Privacy 2.0: Cross-border disclosures – introducing new privacy principle 12
Michael Harrison, Annabel Fordham
2 March 2020 at 14:38

A significant change in the Privacy Bill is a new privacy principle containing a series of controls on the disclosure of personal information to foreign agencies or persons. This is noteworthy because of the reliance that many businesses have upon cloud-based service providers, and the importance of free-flowing data globally.

Is this an unusual step?

New Zealand is following international trends by providing more comprehensive statutory controls on cross-border disclosures.

The European General Data Protection Regulation (GDPR) has established new global benchmarks and has a similar provision. See, for instance:

Guide to the General Data Protection Regulation (GDPR) - International transfers.

The Council of Europe’s Data Protection “Convention 108” permits transfers to non-party states only where personal data is sufficiently protected.

The Australian Privacy Act has a similar provision.

New Zealand’s current Privacy Act 1993 already provides some protection through transfer prohibition notices that the Commissioner might issue in appropriate circumstances (see Part 11A).

What is the aim of the cross-border controls?

The broad intent of these new controls is to ensure that personal information being sent out of New Zealand will be subject to privacy safeguards that are comparable to ours. Agencies will now be accountable for the international disclosure of personal information and will need to demonstrate that they have carried out the necessary due diligence checks required under the new privacy principle.

The cross-border controls are established by a new information privacy principle 12 – Disclosure of personal information outside New Zealand. See clause 19 of the Privacy Bill.

(You might also remember that we already have a principle 12 in the Privacy Act. Under the Bill, the current principle 12 dealing with ‘unique identifiers’ becomes principle 13.)

So how does new principle 12 work?

An agency disclosing personal information to foreign persons or entities may only make that disclosure if it reasonably believes the foreign person or entity meets at least one of the following criteria:

  • is carrying on business in New Zealand and is subject to the Privacy Act,
  • is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act,
  • is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example, by agreement between the agencies), or
  • is subject to the privacy laws of a country, province or State, or is a participant in a binding scheme for international disclosures of personal information, that has been prescribed in regulations by the New Zealand Government as providing comparable safeguards to the Privacy Act.

What about cloud storage?

Sending information to another organisation to hold or process on your behalf (as your agent) will not be treated as a disclosure under the new Privacy Act (see clause 8). This could be, for example, when an agency is providing cloud storage services on behalf of the NZ-based client.

The principal organisation will be responsible for ensuring that the agent handles the personal information in accordance with the New Zealand Privacy Act.

Authorisation of the individual

Principle 12 enables a New Zealand agency to ask for authorisation from the individual concerned. If an agency wishes to rely on individual authorisation, it must have expressly informed the individual that the foreign entity or person may not be required to protect the information in a way that, overall, provides comparable safeguards.

Urgent disclosures

Principle 12 also enables disclosure of personal information overseas if it is necessary to avoid prejudice to the maintenance of the law (including the prevention, detection, investigation, prosecution and punishment of offences) or to prevent or lessen a serious threat to public health or safety or the life or health of an individual.

Guidance

The Office of the Privacy Commissioner is developing guidance to help agencies understand how they can apply this new principle. This will include simple contractual clauses that agencies can adopt to ensure that personal information will be subject to ongoing protections.

We are planning to have this guidance available after the Privacy Bill has been passed by Parliament. We are expecting the Bill to have a 6-month transitional period before it takes effect.
