Source: New Zealand Privacy Commissioner – Blog
The Privacy Act 2020 introduces a change when sending personal information overseas.
Under the new privacy principle 12, businesses and organisations will now be responsible for ensuring that any personal information they send to organisations outside New Zealand is adequately protected to comparable privacy safeguards.
To do this, they will now have an obligation to demonstrate that they have undertaken necessary due diligence before sending personal information across national borders.
One practical way for businesses and organisations to comply is to adopt contractual safeguards which make it clear to the recipient organisation overseas how it is expected to look after the personal information it is being entrusted with.
To assist organisations with this principle 12 requirement, our office has created model contract clauses which can be inserted into a contract between the New Zealand party and the offshore partner.
Model contract clauses are used in Europe under the General Data Protection Regulation (GDPR) and ensure privacy protections continue to apply to personal information when it is sent across national borders.
Our model contract clauses are tailored to the requirements of the Privacy Act 2020 and are designed to make it easier to comply with principle 12 – particularly for small and medium-sized businesses. The clauses can be modified to suit your needs or for you to use your own form of contract clauses, so long as the key privacy protections are included.
For example, here’s a clause about access:
Each individual has rights of access and correction
The Recipient agrees that each individual has a right to access, and to seek correction of, their personal information held by the Recipient that is included in the transferred information.
Our model contract clauses and guidance can be found here. We encourage you to familiarise yourself with them. We welcome any feedback you may have on them.
One important feature to note about this new requirement is that it will not apply to offshore cloud storage providers if these providers are not using the personal information for their own purposes, but simply holding it for their New Zealand client, or where the destination agency is independently subject to the New Zealand Privacy Act in their own right, for example by virtue of “carrying on business” in New Zealand.
