If you handle customer details, employee records or sensitive business information, you’ve probably wondered: what’s the difference between privacy and confidentiality?
They sound similar, but they’re not the same. In Australia, privacy is about how you collect, use and store personal information under the law. Confidentiality is about keeping specific information secret under a contract or duty of confidence.
Understanding both will help you stay compliant, build trust and reduce risk. In this guide, we’ll break down the key differences, when each one applies, and the practical documents and processes you’ll need to protect information in your business.
What’s The Difference Between Privacy And Confidentiality?
At a high level, privacy deals with personal information and your legal obligations under the Privacy Act 1988 (Cth). Confidentiality deals with any information that needs to be kept secret (not just personal information) and is driven by contracts and equitable duties.
Privacy: About Personal Information And Legal Obligations
- Scope: Personal information about an identified person (or reasonably identifiable person). This can include names, emails, phone numbers, payment details, IP addresses, health information and more.
- Laws: The Privacy Act and the Australian Privacy Principles (APPs) set rules for collecting, using, disclosing and securing personal information, and for providing access/correction rights.
- Who it applies to: Australian Government agencies and many private sector organisations (“APP entities”). Most small businesses under $3 million turnover are exempt, but there are important exceptions (for example, health service providers, businesses trading in personal information, and some contractors to Government).
- Transparency: You need to tell people how you’ll use their personal information and handle it consistently with your policy and notices.
Confidentiality: About Keeping Certain Information Secret
- Scope: Any information that is confidential to a party and not in the public domain. This can include trade secrets, source code, pricing, supplier terms, business strategies and customer lists (even if they don’t contain personal information).
- Protection: Usually created and enforced through contracts (for example, Non-Disclosure Agreements, employment contracts, supplier agreements) and equitable duties of confidence.
- Who it applies to: Anyone who receives information under a duty of confidence (employees, contractors, suppliers, partners, investors) or obtains it in circumstances importing confidence.
- Need-to-know principle: Access is restricted to people who need the information for legitimate business purposes.
In short: privacy protects individuals and regulates personal information. Confidentiality protects a business’s sensitive information (which might or might not include personal information) through contracts and duties of confidence.
When Do Privacy Laws Apply In Australia?
Even if you’re a small business, privacy may apply to you. Ask yourself these questions.
Are You An APP Entity?
Private sector organisations with over $3 million annual turnover generally need to comply with the APPs. Some businesses under this threshold must also comply, including health service providers, those that sell personal information, and some Government contractors.
Do You Collect Personal Information?
If you collect names, emails, phone numbers, payment details, or online identifiers, you’re handling personal information. Online businesses, apps and service providers often fall into this category.
What Documents Show Compliance?
Transparency is key. Most APP entities publish a clear, accessible Privacy Policy and give customers a Privacy Collection Notice at or before collection, explaining what data is collected, why and how it will be used or disclosed.
Do You Use Third-Party Processors?
If a cloud provider or outsourced service processes personal information on your behalf, put in place a Data Processing Agreement with clear security and data handling obligations.
How Will You Respond To Incidents?
Data security is an APP requirement. It’s smart to have a Data Breach Response Plan so your team knows how to assess and manage incidents, including when notifiable data breach reporting could be required.
When Does Confidentiality Apply In Business?
Confidentiality applies whenever someone has access to information they shouldn’t share. You’ll typically create and manage confidentiality obligations using contracts and internal practices.
Common Confidentiality Relationships
- Employees and contractors: Your Employment Contract should include clear confidentiality and IP clauses. Contractors should sign services agreements with equivalent protections.
- Prospective partners or investors: Use a Non-Disclosure Agreement before sharing pitch decks, financials or product roadmaps.
- Suppliers and distributors: Make sure supply and distribution contracts contain confidentiality terms, limits on use, return/destruction obligations and remedies for breach.
- Agencies and freelancers: Creative briefs, pricing and client lists should be covered by confidentiality obligations in your services agreements.
What Counts As Confidential Information?
You’ll usually define it in the contract. It commonly includes business plans, pricing, customer data, technical information, internal processes and any other information marked or treated as confidential. Exclusions often apply for information that is public, independently developed or lawfully obtained from another source.
How Long Does Confidentiality Last?
It depends on the contract. Some obligations end after a certain period; others continue indefinitely (especially for trade secrets). Think carefully about what’s appropriate for your business.
Practical Scenarios: Privacy Vs Confidentiality
1) Onboarding A New Customer
You collect their name, email and mobile number to create an account. Privacy applies because you’re handling personal information and need to be transparent about your collection and uses. Publish a clear Privacy Policy and give a Privacy Collection Notice during onboarding.
