Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Resources and learning

Print | Email this page

Chapter 4: Privacy and confidentiality

Privacy and confidentiality both play a part in protecting learners’ information.

Often these terms are used interchangeably, but they are distinct concepts and should be considered separately. 

On this page:

Download a PDF of the guidance on this page (PDF, 351KB).

Privacy

The rights of a learner to exercise some control over the collection, use and disclosure of their personal information.

Privacy is about a person’s right to control their information, activities and personal space. With respect to information, privacy is about a person’s right to determine what personal information about them is collected, used, and shared by others.

Privacy is not just about keeping information private, it’s about respecting a learner’s mana, and protecting their information from unauthorised intrusion.

The Privacy Act sets out obligations on all organisations that collect, use and share personal information to ensure personal information is respected and protected. 

Confidentiality

An education provider’s obligation to protect certain information from unauthorised access and disclosure.

We use confidentiality to mean:

  • the ethical duty that someone might have because of their profession
  • the legal duty that someone might have because of their profession
  • the contractual duty someone might have because of their contract with an education provider. 

These duties require that certain information is protected from unauthorised access, use and disclosure. Confidentiality is particularly relevant in certain professional settings e.g. between a counsellor and their patient, a teacher and a learner, a social worker and a client, or a lawyer and their client.

Back to top.

Confidential information

Confidential information can include personal and non-personal information. Confidential information that is personal information will also be covered by the Privacy Act.

There isn’t a definition of confidential information. It will be defined differently across different organisations, businesses, professions and sectors. For example:

  • From an employment perspective, employees have a general duty to keep their employer’s information confidential, but employment contracts will often contain clauses that define how that information will be managed and how confidentiality will apply even after an employee no longer works for that employer. 
  • When delivering education-related services to learners, terms and conditions related to the delivery of that service will state what information collected will be treated as confidential information and how it will be managed. 
  • Industry Codes of Conduct or Codes of Ethics may also define what information is considered confidential and place obligations on professionals working in that industry to ensure that information is protected from unauthorised access and disclosure. 

Maintaining confidentiality is not just a legal or ethical obligation – just like protecting privacy, it is a fundamental aspect of building and maintaining trust. Learners and their parents will feel more comfortable sharing personal information when they understand when it will be kept confidential.

Back to top.

Confidentiality and the Privacy Act 2020

Where personal information is also confidential information, often the obligations to protect that information will reflect the obligations set out in the Privacy Act, or in the case of health information, those set out in the Health Information Privacy Code 2020

Read more about health information in Chapter 9: Health and learning support information.

However, confidentiality is typically narrower in scope – it involves specific agreements, industry codes or policies to protect information deemed to be confidential from unauthorised access and disclosure. Therefore, obligations of confidentiality may restrict access to, and disclosure of, confidential personal information further than the exceptions set out in information privacy principle (IPP) 11 of the Privacy Act.

This table sets out the legal framework, the type of information, and authority to share information that applies with respect to both privacy and confidentiality. 

 

Privacy

Confidentiality

Legal framework

Privacy Act 2020

Contracts, Code of Professional Conduct

Type of information

Personal Information

Personal and non-personal information

Legal authority to share

IPP11 Exceptions

  • Serious threat
  • Law enforcement
  • Authorisation (consent)
  • Other IPP 11 exceptions

Exceptions to Confidentiality, which might include: 

  • Serious risk to a person’s health or life
  • Required by law
  • Consent

Children play on a playground in a city. Exceptions to confidentiality

There may be situations where you need to share confidential information. An exception to confidentiality must have a legal authority that permits the sharing of that information.

Common exceptions to confidentiality include:

  • where there are significant health or safety concerns for the learner (e.g. the IPP 11 serious threat exception, section 66C of the Oranga Tamariki Act or section 20 of the Family Violence Act)
  • where the learner has authorised (consented) to the information being shared (e.g. the IPP 11 authorisation exception)
  • where the sharing of the information is required by another law.

You’ll generally find exceptions to confidentiality reflected in professional codes (e.g. Code of Ethics or Codes of Conduct) or contracts to provide services.

When advising a learner (or their parents where appropriate) that specific information, or categories of information, will be kept confidential you should always clearly inform them of the exceptions to that confidentiality i.e. the circumstances in which you may share that information.

Back to top.

Privacy and confidentiality in practice

The following section covers a number of codes that operate within the education sector that include obligations of confidentiality. 

