Office of the Privacy Commissioner | New guidance for sending personal information overseas
The Office of the Privacy Commissioner (OPC) has created two new interactive online tools to help organisations and businesses understand what they need to do if they are sending New Zealanders’ personal information overseas.
The Privacy Act 2020 introduces a new principle 12 that has new requirements when disclosing personal information to a foreign person or entity.
Principle 12 aims to ensure that personal information sent overseas is subject to privacy safeguards that are similar to those in New Zealand.
Businesses and organisations must be able to demonstrate that they have undertaken necessary due diligence before making a cross-border disclosure. They may disclose personal information to another organisation outside of New Zealand if the receiving organisation:
- is subject to the Privacy Act because they do business in New Zealand
- is subject to privacy laws that provide comparable safeguards to the Privacy Act – or they agree to protect the information in such a way, e.g. by using model contract clauses
- is subject to the privacy laws of a country prescribed by the New Zealand Government (none have yet been prescribed)
- is only going to an organisation, such as a cloud services provider which will not make any independent use of the information.
Principle 12 Decision Tree
A new tool – the Principle 12 Decision Tree – is simple to use and is designed to help businesses and organisations, especially small to medium sized enterprises (SMEs), easily work out if principle 12 applies to information they are disclosing overseas and whether they have to comply with it. You can try the Principle 12 Decision Tree here.
Model Contract Clauses Agreement Builder
If principle 12 does apply to the disclosure of information, the best and most practical way to comply with it might be to have an agreement with your foreign person or entity that provides for comparable safeguards to New Zealand's Privacy Act.
Businesses and organisations now use the Office of the Privacy Commissioner’s Model Contract Clauses Agreement Builder to generate an agreement.
Principle 12 guidance
You can find both the Principle 12 Decision Tree and the Model Contract Clauses Agreement Builder here on the OPC website.
More information about principle 12 and other resources and guidance, can be found on the OPC’s Privacy Act 2020 resources page.