Working with third-party providers: understanding your privacy responsibilities

Source: Privacy Commissioner

Your responsibility for the personal information stored or processed by a third-party provider comes from Section 11 of the Privacy Act.

Personal information is any information which tells us something about a specific individual. People’s names, contact details, financial, health and purchase records can all be personal information. The information doesn’t need to name the individual, if they are identifiable in other ways, like through their home address or another identifier, or if their identity could be pieced together. Read more about what we mean by personal information.

Who is this for?

This guidance is for organisations who are thinking about using a third-party provider, or those who already do. If you use a third-party provider to store or process personal information on your behalf, you are still responsible for what happens to that information.

This guidance explains what you must think about when you are choosing a third-party provider and what your ongoing responsibilities are. Our wider suite of guidance, ‘Poupou Matatapu’, has more about how to ‘do privacy well’ and what good privacy practice looks like.

Your organisation is responsible for your personal information when stored or processed by a third-party provider

The key thing to remember is that you remain responsible for personal information that you send to a third-party provider.

What do we mean by third-party provider?

‘Third-party’ means an organisation external to your organisation.

‘Third-party provider,’ also known as a ‘third-party’ or ‘service provider,’ is a broad term that can be applied to a range of external organisations that provide services to your organisation, such as storing or processing information on your organisation’s behalf. Software as a Service (SaaS) or cloud service providers are a classic example. However, there is a wide range of other third-party providers you might contract with who may need to store or process personal information provided by your organisation to deliver their service to you.

For example, you might:

  • Share employee pay information with an external payroll provider or accountant.
  • Contract a company to collect information for a survey.
  • Use another organisation to provide personalised services for your customers.
  • Use an intermediary platform that shares the information with other third parties.

Before using a third-party provider

Before you engage a third-party provider, you need to understand:

  • What types of personal information you’ll share with them, or they’ll collect on your behalf.
  • What they will do with it.

Do they need personal information?

First, understand whether your organisation needs to provide personal information to the third-party provider at all. You should consider if you can achieve the results you want from a third-party provider without providing any personal information.

For example, your organisation might like to use a third-party marketing agency to provide advertising services. Marketing agencies can offer a range of services, from sourcing advertising on billboards or online advertising (which would not require any personal information), to using the information collected from an organisation’s existing customer database to create marketing strategies (which might require personal information, depending on the task).

Think about whether supplying aggregated, non-personal information might enable the marketing agency to perform the service adequately.

Please note: when changing the way you use clients’ or staff’s personal information, you need to assess the privacy risk and make sure you’re being transparent through your privacy statement to reflect any changes in use of personal information. We have guidance on how to improve your privacy transparency. We also have a PIA toolkit available to help assess the privacy risks.

What kind of personal information is it?

It’s important to understand the level of privacy risk that you’ll need to manage with your third-party provider. We have guidance on different kinds of personal information that may carry higher privacy risk, such as where the information is sensitive or confidential.

For example, an organisation might use a third-party software provider to manage its payroll. Information required to process payroll can be sensitive, such as bank account and IRD numbers. Appropriate security measures need to be in place. We have guidance on handling sensitive information.

Due diligence

You will need to be confident that the information is protected wherever it is, and whatever organisation is handling it. Ask questions that enable you to have that confidence (this is normally referred to as ‘due diligence’), and ask those questions early, before you commit to using the provider.

Any subsequent contract with that provider should satisfactorily reflect the key protections that you expect to be in place. It should also require the third-party to ensure that any subcontractors or support agencies will equally protect the information. Your organisation needs to know whether the third-party provider will use or disclose the personal information that you provide for its own business purposes. 

What will the third-party provider do with the information?

There are a range of services that third-party providers offer. Some third-party providers will merely store the information and some will process the information for you (for example, a service providing data analytics). Some may themselves use third-party services such as generative AI tools to store or process the information.

A key thing to understand is whether the third-party provider will use the information for their own purposes or not. Examples of a third party using information for its own purposes include using your information as AI training data, or using the information you provide to deliver services to other organisations.

If the third-party provider is storing or processing the information solely on your behalf (for example storing information as a cloud service) and will not use or disclose it for its own purposes, section 11 of the Privacy Act says that the third-party provider is not deemed to “hold” the personal information for the purposes of the Privacy Act. This also means that you are not “disclosing” the information to them, which means you do not need to worry about the Privacy Act’s disclosure principle (IPP 11). But as a result, your organisation remains fully responsible under the Privacy Act for what happens to that information. The third-party is “you” for the purposes of the Privacy Act.