It is important to note that codes can be created by legislation or voluntarily by an industry organisation.

Back to top.

Codes created by legislation

Some codes are created under legislation (i.e. they are secondary legislation), which means everyone subject to the code must comply with it. 

Codes created by legislation in the education sector include:

  • Teachers Code of Professional Responsibility (section 485, Education and Training Act 2020)
  • Code of Conduct for State Board Members (section 166, Education and Training Act 2020)
  • Social Workers Registration Board (SWRB) Code of Conduct (section 105, Social Workers Registration Act 2003).

Teachers Code of Professional Responsibility

The Teachers Code of Professional Responsibility sets out the ethical behaviour expected of every teacher. The Code applies to all certificated teachers and those who have been granted a Limited Authority to Teach, in every role and teaching context. 

The Teachers Code of Professional Responsibility is supported by a set of Standards. The Standards are a benchmark of how to comply with this code. Because the Standards are not legislation, they do not limit the Privacy Act. 

Read more about the Teachers Code of Professional Responsibility.

Code of Conduct for State School Board Members

All state and state-integrated school board members are required to comply with the Code of Conduct for State School Board members. 

Objective 11 of this code requires all board members to maintain confidentiality when they receive non-public information gained in the course of their duties, and can only use the information for the purposes for which it was obtained.

Objective 11 reflects the requirements of the Privacy Act around the use and disclosure of personal information but provides specific restrictions on the use and disclosure of all information obtained by school board members, whether it is personal information or non-personal information. The Code of Conduct for State School Board Members does not replace or change the requirements of the Privacy Act.

Read more about the Code of Conduct for State School Board Members.

Example – Media Inquiry to school board member

M is a school board member for XYZ Primary School. The school has recently experienced issues with tensions between local gang members at school pick up time. These tensions have created a number of safety issues for the school, learners, and parents/caregivers waiting to pick up their children. The school board is currently with working with local Police to deescalate the tensions and keep everyone safe. 

M is out shopping when they are approached by a local reporter. The reporter asks M for information about the gang tensions, whether the gang members have children at the school, and what the school is doing to keep learners and others safe during school pick up times.

Can M share information with the reporter?

The Privacy Act applies to personal information, which would include information relating to any learners who are children of the gang members. In the circumstances, there are no exceptions to IPP 11 requirements that would apply so M cannot share any personal information about learners with the reporter.

M is also subject to the Code of Conduct for State School Board Members. The Code makes it clear that M must comply with all statutory requirements relevant to their role, which includes responsibilities under the Privacy Act. The Code also provides that all non-public information M obtains through their role as a board member must be kept confidential. This means that in the circumstances, M cannot share any information about the gang tensions or any discussions between the school and the Police with the reporter unless M has been authorised to do so by the Board. 

The Board will have a process for responding to media requests, and M should refer the reporter to that process. 

Social Workers Registration Board Code of Conduct

The Social Workers Registration Board (SWRB) Code of Conduct sets out the minimum standards of integrity and conduct that apply to registered social workers. 

Principle 7 of this code (Respect the client’s privacy and confidentiality) provides that all registered social workers are expected to:

  • protect the privacy of the client’s personal information
  • make it clear that all information gained in the course of the social worker/client relationship is confidential
  • inform clients of the extent of confidentiality and the situations where information may need to be shared.

The SWRB Code of Conduct’s requirements reflect the requirements of the Privacy Act and Health Information Privacy Code – they don’t replace or change the requirements of the Privacy Act. 

The SWRB Code of Conduct’s requirements don’t override the information sharing provisions set out in section 66C of the Oranga Tamariki Act or section 20 of the Family Violence Act.

Read more information about sharing information for the protection of children and young people.

Read more about the SWRB Code of Conduct.

Example – Social Worker in Schools (SWiS) 

G is registered social worker employed by a Non-Government Organisation (NGO) as a Social Worker in Schools (SWiS) social worker. G works with a number of high-risk learners across different primary and intermediate schools. Each learner that G works with has been referred to them with the consent of the learner’s parent.

When getting consent to provide a service to the learner, learners (and their parents) are informed that all information shared with them will be kept confidential but that certain information about the learner may be share with:

  • the school to assist the school to provide appropriate learning supports
  • relevant agencies and organisations if the learner’s safety and wellbeing is at risk. 

