Can I send information overseas?
Yes, but you need to check who you are sending the information to, and whether this complies with principle 12 in the Privacy Act 2020.
Principle 12 aims to ensure that personal information sent overseas is subject to privacy safeguards that are similar to those in New Zealand.
A business or organisation may disclose personal information to another organisation outside New Zealand if the receiving organisation:
- is subject to the Privacy Act because they are a New Zealand agency (with an overseas office) or they are an overseas agency doing business in New Zealand;
- agrees to protect the information in such a way, e.g. by using model contract clauses; or
- is subject to privacy laws that provide comparable safeguards to the Privacy Act.
There are also exceptions for emergency situations if the disclosure is necessary for law enforcement purposes or to prevent a serious threat to health or safety and it is not reasonably practicable to comply with principle 12.
If none of the above criteria apply, a business or organisation may disclose information overseas with the permission of the person concerned. The person must be expressly informed that their information may not be given the same protection as provided by the New Zealand Privacy Act.
Note that principle 12 doesn’t limit sending personal information to a cloud, or service provider storing or processing information on your behalf (see section 11(external link)).
Read our one-page information sheet for a brief overview of principle 12 here [PDF, 510 KB].
For more detailed information about your principle 12 responsibilities, and to access our model contract clauses, see our principle 12 guidance here.
Updated December 2020