If the third-party provider will use or disclose the information for its own purposes, as well as performing services for you, then both the third-party provider and your organisation will be deemed to “hold” that information for the purposes of the Privacy Act. That means you will both be responsible for the information in various ways depending on how it is being stored or used. Sharing personal information with that third-party provider could also be a “disclosure” and you will need to make sure that sharing the information is allowed under IPP11. IPP12 may also be relevant if the third-party provider is not based in New Zealand.

In addition, both your organisation and the third-party provider may be accountable if there is a privacy breach. This means that your organisation and the third-party provider need to have a plan to outline who will notify OPC and individuals affected in case there is a breach. We have guidance on who should notify OPC and affected individuals. 

Example of a section 11 situation: Wonder Bottling Ltd uses third-party Big Data Analytics

Wonder Bottling Ltd wants to use the third-party Big Data Analytics Ltd to run Wonder Bottling’s website. Big Data Analytics will store all website data, including personal information provided by customers to Wonder Bottling via web forms. It will also process the information stored and provided to the website to provide website analytics to Wonder Bottling Ltd.

Big Data Analytics is not using Wonder Bottling Ltd’s information for another purpose or service, such as using Wonder Bottling Ltd’s data insights to provide a service to another organisation. It is solely storing and processing information for Wonder Bottling Ltd. Under section 11, this means that Wonder Bottling Ltd is responsible for anything that happens to that information while it is being stored or processed by Big Data Analytics.

For instance, if Big Data Analytics is the subject of a notifiable privacy breach in relation to the personal information transmitted by Wonder Bottling, Wonder Bottling would be responsible for notifying the Office of the Privacy Commissioner (OPC) and affected individuals. In their agreement, Big Data Analytics should be required to inform Wonder Bottling about any breaches of that information so that Wonder Bottling can fulfil this requirement.

However, if Big Data Analytics were to change how it operates and start using that information for another purpose, Big Data Analytics would have its own obligations under the Privacy Act, such as responsibilities to make sure the information is accurate and fit for purpose under IPP8, and to use the information in line with IPP10. 

Protecting personal information once you’ve chosen a third-party provider

Since your organisation is legally responsible for anything that happens to the personal information that a third-party provider stores or processes for you (whether or not that third-party is also responsible), you should make sure that you have a robust agreement in place with them that requires them to keep the information safe and gives you a remedy when things go wrong.

What should be in an agreement with a third-party provider?

Security measures

An organisation needs to do everything within its power to prevent unauthorised use or disclosure of personal information. This means that your organisation needs to get assurances that the third-party provider has the appropriate security measures in place to protect any information it stores or processes on your behalf. The more sensitive the information is, the stronger those assurances may need to be.

Our guidance on security and access controls provides examples of the types of security measures the third-party provider should take to protect the personal information it stores. Your organisation may wish to seek regular reporting from the third-party provider on the effectiveness of the measures.

Individuals’ right to access and correct the information your organisation holds about them

The Privacy Act requires you to give people access to their personal information if they ask you to, and correct that information if it is wrong. There are also strict statutory timeframes for responding to requests. Those timeframes don’t change when the information is stored by a third-party rather than by you. You need to ensure that your agreement with the third-party provider includes provisions that make sure you can locate and retrieve information quickly, so you can meet your obligations.

Read our guidance on access and correction of personal information.

Reporting notifiable privacy breaches

The reporting of notifiable privacy breaches also needs to be factored into your agreement with a third-party provider, including how it will notify you of any breaches it has, and whether it will notify you of all breaches or only ones that it considers are notifiable. We strongly recommend that the contract requires the third-party provider to notify you of all breaches that affect the personal information it is storing or processing on your behalf, so that you can then decide what to do.

Your organisation will be responsible under the Privacy Act for reporting notifiable privacy breaches to the Office of the Privacy Commissioner so you need to be satisfied that the third-party provider will promptly notify you of breaches. The Office of the Privacy Commissioner generally expects to be told about notifiable breaches within 72 hours of the breach becoming known. That period starts when the third-party provider knows about the breach, not when they tell you, so it is important to make sure that you are told as soon as possible.

Poupou Matatapu has more information on notifiable privacy breaches, including the obligation to notify affected individuals. 

Third-party compliance with the Privacy Act

Your agreement should make sure there are contractual obligations on the third-party provider to comply with all applicable privacy laws.

Disposal of personal information during and after the agreement

Organisations must not keep personal information for longer than they need. It’s important that your agreement outlines how long the third-party provider will store the personal information on your behalf. In short, the third-party provider should only retain the information for as long as you want it to and are permitted to yourself. Ideally, you should be able to delete the information yourself as retention periods are reached or your circumstances change.

