
Privacy 2.0: Model contract clauses

Joanna Hayward
11 May 2020 at 11:05


One of the key changes in the Privacy Bill is the new privacy principle 12.

This adds new controls on the disclosure of personal information to foreign agencies or persons.

Agencies will now be accountable for the international disclosure of personal information and will need to demonstrate that they have carried out the necessary due diligence checks required under the new privacy principle.

The practical way for agencies to comply with the new principle is to adopt contractual safeguards when disclosing personal information to a foreign counterpart or business. These contractual clauses will make it clear to the recipient how they are expected to look after the personal information that they are being entrusted with.

This approach is also used in the UK and Europe under the GDPR as a way to ensure privacy protections apply to personal information when it is sent across national borders.

The goal is to make sure that the privacy protections that individuals can reasonably expect under New Zealand’s Privacy Act continue to apply when their information is disclosed and used in a foreign jurisdiction operating under different privacy standards.

To make this easy, the Office of the Privacy Commissioner is working on developing a model set of contract clauses for New Zealand agencies. We are seeking expressions of interest from experienced lawyers to help us come up with a simple but comprehensive set of clauses that will protect Kiwis’ data overseas.

Once we have a suitable set of clauses, we will publicly consult on these in August 2020 and there will be a chance to comment before they are finalised.

Of course, parties can instead use their own clauses – it’s not mandatory to use the model clauses. The model clauses will create a benchmark for the relevant matters that should be addressed to ensure reasonable privacy safeguards are in place when personal information is disclosed overseas.