During a meeting with a learner, G also notices that the learner has bruising on their arms and legs. G asks the learner about the bruises, and the learner discloses to G that their parents get a bit angry with them sometimes.

Can G share the information the learner has disclosed to them?

The Family Violence Act 2018 provides the legal authority to share personal information to help ensure that a person is protected from family harm. Sharing information for one of the specified purposes under the Family Violence Act would not result in a breach of the Privacy Act or the SWRB Code of Conduct.

Under the SWRB Code of Conduct the information the learner has disclosed to G is considered confidential personal information because it has been described as confidential to the learner and their parents in the consent to provide services process. However, as part of the consent process, the learner and their parents were also informed that the obligation of confidentiality is not absolute. If there are concerns for the learner’s safety and wellbeing, the social worker can share this information with appropriate agencies and services – in this case, using section 20 of the Family Violence Act.

In this case, G could share relevant personal information about the learner with an appropriate family violence agency to help protect the learner from further harm.

Read more about the SWRB Code of Conduct.

Back to top.

Industry codes

Some codes are created by industry organisations, where members of that organisation are required to comply with the code as part of their membership with that organisation.

Members codes created by industry organisations in the education sector include the New Zealand Association of Counsellors (NZAC) Code of Ethics.

New Zealand Association of Counsellors Code of Ethics

The NZAC Code of Ethics states that counsellors shall treat all communications between a counsellor and client as confidential unless the client gives consent to particular information being shared. The Code of Ethics is a voluntary code for counsellors who choose to become members of NZAC. It does not limit or change the Privacy Act.

The NZAC Code of Ethics also says that limits to confidentiality should only be made to reduce risk to the client, and then states what those exceptions are.

The confidentiality rules in this code reflect the requirements of the Privacy Act (and for any health information, the Health Information Privacy Code) but narrow the range of exceptions for when information collected from a client can be shared e.g. only with consent of the individual or when there is significant risk to the individual. 

The NZAC Code of Ethics requirements don’t override the information sharing provisions set out in section 66C of the Oranga Tamariki Act or section 20 of the Family Violence Act.

Read more about the NZAC Code of Ethics.

Example – School guidance counsellor

K is a guidance counsellor employed by a High School. K has been meeting with 14-year-old J regularly over the last six months. J has been experiencing difficulties in their home life which have impacted their ability to concentrate at school and develop relationships with other learners. There is currently no immediate risk of danger to J’s safety or wellbeing. J has also made it clear to K that they do not want any of the information they have shared with K disclosed to other people within the school.

J’s teacher has approached K to seek information about J. J’s teacher believes that if they understand what was happening for J, they would be able to provide better support to J in the classroom.

Can K share any information about J with J’s teacher?

Under the Privacy Act, K is not able to share any personal information with J’s teacher unless one of the exceptions in IPP11 (or Rule 11 for health information) apply. In the circumstances set out above, there is no exception to IPP11 (or Rule 11) that applies. 

As a member of the New Zealand Association of Counsellors, K also needs to consider the obligations set out in the NZAC’s Code of Ethics. The NZAC Code of Ethics makes it clear that any information (including non-personal information) shared between K and J is confidential information and can only be shared with another person if one of the exceptions in the Code of Ethics applies. 

In this case, J is not at immediate risk and has not consented to their information being shared, so none of exceptions in the Code of Ethics apply. K is not able to share any information that they hold about J with J’s teacher. 

The fact that K is employed by the school, rather than providing counselling services through a contracted service provider, does not change the fact that K cannot share information about J with J’s teacher. The duty of confidentiality under the NZAC Code of Ethics is on K, not the school, as K is the person who has received and shared information with J as part of delivering the counselling services. 

What if there were concerns about J’s wellbeing or safety?

If there were concerns about J’s wellbeing and safety, this would override the obligations of confidentiality set out in the Code of Ethics. In that case, K could consider section 66C of the Oranga Tamariki Act to share relevant information about J with people at the school that were in a position to help J (so long as the purpose of sharing was for one of the purposes set out in section 66C) but would need to consider J’s view that they did not want the information to be shared. 

If there were serious concerns about J’s health or safety, and none of the purposes under section 66C applied, K could share the information with appropriate people under IPP11 for the purposes of preventing or lessening a serious threat to J’s health or safety, or the safety of others.

Read more information about sharing information in Chapter 7: Sharing information and Sharing information to protect the wellbeing and safety of children and young people.
Back to top