When using offshore providers New Zealand businesses need to ensure that personal information being sent out of the country will be subject to privacy safeguards that are comparable to ours. By Privacy Commissioner Michael Webster.
Google, Adobe, Slack, Microsoft, Dropbox and Zoom are just some of the services delivered by offshore providers, yet New Zealand businesses using them are often unaware of their privacy responsibilities.
Under the Privacy Act, businesses are accountable for the international disclosure of personal information and they need to demonstrate they’ve carried out the necessary due diligence checks to help make sure that the information being disclosed is covered by adequate privacy provisions.
The international nature of business means it’s important for data and information to flow freely around the globe. And more and more businesses are using overseas-based third-party vendors to make that happen.
The broad intent of having controls when using offshore providers is to ensure that personal information being sent out of New Zealand will be subject to privacy safeguards that are comparable to ours.
The goal is to make sure that the privacy protections people can expect under New Zealand’s Privacy Act continue to apply when their information is disclosed and used in a foreign jurisdiction operating under different privacy standards.
Privacy regulation supports the digital economy, with the Privacy Act being the only statute that requires data security safeguards to be in place; as well as keeping your business safe, it underpins our relationships with key trading partners, which is crucial for any global operator.
An example of that is New Zealand’s $400 million video and computer games sector, which is enabled by good data protection standards.
What does this mean for my organisation?
A business disclosing personal information to foreign people or entities may only do that if it reasonably believes the foreign person or entity meets at least one of the criteria under privacy principle 12 of the Privacy Act.
Principle 12 also covers rules around urgent disclosures relating to maintaining the law, or preventing or lessening a threat to the health, life, or safety of an individual or the public.
What about cloud storage?
Sending information to another organisation to hold or process on your behalf (as your agent) is not treated as a disclosure under the Privacy Act. This could be, for example, when an overseas business provides cloud storage services on behalf of a New Zealand-based client.
If your business is using overseas cloud suppliers (or other service providers), you need to check that the supplier has undertaken not to use the personal information you’re sending them for their own purposes. A good way to do this is to be clear about it in your contract with the supplier.
How to comply
The practical way to comply is to adopt contractual safeguards when disclosing personal information to a foreign counterpart or business. These contractual clauses will make it clear how foreign businesses are expected to look after the personal information they are being provided with.
The Office of the Privacy Commissioner has developed guidance and model contractual clauses to help understand how to apply principle 12. You can find out more information at privacy.org.nz and search ‘Privacy Act 2020’.
Michael Webster is New Zealand’s Privacy Commissioner.