificity matters because people are more likely to trust collection when the reason is concrete and proportionate.

3. Be honest about optional and mandatory fields

People should be able to tell whether they must provide the information. If some information is optional, say so. If the information is required to deliver the service, complete verification, or consider an application, explain that too.

A common mistake is silently making sensitive questions compulsory in a form, while the privacy policy says nothing about the consequences of not answering.

4. Match the policy to your real storage and security practices

If you say information is secure, that should reflect a real process. You do not need to publish every technical control, but your policy should not promise more than your business actually does.

In practice, this means checking:

  • whether access is limited by role
  • whether files are encrypted where appropriate
  • whether paper records are locked away
  • whether staff use personal devices to access records
  • whether vendors have adequate privacy and security commitments
  • whether old records are actually deleted when no longer needed

The main risk is overpromising. If your policy says information is stored only in New Zealand, but your CRM or cloud provider processes it offshore, the statement may be wrong.

5. Cover third party providers and overseas disclosure properly

Many NZ businesses use offshore software for customer relationship management, email marketing, cloud storage, recruitment, payroll, analytics, or identity verification. If sensitive information passes through those providers, your policy should say enough for individuals to understand that.

You do not always need a long technical explanation. You do need to be transparent about the categories of providers involved and whether information may be stored or accessed outside New Zealand.

This is also a contract issue. Before you sign with a software provider, review confidentiality, data use, storage location, subcontracting, breach notification, and deletion terms.

6. Think about collection from children and vulnerable individuals

If your business targets schools, families, youth services, health support, or community services, the expectations around transparency are higher. Sensitive information about children can create significant harm if handled badly.

Your privacy policy may need to explain:

  • whether a parent or guardian provides the information
  • how consent or authority is handled
  • what information is required for enrolment or participation
  • who information may be shared with
  • how long children’s records are kept

7. Set up a process for access, correction, and complaints

A privacy policy should not just describe collection. It should also tell people how they can contact you to request access to their information, ask for corrections, or raise privacy concerns.

If your business deals with sensitive information, staff should know who handles these requests and what the internal process is. A good policy with no operational follow-through can still create legal and customer problems.

Common mistakes founders make

Most privacy policy problems are not dramatic. They are everyday mismatches between what the business says and what it actually does.

  • Using an overseas template that refers to foreign law instead of New Zealand law.
  • Failing to mention health, identity, screening, biometric, or children’s data collected through forms or apps.
  • Collecting more sensitive information than the business really needs.
  • Bundling customer, employee, and applicant information into one unclear section.
  • Ignoring overseas cloud providers and data access arrangements.
  • Promising security standards the business cannot evidence.
  • Leaving old records sitting in inboxes, shared drives, or dormant software accounts.
  • Assuming a privacy policy alone solves the issue without updating contracts, internal procedures, and training.

If you are building a new business, this often sits alongside other setup work such as choosing a business structure, Companies Office registration, trade mark planning, website terms, customer contracts, contractor arrangements, and sector-specific legal requirements. Privacy should be treated as part of the setup, not as a last-minute website task.

FAQs

Does New Zealand law have a separate category of “sensitive information”?

Not in the same way some overseas privacy laws do. Under the Privacy Act 2020, the focus is on personal information generally, but some types of information are clearly higher risk and need more careful handling.

Do all businesses need to mention sensitive information in their privacy policy?

No. If your business does not collect high-risk personal information, your policy may not need a dedicated section on it. But if you collect health details, identity documents, criminal history, biometric data, or children’s information, your policy should address that clearly.

Can I use one generic privacy policy for customers, staff, and job applicants?

You can, but it often becomes too vague. Many businesses are better off using one main privacy policy supported by separate collection statements, recruitment notices, or internal documents for specific contexts.

Do I need consent to collect sensitive information?

Sometimes consent will be appropriate, but not every collection issue turns on consent alone. You also need to consider whether collection is necessary, fair, transparent, and consistent with your stated purpose and legal obligations.

What if my software provider stores sensitive information overseas?

Your policy should be transparent about overseas storage or access where relevant. You should also review your provider contract and privacy settings before you rely on the platform for sensitive information.

Key Takeaways

  • Sensitive information needs more careful handling than ordinary personal details, even where the Privacy Act 2020 does not use one fixed label for every situation.
  • Your privacy policy should clearly explain what high-risk personal information you collect, why you collect it, how you use it, who you share it with, and how long you keep it.
  • A policy should match your real business practices, including website forms, apps, staff processes, software providers, and contract arrangements.
  • Common risk areas include health information, identity verification, recruitment records, biometric data, children’s information, and overseas cloud storage.
  • The strongest approach is to review collection practices, reduce unnecessary data gathering, align contracts and internal procedures, and update your policy before you launch online or sign key supplier deals.

If your business handles sensitive information and wants help with privacy policy drafting, data collection wording, software and supplier contract review, or compliance checks, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

