Privacy Policy vs. Privacy Statement - Why the Difference Matters in NZ

Scroll through many organisations’ websites in New Zealand and you’ll find a link to something called a “Privacy Policy.” Nine times out of ten, though, the content isn’t a policy at all; it’s a privacy statement. And while the difference might seem like splitting hairs, in practice it reveals a lot about how seriously an organisation takes privacy and its level of privacy maturity.

Information Privacy Principle 3 (IPP3) of the Privacy Act 2020 requires organisations to let people know why their personal information is being collected, who it will be shared with, whether it’s compulsory to provide it, what happens if it isn’t, and how they can access or correct it later. This obligation is usually met through a privacy statement (sometimes called a notice).

Therefore, a privacy statement is generally the external-facing piece. It’s written for the people whose personal information you hold – your customers, clients, patients, or staff. It should be easy to read, transparent, and accessible, spelling out what you’re collecting and why in plain language.

A privacy policy, however, is something else entirely. It is an organisation’s internal document that sets out how personal information is to be handled inside the organisation, who carries which responsibilities, and what practices and safeguards are in place, such as when a privacy assessment is required. It’s the document your staff refer to when managing personal information to ensure they comply with your organisation’s requirements.

When an organisation posts a public-facing statement on its website and calls it a “policy,” it often signals that it doesn’t actually have a real internal privacy policy at all, or that it has two documents with the same name, which causes confusion. By contrast, organisations with a more advanced privacy culture make the distinction clear. They have an internal privacy policy that sets the rules of the game for staff. They have a public privacy statement that meets the obligations of IPP3 and explains to people how their data is used. And they ensure the two align, so that what they promise externally is backed up by practice internally.

Words matter because they reflect intent. Calling a privacy statement a policy might seem harmless, but it sends a signal to customers and staff about how deeply (or shallowly) privacy is embedded in the organisation.
