The Government's Chief Digital Officer has recently published a Standard for providing non-government third parties with access to, or collection of, government-held personal information (Standard). The Standard has been introduced to address some of the issues identified in the Inquiry into the Protection of Personal Information released in February, which looked at the handling of personal information in connection with Census 2023 and COVID-19 vaccinations.
The new Standard applies from 1 July. We anticipate that, if they have not already done so, public sector agencies will be thinking about their risk exposure in terms of information that they contract third parties to collect to provide public services, and implementation of the Standard. Third parties who contract with public sector agencies will also be thinking about what the Standard's requirements may mean for them. We summarise below the key points agencies and their providers need to know.
Who does the Standard apply to?
The Standard is made under section 57 of the Public Service Act 2020, which means that compliance with the Standard is mandatory for public service agencies as defined in that Act. That includes departments, ministries, and interdepartmental agencies.
For other State service agencies (such as Crown entities), compliance with the Standard is not mandatory; the Standard applies to them as guidance.
The Standard applies broadly but has some exclusions; it does not apply to information shared in accordance with Approved Information Sharing Agreements under the Privacy Act 2020, or information sharing under the Intelligence and Security Act 2017.
What does the Standard apply to?
The Standard applies to the collection or accessing of personal information by third parties who are not part of the State services to deliver or support the delivery of public services. It also applies to Māori data, which is described in the Standard as "…referring to data, information or knowledge (including mātauranga Māori) that is about, from or connected to Māori."
What do agencies need to do to comply?
The Standard contemplates a two-step process:
- A due diligence assessment of the information collection and sharing; and
- If necessary, entering into legally binding arrangements to ensure the protection of the information.
What does due diligence involve?
For new information collection and sharing, due diligence must take place before agencies give third parties access to the relevant information. Due diligence includes a risk assessment, in which agencies should seek clarity regarding:
- What kind of information is being shared?
- What's the justification and legal authority for sharing the information?
- How much information is being shared and how long for?
- Can the agency retain oversight of third party held information?
- What are the risks to Māori data, and how can they be mitigated?
- What's the third party’s capability to protect the information?
- What conflicts might arise with the third party – might they have a use for the information beyond the intended purpose?
- How well can the agency deal with non-compliance or suspected breaches?
If the risks identified as part of that assessment cannot be managed through agency and legislative controls, the Standard says that the agency must form a legally binding agreement with the third party. If there is any uncertainty as to whether that's needed, the Standard says an agency should enter into a legally binding agreement. If an agreement is not used, the Standard says agencies should record the lawful basis for sharing information, along with the steps taken to protect the relevant information.
What does an agreement need to include?
The Standard sets out 11 things that must be addressed in the relevant agreement, many of which may already be a key feature of agencies' existing agreements with third parties who collect information as part of providing public services (which could be funding agreements, outcome agreements, or specific information sharing agreements):
- Purpose: agreements must describe the personal information, and why it is available to the third party – including what sort of uses are in and out of scope
- Safeguards: agreements must describe information-sharing safeguards in place, including requirements to declare conflicts, conflict of interest processes and subcontractor access, and security requirements
- Non-compliance: agreements must include provisions to address non-compliance, which could include the power to remove third party access, take action, and terminate the agreement
- Records: agreements should set out how agencies will comply with Public Records Act 2005 requirements as to security, storage, access, disclosure, notification and deletion/return or disposal.
New Zealand Government Procurement has also indicated that the Government Model Contract templates are not suitable agreements for the purposes of the Standard, and that New Zealand Government Procurement's All-of-Government and Common Capability contracts fall outside the scope of the Standard (as they do not generally relate to the delivery of public services).
By when must agencies comply?
The Standard applies from 1 July 2025 and requires that:
- Agreements entered into from 1 July 2025 must meet the Standard
- Existing agreements must be updated or amended to meet the Standard’s requirements at the next scheduled review, or earlier if required based on risk.
Does the Standard go further than the Privacy Act?
The Standard reflects and reinforces privacy best practice and requirements for collection, use, storage, and sharing of information in the Privacy Act. However, in some respects the Standard includes more specific requirements. For example:
- The Standard specifically addresses Māori data, unlike the Privacy Act 2020, which does not make explicit reference to obligations regarding Māori data. If personal information involves Māori data, the Standard says agencies must ensure that their practices for accessing, sharing, and protecting such data respect and uphold Māori rights and interests in relation to their information.
- The Privacy Act has clear requirements as to "use" of personal information; with exceptions, personal information must be used only for the purposes for which it was collected. The Standard places greater emphasis on the need to address potential conflicts of interest to ensure that information is not misused, for example by requiring that agreements clearly describe the information being shared, why it is made available to a third party, and the justification for the purpose for which it is being used. Furthermore, the Standard requires that agencies ensure third parties take responsibility for appropriately managing conflicts of interest, including those involving subcontractors.
What next?
The Chief Digital Officer has published draft guidance on how agencies should implement the Standard, as well as information about definitions used in the Standard. Further guidance on types of agreements, tikanga, agency responsibilities, assurance, and legally binding agreements, will be provided at a later date.
We have extensive experience in agreements and arrangements for the provision of a wide range of public services, and in helping agencies and providers manage privacy risks that can arise. If you'd like help with implementing the new Standard, please talk to one of our team.
This article was co-authored with Stephen Jannink (law clerk).