Cross-border disclosure privacy principle on the way
The Office of the Privacy Commissioner has provided background on a new privacy principle contained in the Privacy Bill which will impose a series of controls on the disclosure of personal information to foreign agencies or persons.
It says new privacy principle 12 is noteworthy because of the reliance that many businesses have upon cloud-based service providers, and the importance of free-flowing data globally.
The Office says the broad intent of the new controls is to ensure that personal information being sent out of New Zealand will be subject to privacy safeguards that are comparable to ours.
"Agencies will now be accountable for the international disclosure of personal information and will need to demonstrate that they have carried out the necessary due diligence checks required under the new privacy principle."
Clause 19 of the Privacy Bill establishes the new information privacy principle 12 - Disclosure of personal information outside New Zealand.
There is already a current principle 12, which deals with unique identifiers. This will become principle 13.
The Office says the new principle 12 will mean that an agency disclosing personal information to foreign persons or entities may only make that disclosure if it reasonably believes the foreign person or entity meets at least one of the following criteria:
- is carrying on business in New Zealand and is subject to the Privacy Act
- is subject to privacy laws that overall, provide comparable safeguards to those in the Privacy Act, or
- is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example, by agreement between the agencies)
- is subject to the privacy laws of a country, province or State, or is a participant in a binding scheme for international disclosures of personal information that has been prescribed in regulations by the New Zealand Government as providing comparable safeguards to the Privacy Act.
"Sending information to another organisation to hold or process on your behalf (as your agent), will not be not treated as a disclosure under the new Privacy Act (see clause 8). This could be, for example, when an agency is providing cloud storage services on behalf of the NZ based client.
"The principal organisation will be responsible for ensuring that the agent handles the personal information in accordance with the New Zealand Privacy Act."
Last updated on the 4th March 2020