Sapna has completed a Bachelor of Arts/Laws. Since graduating, she's worked primarily in the field of legal research and writing, and she now writes for Sprintlaw.
If you run a business, you probably collect “personal information” every day - customer names, delivery addresses, staff bank details, even CCTV footage.
But not all personal information is treated the same. Some information is considered more sensitive, meaning it carries higher privacy risk and usually needs extra care in how you collect, use, store, and share it.
This guide (updated for 2026) breaks down the difference between personal information and sensitive information in practical, plain English, so you can make confident decisions and build privacy into your business from day one.
What Is Personal Information Under New Zealand Privacy Law?
In New Zealand, privacy compliance is primarily governed by the Privacy Act 2020.
In simple terms, personal information is information about an identifiable individual. If you can reasonably work out who someone is from the information (either on its own or combined with other data you hold), it’s personal information.
Common Examples Of Personal Information
Personal information can be obvious (like someone’s name), but it can also be less obvious (like an identifier that links back to a person). Examples include:
- Name, email address, phone number
- Home or work address
- Date of birth
- Customer account numbers or membership IDs
- Order history or purchase behaviour linked to a person
- Photos and videos where a person is recognisable (including CCTV footage)
- IP addresses and device identifiers (where they can reasonably identify a person)
- Employee records (payroll details, performance notes, leave records)
Why This Definition Matters For Your Business
Many business owners assume privacy law only applies to “big tech” or medical providers. In reality, most small businesses handle personal information - especially if you:
- sell online and deliver products
- run a loyalty program
- use email marketing
- hire staff or contractors
- use CCTV or record calls
Once you’re handling personal information, the Privacy Act 2020 applies to you - including its 13 Information Privacy Principles (IPPs), which cover things like collecting only what you need for a stated purpose, being transparent about what you collect, keeping the information secure, and not using or disclosing it for unrelated purposes.
What Counts As Sensitive Information (And Is It A Legal Category In NZ)?
Here’s where things get confusing: the Privacy Act 2020 doesn’t use one single label like “sensitive information” the way some overseas laws do.
That said, in practice, certain types of personal information are clearly more sensitive because misuse, disclosure, or loss could seriously harm the individual (for example, discrimination, identity theft, reputational harm, safety risks, or financial loss).
So when people say “sensitive information” in NZ, they usually mean personal information that needs extra care because of its nature and the higher privacy risk.
Some businesses also refer to this as Sensitive Personal Information, which is a helpful concept for building stronger privacy practices (even where the law doesn’t rely on that exact label).
Examples Of Information That’s Usually Considered Sensitive
- Health information (injuries, diagnoses, prescriptions, mental health notes)
- Biometric data (face scans, fingerprints, voiceprints used for identification)
- Financial information (bank account details, credit card details, income, debts)
- Government identifiers (passport number, driver licence number, IRD number)
- Information about children (especially where it could create safety risks)
- Precise location data (real-time tracking, frequent location history)
- Criminal history (convictions, background checks, allegations)
- Sexual orientation or sex life
- Ethnic or racial origin (where collected or inferred)
- Union membership (in an employment context)
Sensitive Doesn’t Always Mean “Secret”
A useful way to think about it is:
- Personal information = identifies a person.
- Sensitive information = identifies a person and creates higher risk if mishandled.
For example, a customer’s name might be personal information, but not highly sensitive on its own. Their name plus their medical condition, or name plus bank details, is a different story.
Personal Information Vs Sensitive Information: The Practical Differences That Matter
The difference isn’t just academic - it changes what “reasonable” privacy practice looks like for your business.
Even though the Privacy Act 2020 applies broadly to personal information, the level of security and care you’re expected to use often depends on how sensitive the information is and what harm could result if something goes wrong.
1. Collection: “Do You Really Need This?” Gets Stricter
If you collect sensitive information, you should be able to clearly explain:
- why you need it (your purpose)
- how you’ll use it
- who you might share it with
- how long you’ll keep it
If you can deliver your service without collecting sensitive data, it’s usually safer not to collect it at all. Less data often means less risk (and fewer compliance headaches later).
2. Security: Higher Sensitivity Usually Means Stronger Controls
The Privacy Act (Information Privacy Principle 5) requires organisations to take reasonable security safeguards against loss and against unauthorised access, use, modification or disclosure. What’s reasonable depends on the risk: the more harm a leak could cause, the stronger the safeguards need to be.
For sensitive information, stronger controls often include:
- multi-factor authentication (MFA) for systems holding the data
- access controls (only staff who need it can see it)
- encryption for data at rest (stored files, backups) and in transit
- secure disposal processes (not just deleting a file and hoping for the best)
- clear internal policies on handling and sharing
3. Disclosure: Mistakes Become More Serious, More Quickly
If sensitive information is accidentally disclosed, the harm to the individual can be much higher - and so can the consequences for your business.
That includes a higher chance the incident is a notifiable privacy breach - one that has caused, or is likely to cause, serious harm - meaning you must notify the Privacy Commissioner and, in most cases, the affected individuals.
4. Trust: Your Reputation Is Often On The Line
People are generally more forgiving if their delivery address is mishandled than if their health information is leaked or their identity documents are exposed.
Good privacy practice isn’t just compliance - it’s part of your brand and customer trust. This is also where understanding the difference between privacy and confidentiality matters, because privacy obligations often require specific systems and transparency, not just “keeping it quiet”.
How Do You Handle Sensitive Information Safely In A Small Business?
Most privacy problems don’t happen because a business owner “doesn’t care”. They happen because privacy processes don’t get built in early - and then the business grows, adds staff, adds tools, and suddenly the data is everywhere.
Here are practical steps you can take to protect your business and the people whose information you hold.
Be Clear On What You Collect (And Where It Goes)
Start with a quick data map. List:
- what personal information you collect (customers, leads, staff, suppliers)
- what might be sensitive (health info, ID docs, bank details)
- where it’s stored (email inboxes, CRM, spreadsheets, paper files, cloud drives)
- who can access it (owners, admin staff, contractors, offshore support)
- who it’s shared with (payment providers, couriers, accountants, marketing tools)
This sounds simple, but it’s one of the fastest ways to spot risk - like sensitive documents sitting in a shared folder that “everyone” can open.
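As an added example (not from the article), here is the same data-map review written as a small Python script. The inventory, system names, field names, access groups and sharing arrangements are constructed for illustration, and the rules simply encode the questions in the list above; that is enough to surface the "sensitive documents in a folder everyone can open" problem automatically once the map is written down.

```python
# Added example: rule-based review of a small-business data map.
# The inventory below is constructed for illustration; system names,
# fields, groups and sharing arrangements are all made up.

# Categories the article treats as sensitive (higher-risk) personal information.
SENSITIVE = {
    "health", "biometric", "financial", "government_id", "child",
    "precise_location", "criminal_history", "sexual_orientation",
    "ethnicity", "union_membership",
}

# One entry per place personal information lives: what is there, why,
# who can open it, who it is shared with, and when it is deleted.
INVENTORY = [
    {
        "system": "Online store CRM",
        "fields": {"name": "personal", "email": "personal", "delivery_address": "personal"},
        "purpose": "fulfil and deliver orders",
        "access": {"owner", "admin"},
        "shared_with": [{"party": "Courier", "contract": True}],
        "retention_days": 730,
    },
    {
        "system": "Shared drive /Staff",
        "fields": {
            "name": "personal",
            "bank_account": "financial",
            "sick_leave_notes": "health",
            "passport_scan": "government_id",
        },
        "purpose": "",
        "access": {"everyone"},
        "shared_with": [{"party": "Offshore payroll bureau", "contract": False}],
        "retention_days": None,
    },
    {
        "system": "Call recording platform",
        "fields": {"call_audio": "personal"},
        "purpose": "training and quality assurance",
        "access": {"owner", "support"},
        "shared_with": [],
        "retention_days": None,
    },
]

# Access groups that mean "no real access control" for the purpose of this check.
BROAD_ACCESS = {"everyone", "all_staff"}


def sensitive_fields(item):
    """Names of the fields in one system that fall into a sensitive category."""
    return sorted(f for f, category in item["fields"].items() if category in SENSITIVE)


def review(inventory):
    """Apply the data-map questions as checks and return a list of findings.

    Each finding is a dict with system, issue and detail. Issue codes:
      no_stated_purpose             collection without a documented purpose
      sensitive_broad_access        sensitive data readable by a broad group
      no_retention_period           nothing says when the data is deleted
      sensitive_shared_no_contract  sensitive data shared without contract terms
    """
    findings = []
    for item in inventory:
        system = item["system"]
        sensitive = sensitive_fields(item)
        if not item.get("purpose", "").strip():
            findings.append({"system": system, "issue": "no_stated_purpose",
                             "detail": sorted(item["fields"])})
        if sensitive and item["access"] & BROAD_ACCESS:
            findings.append({"system": system, "issue": "sensitive_broad_access",
                             "detail": sensitive})
        if item.get("retention_days") is None:
            findings.append({"system": system, "issue": "no_retention_period",
                             "detail": sorted(item["fields"])})
        for share in item["shared_with"]:
            if sensitive and not share["contract"]:
                findings.append({"system": system, "issue": "sensitive_shared_no_contract",
                                 "detail": share["party"]})
    return findings


def issues_for(findings, system):
    """Set of issue codes raised against one system, for quick summaries."""
    return {f["issue"] for f in findings if f["system"] == system}


if __name__ == "__main__":
    for finding in review(INVENTORY):
        print(f"{finding['system']}: {finding['issue']} -> {finding['detail']}")
```

Run as-is, the script raises nothing against the CRM, flags the call recordings only for having no retention period, and raises all four issues against the shared staff drive. The point is not the script itself but the habit: once the map exists as data rather than as a conversation, the same checks can be re-run every time a tool or staff member is added.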
Use A Privacy Policy And Collection Notices That Match Your Reality
If you collect personal information from customers via your website, booking forms, online store, or email, you’ll usually want a Privacy Policy that clearly explains what you collect and why.
For sensitive information, it’s even more important that your disclosures are accurate and easy to understand - not buried in legalese. The goal is that a normal customer can read it and go, “Yep, that’s fair - I understand what’s happening here.”
Limit Access Inside Your Business
A common privacy trap for growing businesses is giving too many people access “just in case”.
Instead:
- limit staff access to what they need for their role
- give each person their own login (no shared accounts or passwords), with MFA on anything that holds sensitive data
- remove access quickly when someone leaves
- keep sensitive HR or medical records restricted
Have A Plan For Requests To Access Or Delete Information
Individuals have the right under the Privacy Act to request access to the personal information you hold about them (IPP 6) and to request that it be corrected (IPP 7). In some contexts, people also ask businesses to delete information.
While NZ doesn’t have a standalone “right to be forgotten” like some other countries, it’s still useful to understand the concept, because customers increasingly expect transparency and control over their data.
A practical approach is to set internal steps for:
- how requests are received (email, form, support ticket)
- who handles them
- how you verify identity (especially where sensitive data is involved)
- your timeframes and record-keeping (for access requests, the Act requires a response as soon as reasonably practicable and no later than 20 working days)
Be Extra Careful If You Buy, Sell, Or Share Customer Data
If your business model involves lead lists, data partnerships, data enrichment, or monetising audience data, you’ll want to be particularly careful about consent, transparency, and purpose limitations.
This is where the risks around trading in personal information can catch businesses off guard - especially if you assume “we bought the list, so it must be fine”.
Even if something feels normal in marketing, it still needs to align with NZ privacy obligations and what customers were told would happen with their data.
Common Scenarios Where Businesses Accidentally Mishandle Sensitive Information
You don’t have to be a hospital to handle sensitive information. Here are a few real-world situations where small businesses often trip up.
Recording Calls With Customers
Many businesses record calls for “training and quality assurance” - which can be legitimate, but the recording can capture sensitive information (health details, payment details, family issues, complaints).
Before you hit record, make sure you understand the rules around call recording, and consider:
- how you notify callers the call is being recorded
- how long you keep recordings
- who can access them
- how recordings are securely stored and deleted
CCTV, Staff Monitoring, And Workplace Privacy
CCTV footage is personal information, and depending on the context, it can become sensitive (for example, footage of an incident, alleged misconduct, or a medical emergency).
If you’re installing cameras, don’t treat it as just a security purchase - it’s also a privacy compliance issue. The rules about cameras in the workplace matter, particularly around transparency, signage, and appropriate use.
Collecting Medical Or Health Details From Staff
Health information is one of the clearest examples of sensitive information. Even a simple sick leave email can include sensitive details.
As an employer, you may have legitimate reasons to hold certain health-related information (for example, supporting leave, workplace adjustments, or health and safety). But you should:
- only collect what’s needed
- avoid oversharing internally (managers don’t always need the details)
- store it securely and separately where possible
- be thoughtful about how it’s used in performance management
Where possible, it’s also a good idea to reflect privacy expectations in your Employment Contract and workplace policies, so everyone understands what information is collected and how it’s handled.
Payment And ID Verification
If you collect or store copies of passports, driver licences, or card details, you’re handling highly sensitive information.
In many cases, you don’t need to keep copies long-term. For example, you might only need to verify something once, then record that verification was done (without storing the full document). This is a good “privacy by design” habit: keep the minimum data for the minimum time.
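One way to implement that habit, as an added example that is not part of the article: the business checks a document once, keeps a keyed HMAC of the document number so the same document can be recognised if it is presented again, and stores only who did the check, how, when, and when the record itself expires. The document type, the format check, the retention period and the secret "pepper" are assumptions made for the example, not anything the article prescribes.

```python
import hashlib
import hmac
import json
import re
import secrets
from datetime import datetime, timedelta

# Secret "pepper" for the HMAC. It must live outside the record store (a secrets
# manager or environment variable), so a leaked record table is not enough to
# test guesses against the stored tags. Generated here only so the example runs
# offline; a real deployment loads it instead.
PEPPER = secrets.token_bytes(32)

# Assumed retention for the verification record itself (not from the article).
RETENTION_DAYS = 7 * 365

# Assumed document formats for the example. NZ driver licence numbers are taken
# here to be two letters followed by six digits; add the documents you accept.
DOC_FORMATS = {
    "nz_driver_licence": re.compile(r"[A-Z]{2}[0-9]{6}"),
}


def normalise(doc_type, number):
    """Strip spaces/hyphens, upper-case, and reject anything that is not a plausible number."""
    pattern = DOC_FORMATS.get(doc_type)
    if pattern is None:
        raise ValueError(f"unsupported document type: {doc_type}")
    cleaned = re.sub(r"[\s-]", "", number).upper()
    if not pattern.fullmatch(cleaned):
        raise ValueError(f"{doc_type}: number does not match the expected format")
    return cleaned


def document_tag(doc_type, number, pepper):
    """Keyed, one-way tag for a document number. Without the pepper the tag is useless
    to an attacker; with only 26^2 x 10^6 possible licence numbers, a plain unkeyed
    hash would be brute-forced in seconds."""
    message = f"{doc_type}:{normalise(doc_type, number)}".encode()
    return hmac.new(pepper, message, hashlib.sha256).hexdigest()


def record_verification(doc_type, number, verified_by, method, verified_at, pepper=PEPPER):
    """Build the record to store after a successful check. The document number is not in it."""
    checked_at = datetime.fromisoformat(verified_at)
    return {
        "doc_type": doc_type,
        "doc_tag": document_tag(doc_type, number, pepper),
        "verified_by": verified_by,          # who performed the check
        "method": method,                    # e.g. "in-person", "video call"
        "verified_at": checked_at.isoformat(),
        "expires_at": (checked_at + timedelta(days=RETENTION_DAYS)).isoformat(),
    }


def matches(record, doc_type, number, pepper=PEPPER):
    """True if a presented document is the one previously verified (constant-time compare)."""
    try:
        candidate = document_tag(doc_type, number, pepper)
    except ValueError:
        return False
    return record["doc_type"] == doc_type and hmac.compare_digest(record["doc_tag"], candidate)


def is_expired(record, at):
    """True once the record has passed its retention date and should be deleted."""
    return datetime.fromisoformat(at) >= datetime.fromisoformat(record["expires_at"])


def contains_raw_number(record, number):
    """Audit check: the raw number must never appear anywhere in the stored record."""
    cleaned = re.sub(r"[\s-]", "", number).upper()
    return cleaned in json.dumps(record).upper()


if __name__ == "__main__":
    rec = record_verification("nz_driver_licence", "ab 123456", "staff-42",
                              "in-person", "2026-01-15T09:30:00+00:00")
    print(json.dumps(rec, indent=2))
    print("same document presented again:", matches(rec, "nz_driver_licence", "AB-123456"))
```

Two design points worth noting. A keyed HMAC rather than a plain hash is deliberate: the space of possible licence numbers is small, so an unkeyed hash of the number would be no better than storing the number. And if the pepper is ever lost or rotated, old tags can no longer be matched, which is acceptable because the record still proves that a check was done, by whom and when; that is the only thing the business needed to keep.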
Using Third-Party Apps And Offshore Providers
CRMs, booking systems, email marketing tools, and cloud storage are great for efficiency - but they can introduce privacy risk if you don’t know where your data is going.
Ask practical questions like:
- Where is the data stored (NZ, Australia, US, elsewhere)?
- Who can access it?
- Do you have control over retention and deletion?
- What happens if the provider has a breach?
If you’re working with external service providers who handle personal information for you, put proper contracts and privacy clauses in place, especially where sensitive information is involved. Disclosing personal information to an organisation outside New Zealand is governed by IPP 12, so check whether the provider is merely storing or processing the data on your behalf or using it for its own purposes, and what privacy protections apply in the country where it sits.
Key Takeaways
- Personal information is information about an identifiable individual, and most NZ businesses handle it in day-to-day operations.
- Sensitive information isn’t always a formal label in NZ law, but it’s a practical category for higher-risk personal information like health, biometric, financial, and identity document data.
- The more sensitive the information, the higher the expectations are around collection limits, secure storage, controlled access, and careful disclosure.
- Common small business risk areas include call recordings, CCTV, employee records, and storing ID or payment details.
- A clear Privacy Policy, sensible internal access controls, and a plan for privacy requests and breaches can help you stay compliant and build customer trust.
- If your business model involves buying, selling, or sharing data, get advice early - this is an area where well-meaning businesses can accidentally breach privacy obligations.
If you’d like help getting your privacy settings right - whether that’s your Privacy Policy, customer collection wording, internal privacy processes, or contracts with service providers - reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.