Information Privacy Principle 12 (IPP 12) was introduced in the Privacy Act 2020. Under IPP 12, businesses and organisations must ensure that personal information transferred overseas is adequately protected. Read more about IPP 12 here.
The Office of the Privacy Commissioner has produced step-by-step guidance and two online tools to help businesses and organisations understand and fulfil their IPP 12 responsibilities.
Our Principle 12 Decision Tree tool will help you work out if IPP 12 applies to you and if so, if you comply with at least one of its conditions for disclosing personal information overseas.
Use the IPP12 Decision Tree tool
One practical way to comply with your IPP 12 responsibilities when sending personal information overseas is to have an agreement that establishes privacy safeguards for the personal information shared between you and the overseas parties, which are comparable to those available in New Zealand. Our model contract clauses online agreement builder will help you generate such an agreement. It does not constitute legal advice.
Our online tool has in-built tips and guidance to help you fill it out. We have also produced a model clauses guidance document to help step you through it, along with a couple of example agreements.
Create an agreement using our agreement builder
See our step-by-step principle 12 guidance, model contract clauses and example agreements below.
These FAQs should be treated as general guidance and do not constitute legal advice. Please speak to your professional advisors for matters specific to you and your organisation, or find a professional advisor on our directory of privacy professionals.
What is the model contract? Who is it for?
IPP 12 relates to an agency (a Discloser) disclosing personal information to a foreign person or entity (a Recipient).
Under IPP 12, a Discloser may only disclose personal information to a Recipient if the Discloser believes, on reasonable grounds, that the Recipient will (or is required to) protect the information in a way that provides comparable safeguards to those in the New Zealand Privacy Act.
One way in which the Discloser can be reasonably confident of this is by entering into an agreement with the Recipient that contains the necessary privacy safeguards. Our office has commissioned the law firm Chapman Tripp to develop an ‘off the shelf’ set of clauses that ensure that the Recipient puts in place privacy safeguards for the personal information shared between you and the overseas parties which are comparable to those provided in New Zealand.
The Discloser is already required to have these safeguards in place due to its obligations under the Privacy Act, so the model contract ensures that the Recipient must do the same – even if they are based overseas and don’t carry on business in New Zealand.
Our model contract tools are especially designed to make this task easier for small to medium enterprises in New Zealand. You can adopt the clauses wholesale, or you can pick and choose specific clauses as required. If you make changes to the clauses, you might need expert advice to make sure you are still complying with IPP 12.
Do we need to enter into this agreement?
Not necessarily. IPP 12 does not apply to all circumstances. You can find the circumstances in which personal information can be disclosed in IPP 11(1). Therefore, IPP 12 may not even apply to you!
If IPP 12 does apply, you still might not need to enter into an agreement with the Recipient – an agreement is just one of many ways for an agency to comply with IPP 12. Check out our decision tree for more information – your level of confidence will help confirm that the information you are disclosing will be protected in a comparable way to the New Zealand Privacy Act.
The advantage of using the agreement is that you can be confident that the personal information you’re disclosing overseas will be subject to a set of privacy safeguards for individuals.
We store personal information using a cloud service provider whose servers are held outside New Zealand. Do we need to enter into an agreement with the cloud service provider which incorporates the model clauses?
In most circumstances, no – you aren’t required by law to enter into such an agreement. This is because, for the purposes of the Privacy Act, you will (in most circumstances) remain responsible for the personal information that you put in the cloud servers.
Under section 11 of the Privacy Act, if an agency (Agency A) holds personal information as an agent for another agency (Agency B) (for example, the information is held by Agency A on behalf of Agency B for safe custody or processing), that personal information will be treated as being held by Agency B – not Agency A.
However, the personal information will be treated as being held by Agency A and Agency B if Agency A uses or discloses the information for its own purposes.
This means that, in most circumstances, you’ll be responsible for the personal information that you put in the cloud – not the cloud service provider.
Would a Recipient be willing to give the assurances in the agreement?
The question as to how willing a Recipient would be to give any assurance under the model contract (or any similar agreement) will depend on your commercial relationship and the circumstances specific to the parties.
What we can say is that, due to IPP 12, the onus is on you as the Discloser to ensure that the personal information is safeguarded.
Remember that, as the Discloser, the requisite test under IPP 12 is whether you believe on reasonable grounds that the Recipient is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act.
The model contract is just that – a set of ‘model’ clauses. Parties are free to negotiate and modify the clauses as they see fit, so long as you (as the Discloser of the personal information) are satisfied on reasonable grounds that the Recipient will provide comparable safeguards to that personal information.
If you can’t get the Recipient to agree to the safeguards, you might need to review what personal information you disclose and see if you have other options.
How do we enforce the agreement if the Recipient is overseas?
The practical issue of enforcing contracts is very real, and this issue becomes even more difficult if the other party isn’t in New Zealand. This will depend on a myriad of factors (so please consult your legal advisers), but the most important consideration will be your commercial relationship with the Recipient. At the very least, a serious breach of contract by a provider will likely prompt a decision to move to a different provider – a loss of trust is a loss of business.
The key point for you as the Discloser is having a basis for believing that the disclosure complies with IPP 12. The model agreement would provide that basis and provide individuals with the option of enforcing their rights against the Recipient under New Zealand law.
If the Recipient is obliged to collect and use information in accordance with clause 1.1, what is the purpose of clause 1.2 (limits on use and disclosure)?
Clause 1.2 specifies the lawful purposes for which personal information may be collected and used which are specific to the relationship between (and agreed by) the Discloser and the Recipient.
Have a look at our example agreements for an idea of what a lawful purpose might be. One example is for travel, where one of the permitted lawful purposes is specified to be facilitating bookings with accommodation and tourism providers.
What is the purpose of clause 1.4 (accuracy)? Can the Recipient not rely on the Discloser (who has those same obligations under the Privacy Act 2020) to provide it with appropriately accurate information?
Not necessarily. Information can become out of date before it is used by the Recipient, or that information can be used more than once.
If personal information has been disclosed to the Recipient and is therefore now also being held by the Recipient, the Discloser won’t necessarily be in a good position to ensure that the personal information held by the Recipient remains accurate and up to date when the Recipient uses the information – especially if there is a time lag between disclosure and use.
How does clause 6 (rights of individuals if there is a breach of the agreement) relate to the obligations under IPP 12?
Clause 6.1 is designed to ensure that, if the Recipient breaches its obligations under the model contract and that breach is an ‘Interference with Privacy of an Individual’ (as that term is defined in the model contract), the individual in question has the same right to seek a remedy against the Recipient as they would against the Discloser in the same manner set out in Part 5 of the Privacy Act. The individuals concerned may also ask the Discloser to bring a claim against the Recipient on their behalf, though the Discloser isn’t necessarily required to do so (clause 6.3). Clause 6.2 confirms that individuals have this right even though they aren’t a party to the agreement.
Clause 6 of the model contract mirrors section 102 of the Privacy Act (remedies in respect of interference with privacy), so it looks to satisfy IPP 12 in this regard.
Last updated June 2021