NZ adopts new privacy principle to protect personal information

As of 1 December 2020, New Zealand businesses and organisations that send personal information overseas will need to comply with a new privacy principle in the Privacy Act 2020, which adds new controls on the disclosure of personal information to overseas organisations and businesses.

Privacy Commissioner John Edwards said the goal of principle 12 is to ensure New Zealanders can expect comparable privacy protections to those under New Zealand’s Privacy Act when their information is disclosed and used in a foreign jurisdiction. Edwards noted that principle 12 will not apply to offshore cloud providers.

“Using cloud providers or other agents to store or process personal data is not treated as a disclosure under principle 12, so long as the agent or cloud provider is not using that information for any of their own purposes,” said Edwards.

A business or organisation will be accountable for the international disclosure of personal information, and will need to demonstrate that it has carried out the necessary checks required under the new privacy principle.

“This is the approach taken in Europe, where the General Data Protection Regulation (GDPR) ensures privacy protections apply to personal information when it is sent across national borders,” said Edwards.

To comply with the new principle, businesses and organisations can adopt contractual safeguards. Edwards recommends using the model contract clauses developed by the Office of the Privacy Commissioner, which are designed to assist agencies to comply with principle 12 and reduce the compliance burden for agencies.

Edwards said these contractual clauses make it clear to the recipient how they are expected to look after the personal information they are being entrusted with. The model contract clauses are tailored to the requirements of the Privacy Act 2020 and to make it easier for small and medium-sized businesses to comply with principle 12.

Organisations can modify them, or use their own form of contract clauses, so long as the key privacy protections are included. The Office of the Privacy Commissioner has also produced guidance to help organisations and businesses understand the respond to the new principle 12 obligations.

The Office will issue further guidance related to the new principle 12 obligations shortly.

Image credit: ©stock.adobe.com/au/Vitalii Vodolazskyi