2) Sharing A Sales Pipeline With A Potential Investor
You export a spreadsheet with lead sources, close rates and future pricing strategy. Privacy may or may not apply (depending on whether it contains personal information), but confidentiality definitely does. Send it only under a Non-Disclosure Agreement and restrict who can access it.
3) Outsourcing Email Marketing To An Agency
Your agency will access your CRM to run campaigns. Privacy applies because they’ll process personal information on your behalf. Put a Data Processing Agreement in place, maintain strong access controls, and ensure your Website Terms and Conditions and privacy notices align with what actually happens.
4) Employee Leaves And Downloads Files
An employee downloads client lists and pitch templates before resigning. That’s a confidentiality issue. Strong contractual obligations in the Employment Contract, offboarding procedures and prompt access revocation reduce the risk and improve your position if you need to act.
5) Data Incident In Your E-Commerce Store
A vulnerability exposes order history and email addresses. Privacy applies, and you’ll need to follow your Data Breach Response Plan to assess, contain and, if required, notify affected individuals and authorities. Confidentiality terms with your developers and hosting providers may also be relevant to remediation and liability.
What Documents And Policies Do You Need?
Getting your privacy and confidentiality foundations right doesn’t need to be complicated. Here are the core documents most Australian businesses should consider.
Privacy Documents (Legal Compliance And Transparency)
- Privacy Policy: Public-facing statement explaining what personal information you collect, how you use and disclose it, and how people can access/correct their data.
- Privacy Collection Notice: Short notice provided at or before collection detailing the purposes for collection, key uses/disclosures and how to contact you.
- Data Processing Agreement: Contract with processors (e.g. SaaS platforms, agencies) covering security, permitted use, sub-processing, international transfers and deletion/return of data.
- Cookie or tracking disclosures: If your site uses analytics, cookies or pixels, ensure your disclosures are accurate and consistent with your Privacy Policy and website terms.
- Data Breach Response Plan: Internal playbook for identifying, assessing and responding to data incidents quickly and lawfully.
- Retention and deletion rules: Set practical timelines to keep and delete data consistently; this aligns with the APPs and your obligations under data retention laws.
Confidentiality Documents (Commercial Protection)
- Non-Disclosure Agreement: Use before sharing sensitive information with prospective partners, investors or suppliers.
- Employment Contract: Include strong confidentiality, IP ownership and post-employment obligations for staff.
- Supplier and contractor agreements: Ensure they include clear confidentiality clauses, data security standards and return/destruction obligations.
- Website Terms and Conditions: Set rules for users, platform conduct, acceptable use and IP ownership - helpful when your business model relies on proprietary content or software.
Having these tailored to your operations helps ensure your day-to-day practices match what your legal documents say you do - a common gap that leads to risk.
How To Manage Breaches And Complaints
Even with the best controls, mistakes can happen. What matters next is how you respond.
1) Activate Your Incident Playbook
For privacy incidents, follow your Data Breach Response Plan to contain, assess and document the incident, including whether it meets the threshold for notifiable data breach reporting. For confidentiality breaches, investigate scope, identify contractual rights and take steps to stop further disclosure.
2) Communicate Clearly And Lawfully
If notification is required or appropriate, communicate early, share what happened and what you’ve done to reduce harm, and provide a contact point for questions. Keep records of your decisions and actions.
3) Remediate And Prevent Recurrence
Update access controls, rotate credentials, roll out targeted training and tighten your contracts (for example, refining your Data Processing Agreement or NDA terms). Review your retention rules against your obligations under data retention laws so you’re not keeping more than you need.
4) Build A Culture Of Respect For Information
Privacy and confidentiality work best when people know what to do. Train staff on your Privacy Policy and confidentiality expectations from day one, and refresh training regularly - it’s one of the simplest and most effective safeguards.
Key Takeaways
- Privacy is about personal information and legal rights under the Privacy Act, while confidentiality protects sensitive business information through contracts and duties of confidence.
- Many Australian businesses need a clear Privacy Policy, a practical Data Breach Response Plan and strong data handling terms with processors via a Data Processing Agreement.
- Use contracts to protect secrets: a Non-Disclosure Agreement for external discussions and an Employment Contract with confidentiality and IP clauses for staff.
- Be transparent with customers via a Privacy Collection Notice at or before collection, and make sure your practices match your promises.
- Plan ahead for incidents, keep only what you need in line with data retention laws, and build a culture where privacy and confidentiality are part of everyday work.
If you’d like a consultation on privacy and confidentiality for your Australian business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.