“What’s the difference between privacy and confidentiality??” It’s a question I’ll often ask when leading developer training, or when talking to potential job candidates. At first they seem very similar! Isn’t privacy just about keeping things private, and confidentiality about keeping things confidential? I like to draw a distinction that goes like this:
Confidentiality is about any piece of information, and restricting its access to only those who have a valid need. It could be personal information, or business plans, or code. It could be open to everyone, restricted to a set of people, or just one person.
Privacy is about information on individuals, and is defined in Aotearoa by the Privacy Act. It’s about collecting as little as you need, storing it securely and for only as long as needed, and only using it for what you said you’d use it for.
Below I provide a brief introduction to the Privacy Princples. You’ll see that Privacy is broader than Confidentiality, but that Confidentiality encompasses parts of “Principle 5 - Storage and security” and “Principle 11 - Disclosure”, and even “Principle 6 - Access” and “Principle 10 - Use”. Privacy and Confidentiality are like overlapping Venn diagrams.
Our Privacy Act breaks these out in 12 (soon to be 13) Privacy Principles:
The new privacy principle will be about only sending personal information overseas (e.g. to most cloud hosting services) if you have ensured the receiving party will safeguard it.
The Office of the Privacy Commissioner has some great written content, free online training, and how project teams can understand privacy obligations with a Privacy Impact Assessment. Check it out!24 October 2020