The agreement should also outline what will happen to the information at the end of the agreement. Will it be transferred back to you? How will it be disposed of? Can the third-party provider give you assurances that the information has been permanently deleted (including from backups)? Poupou Matatapu has more guidance on retention and disposal in the Know your Personal Information Pou.

Assurance that the third-party provider will only use the personal information for delivering the services

Your agreement should include an assurance that the third-party provider will only use the personal information it stores or processes on your behalf to deliver the services you have requested, as outlined in the agreement. Remember that if the third-party provider will be using or disclosing the information for its own purposes, the third-party will have its own obligations under the Privacy Act.

Checklist for what should be in your agreement with a third-party service provider:

  1. Appropriate security measures.
  2. Facilitation of access and correction requests.
  3. Process and time frame for notifying you of privacy breaches, especially notifiable breaches.
  4. Compliance with relevant privacy laws.
  5. The third-party’s use of the information you provide.

Parliament Hansard Report – Tuesday, 3 June 2025 – Volume 784 – 001497

Source: New Zealand Parliament

MOTIONS

Waikato-Tainui Treaty Settlement, 30th Anniversary – Leave Declined

HANA-RAWHITI MAIPI-CLARKE (Te Pāti Māori—Hauraki-Waikato): I seek leave to move a motion without notice and without debate that this House commemorates the 30-year anniversary of the Waikato-Tainui raupatu settlement signed at Tūrangawaewae Marae in May 1995.

SPEAKER: Leave is sought for that particular course of action. Is there any objection? There appears to—

Rt Hon WINSTON PETERS (Minister of Foreign Affairs): Yes. Point of order, Mr Speaker. If we look at the number of settlements there have been, then we’ll be doing this every day for about one-third of the year’s sittings. So it was not against the idea—this was the first settlement we ever had—but it’s the inappropriate repetitiveness of it all.

SPEAKER: Though that is true, it was also the first settlement we had. None the less, leave is denied.

Parliament Hansard Report – Karakia/Prayers – 001496

Source: New Zealand Parliament

TUESDAY, 3 JUNE 2025

The Speaker took the Chair at 2 p.m.

KARAKIA/PRAYERS

LEMAUGA LYDIA SOSENE (Labour—Māngere): Let us bow and pray. Almighty God, we thank You for the blessings and responsibilities You have bestowed upon us. We lay aside our individual feelings and thoughts in acknowledging the Queen of Britain. We pray that all plans and decisions within this House may be just and honest. May the leaders of this Government have far-sighted wisdom, patience and humility, for the wellbeing and peace of New Zealand. This is our prayer, through the beloved name of Jesus Christ. Amen.

Parliament Hansard Report – Motions — Rt Hon Jim Bolger—90th Birthday – 001495

Source: New Zealand Parliament

MOTIONS

Rt Hon Jim Bolger—90th Birthday

SPEAKER: Members, on 31 May this year, the Rt Hon Jim Bolger ONZ celebrated his 90th birthday. Jim Bolger was a member of this House from 1972 to 1998. He served as Leader of the Opposition and was Prime Minister for seven years, before his retirement from this House. Post-Parliament, he served as New Zealand’s Ambassador to the United States and, after that, was chair of New Zealand Post. He retains a keen interest in proceedings in this House and the betterment of New Zealand. I’m sure members will want to stand and join with me in expressing our birthday wishes both to the Rt Hon Jim Bolger and Mrs Joan Bolger, who has been such a support to him.

Outstanding New Zealanders honoured

Source: New Zealand Government

Prime Minister Christopher Luxon has congratulated the 2025 recipients of King’s Birthday Honours.

“Every person on this list has made New Zealand a better place. 

“Locally, regionally, nationally, and internationally they are the proof that individual actions build a strong and thriving country.

“I am inordinately proud that twice every year, we can easily find dozens of outstanding citizens to honour this way, and I would like to thank all of the New Zealanders on this list for their service and achievements.

“To our new Dames and Knights, carry your Honour with the pride with which it was given,” Mr Luxon says.

Appointed as Dames Companion of the New Zealand Order of Merit are Ranjna Patel, Emeritus Distinguished Professor Alison Stewart, and Catriona Williams.

“Dame Ranjna Patel has made a lasting impact across New Zealand in her service to ethnic communities, health and family violence prevention. She founded Mana for Mums for young Māori and Pacific women in South Auckland, co-founded a multi-cultural community centre, and co-founded Tāmaki Health, which has grown to become New Zealand’s largest privately owned primary healthcare group. In doing so, Dame Ranjna has helped hundreds of thousands of New Zealanders,” says Mr Luxon.

