Privacy is Not Just Security

The terms privacy and security are often spoken in the same breath, sometimes even as if they mean the same thing. Yet while they are deeply connected, they are not identical. Understanding the distinction between them is essential for any organisation that handles personal information in today’s digital environment.

Security is about protecting systems and information from unauthorised access, misuse, alteration, or destruction. It focuses on confidentiality, integrity, and availability, ensuring that data and systems remain reliable and resilient.

Privacy, by contrast, is about people: their rights, their expectations, and their ability to control how their personal information is collected, used, and disclosed. Privacy deals in fairness, transparency, consent, and respect.

A system can be perfectly secure and yet still breach the Privacy Act if it collects more information than necessary, uses it for a different purpose, or discloses it without the individual’s knowledge. Equally, an organisation can have noble privacy intentions but still fail if it cannot keep its information secure.

Too often, organisations invest heavily in security controls such as firewalls, encryption, intrusion detection, while neglecting the governance work that privacy demands: clear consent mechanisms, data minimisation, retention limits, and transparency about use. The result is a paradox: systems that are secure but not private. On the other hand, some agencies focus on compliance paperwork such as privacy impact assessments and policy documents but underinvest in the technical defences that make those policies meaningful.

The most resilient organisations recognise that both disciplines must operate in tandem, distinct yet interdependent. Privacy and security require different mindsets, skill sets, and accountabilities. Security is about building defences; privacy is about building respect. Security asks, “Can someone get in?” Privacy asks, “Should we have this data at all?”

The two should collaborate closely but never collapse into one another. The CISO and the Privacy Officer must each own their space, guided by shared risk frameworks that distinguish technical threats from ethical or legal misuse. Boards, too, should expect visibility of both. Reports should include not only security incidents but also privacy metrics.

Practical change starts with design. Security should be embedded by default through encryption, least privilege, segmentation, and layered defence. Privacy must also be designed from the outset by minimising collection, enforcing purpose limitation, managing consent, and anonymising data wherever possible.

Ultimately, New Zealand’s future digital trust will depend on this dual awareness. Organisations that understand the difference, and act on it, will not only comply with the law but also earn the confidence of the people they serve. Recognising that privacy and security are siblings, not twins is the first step toward that trust.