Privacy vs. Confidentiality

“What’s the difference between privacy and confidentiality??” It’s a question I’ll often ask when leading developer training, or when talking to potential job candidates. At first they seem very similar! Isn’t privacy just about keeping things private, and confidentiality about keeping things confidential? I like to draw a distinction that goes like this:

Confidentiality is about any piece of information, and restricting its access to only those who have a valid need. It could be personal information, or business plans, or code. It could be open to everyone, restricted to a set of people, or just one person.

Privacy is about information on individuals, and is defined in Aotearoa by the Privacy Act. It’s about collecting as little as you need, storing it securely and for only as long as needed, and only using it for what you said you’d use it for.

Below I provide a brief introduction to the Privacy Princples. You’ll see that Privacy is broader than Confidentiality, but that Confidentiality encompasses parts of “Principle 5 - Storage and security” and “Principle 11 - Disclosure”, and even “Principle 6 - Access” and “Principle 10 - Use”. Privacy and Confidentiality are like overlapping Venn diagrams.

Privacy Principles

Our Privacy Act breaks these out in 12 (soon to be 13) Privacy Principles:

• Principle 1 - Purpose for collection - only collect what you need
• Principle 2 - Source of information - collect it directly if you can
• Principle 3 - What to tell an individual - why you need it, and what you’ll do with it
• Principle 4 - Manner of collection - don’t collect it sneakily
• Principle 5 - Storage and security - keep it safe
• Principle 6 - Access - people must have a way to see what you’ve collected about them
• Principle 7 - Correction - people should be able to spot and fix inaccuracies
• Principle 8 - Accuracy - you should make sure the data is accurate before using it
• Principle 9 - Retention - don’t keep it longer than needed / legally allowed
• Principle 10 - Use - only use it for the reasons you told them about
• Principle 11 - Disclosure - don’t share a person’s information with others unless you’re allowed
• Principle 12 - Unique identifiers - don’t make people give you unique IDs (drivers licence, IRD number, etc) unless you need it for one of its intended purposes

The new privacy principle will be about only sending personal information overseas (e.g. to most cloud hosting services) if you have ensured the receiving party will safeguard it.

The Office of the Privacy Commissioner has some great written content, free online training, and how project teams can understand privacy obligations with a Privacy Impact Assessment. Check it out!