“Dame Alison Stewart is an internationally renowned plant scientist with a 40-year career focused on sustainable plant protection, soil biology and plant biotechnology. She reinforces New Zealand’s stellar reputation in science and is an example of how our science community will continue to lead the world,” Mr Luxon says.

“Dame Catriona Williams’ legacy in spinal cord injury goes back more than 20 years. This remarkable woman has been the founder and driving force behind the CatWalk Spinal Cord Injury Trust since its establishment in 2005. She has inspired countless people by her example of courage and determination in the face of adversity. Dame Catriona dedicates her time to engage with people who have experienced a spinal cord injury and are new to life in a wheelchair,” says Mr Luxon. 

This year’s Knights Companion are The Honourable Mark Cooper, Brendan Lindsay, and Ewan Smith.

“Sir Mark Cooper’s service to the judiciary is distinguished and longstanding. He became President of the Court of Appeal after being a Court of Appeal Judge from 2014 and a High Court Judge from 2004. Sir Mark was Chairperson of the Royal Commission of Inquiry into Building Failure caused by the Canterbury Earthquakes and his detailed findings and recommendations avoided delay to the Canterbury rebuild and provided a sense of resolution to the community at a time it was critical,” Mr Luxon says.

“Businessman and philanthropist Sir Brendan Lindsay built a global brand producing sustainable and recyclable storage products stamped ‘Made in New Zealand’. Sistema was sold to an American firm in 2016, with the buyer committing in writing to keep production in New Zealand for 20 years. That business acumen has created a philanthropic legacy that has helped countless charities including Pet Refuge, Starship National Air Ambulance Service, New Zealand Riding for the Disabled and Assistance Dogs New Zealand Trust,” Mr Luxon says.

“Sir Ewan Smith is legendary in the Cook Islands. The founder of Air Rarotonga, he has grown the business to become the largest private sector employer in the Cook Islands. However, it is his passion and loyalty to his people that distinguishes him further. During the COVID-19 pandemic, he ensured no Air Rarotonga employee was made redundant, and the airline maintained essential cargo and medevac services throughout the Cooks. Everyone including himself was placed on a minimum wage and he provided mentorship, counselling and budget advice to staff. Sir Ewan exemplifies what it is to be a good employer and an outstanding citizen.

“I would like to congratulate all 188 recipients of this year’s King’s Birthday Honours. We are proud of you, and we celebrate the example you set for others,” Mr Luxon says.

Government guts WorkSafe

Source: NZCTU

The Minister for Workplace Relations and Safety’s announcement today on gutting WorkSafe’s enforcement capability signals a return to a failed approach, that will weaken our health and safety system, said the New Zealand Council of Trade Unions Te Kauae Kaimahi.

“A soft approach to poor health and safety was a critical failing that led to the Pike River mine disaster, one of the worst health and safety failings in New Zealand history,” said NZCTU President Richard Wagstaff.

“Brooke van Velden continues to systematically gut WorkSafe to help protect businesses from enforcement of breaches of the law, rather than protecting the workers who suffer huge rates of injury and fatality as a result of work.

“WorkSafe was established in the wake of the Pike River mine disaster. It was clear that we needed a well-resourced, effective, and strong regulator, that was prepared to prosecute where necessary, as this was clearly lacking.

“Every week a worker is killed on the job on average in New Zealand, and 17 more are killed from the impact of work-related illnesses and diseases. Every year there are over 30,000 injuries suffered that require more than a week away from work. Nothing in these announcements will have a positive effect on these numbers.

“In the past few years, WorkSafe has endured cuts to the tune of millions of dollars, resulting in fewer staff. Since it was established the WorkSafe inspectorate has reduced from 8 per 100 thousand employees to 6.5, amongst cuts to the wider WorkSafe staffing levels.

“The Minister’s decision to gut WorkSafe is a reflection of a government that is prioritising profits over people,” said Wagstaff.

More to the case following traffic stop

Source: New Zealand Police

Night shift staff pursued a lead that led to a great catch for Mt Wellington Police this morning.

At around 3.20am, units were patrolling near Penrose Road when they stopped a vehicle.

“Once stopped the officers noticed a strong smell of cannabis coming from inside,” Auckland City East Area Prevention Manager, Inspector Rachel Dolheguy says.

“A search of the vehicle was invoked and resulted in a guitar case containing an unloaded military-style pump-action shotgun being located in the boot.”

Also found were four shotgun shells, a small amount of cannabis and cannabis paraphernalia.

“This was great proactive police work by our officers, which has resulted in a high-powered weapon being removed from our community,” Inspector Dolheguy says.

A 34-year-old male will appear in the Auckland District Court this morning charged with possessing a firearm and possessing cannabis.

ENDS.

Amanda Wieneke/NZ Police

Police urge public to be aware of recent card skimming incidents

Source: New Zealand Police

Police are urging members of the Wellington community to be aware of recent card skimming incidents, taking thousands of dollars from victims.

Wellington District Operations Manager, Acting Inspector Tim McIntosh says Police have seen an increase in the number of victims losing large amounts of money due to card skimming incidents.

“In the last week alone, we have received around 12 reports of this offending, where in some cases victims have lost over $5,000.”

Card skimming is where an offender will install a device with a camera on an ATM or POS (point of sale) terminal to capture card data and record PIN numbers.

Offenders will then use the obtained information to create fake payment cards and make unauthorised purchases or withdraw funds to steal from victims’ accounts.

“We urge the public to be aware of this type of offending to ensure they can take the proper precautions to keep their data and finances safe,” says Acting Inspector Tim McIntosh.

“Thankfully, there are many ways to help prevent being a victim of card skimming when using your cards.”

  • Always double check an ATM or POS terminal. Look out for signs of damage or tampering, loose or unattached pieces, or a different colour variation on the device.
  • Block your PIN number. When entering your PIN number, use your other hand to block any camera that may be recording.
  • Trust in what you know. A large majority of card skimming takes place at non-bank ATM machines due to increased security and cameras around bank ATMs.
  • Follow your instinct. If you feel something is off or suspicious about an ATM or POS terminal, check-in with a bank or store staff member.
  • Regularly check on your accounts. This will not only allow you to keep track of where you have spent your money, but will also ensure you can act quickly in the case your money has been stolen.

If you believe you have been victim to card skimming, please contact your bank immediately and cancel your cards and accounts.

Police also urge you to gather as much information as you can and make a report through 105.police.govt.nz or call 105.

You can also provide information anonymously through Crime Stoppers at 0800 555 111.

For more information on card skimming, head to Westpac’s guide to card skimming or Southern Cross Travel Insurance.

ENDS

Issued by Police Media Centre

Teen makes tracks to court

Source: New Zealand Police

A teenager’s tearing up of a rugby club’s fields has taken a turn for the worse.

The 19-year-old has swapped the keys to his new pride and joy for a court appearance.

Kumeū Police got onto the case after locals awoke to the Kumeū Rugby Club fields torn up early on Saturday morning.

“A furore ensued on the community grapevines given a prized community asset had been damaged,” Sergeant Graham Bennett says.

“Information was quickly passed onto Police which was followed up and a vehicle of interest was identified.”

After ongoing attempts to speak with the driver, Kumeū Police have since interviewed him.

Sergeant Bennett says the 19-year-old Hobsonville man has been charged with intentional damage as well as other driving offences.

“The driver has had his newly purchased vehicle impounded.”

He will appear in the Waitākere District Court at a later date.

Sergeant Bennett says: “Police would like to thank those involved in the rugby club and members of the public for their assistance in supplying information which led to this apprehension.

“It’s a reminder about consequences, and we will not tolerate this behaviour in the community given the risks posed and damage created.”

ENDS.

Jarred Williamson/NZ Police

Luxon must end climate denial speculation

Source: Green Party

The Greens welcome the open letter from world-leading climate scientists to the Prime Minister, urging his Government to abandon any plan to water down climate targets.

“Christopher Luxon must end any further speculation that his Government is on the climate denial bandwagon. After wasting a year playing around with the mythical ‘no additional warming’ idea, international alarm bells are ringing,” says Green Party co-leader and Climate Change spokesperson, Chlöe Swarbrick.

“The Climate Change Commission is clear that any entertainment of ‘no additional warming’ from agricultural gasses would mean households and businesses across the rest of the economy carrying a far higher burden.

“International experts are rightfully calling out this accounting trick. It’s about fixing numbers on a page while the real world burns.

“While the Government doesn’t tend to show any care for people and the planet, perhaps they would understand that pushing ahead with this agenda poses huge risks for our international exports, climate and trade agreements.

“The Greens have shown how we can reduce real-world emissions five times faster than the Government’s ‘plan,’ while reducing the cost of living and improving our quality of life.

“New Zealanders deserve so much better than this Government’s low ambitions for our country,” says Chlöe Swarbrick.

* The Green Party has raised this issue multiple times. Please see some examples below