Agency responsibilities
This guidance outlines the responsibilities of government agencies when sharing personal information with third parties, as part of the information sharing standard.
This guidance is in development
This guidance will be updated based on your questions and feedback. If you would like anything added or clarified, email the Government Chief Digital Office (GCDO).
Email: gcdo@dia.govt.nz
Agency responsibilities
Personal information held by government agencies is often collected when an individual applies for a government service. The unique relationship this creates between individuals and government gives agencies significant responsibility to keep personal information safe.
When government agencies share personal information with the third party, the agencies must make sure they can satisfy the requirements in the information sharing standard.
Nine responsibilities that agencies must satisfy
- The agency has a clear purpose and legal authority for the information sharing.
- The agency is clearly accountable for the personal information it holds at all times.
- The agency has clearly identified and assessed the risks of sharing information.
- The risks can be mitigated (managed) to an acceptable level.
- The agency has assurance that personal information is adequately protected.
- The agency is aware of conflicts of interest and there are appropriate management processes in place.
- The agency can take action if a suspected security or privacy breach happens.
- The agency records and can report on the information sharing.
- All parties are aware of and understand their responsibilities.
Guidance on each of these responsibilities is given below.
Broader public sector responsibilities
The GCDO has more guidance on public sector responsibilities for personal information that goes beyond sharing with third parties.
Questions to help agencies meet the 9 responsibilities
Agencies must make sure they can carry out all 9 responsibilities. Agencies can test this by asking themselves the questions listed under each responsibility.
The questions provided here are not an exhaustive list. Agencies are encouraged to ask themselves more questions and adapt the questions here so they are appropriate for their specific situation.
To help an agency answer these questions, an agency may need to:
- talk with the third parties to make sure the third parties understand the requirements
- establish requirements in agreements that are specific to the risks that have been assessed
- educate third parties with training to upskill where required.
1. Clear purpose and legal authority
Sharing personal information with the third party must have a specific purpose and be done under a legal authority.
- The purpose for sharing will be linked to the delivery of public services that the third party is doing with the agency.
- The legal authority can be under the Privacy Act or under specific legislation that an agency administers.
Having a specific purpose for collection and a legal authority to share are legal requirements under the Privacy Act.
- Is it necessary to share personal information to achieve the purpose?
- Is the purpose for sharing information clear?
- Is there a legal authority to share the information?
- If there is a legal authority, should the agency be sharing the information?
- Are there any ethical concerns or considerations about sharing the information?
- What are any other necessary requirements to protect personal information as part of the legal authority to share?
- Are those protections sufficient for the purposes of sharing personal information?
Get more guidance on purpose and legal authority:
- Principle 1: Purpose for collection of personal information — Office of the Privacy Commissioner
- Data protection and use policy: Purpose matters guideline
- Legal authority to share information
2. Clear accountability
One of the aims for the standard is that agencies have accountability for the personal information they have responsibility for. This accountability includes when personal information is under the control of the third party.
Clear accountability means the agency makes sure the third party acts in line with their agreed responsibilities, and those responsibilities are clear to both parties. The third party demonstrates they understand the expectations by putting the necessary protections in place. This is on top of the third party’s own responsibility for using personal information under the Privacy Act.
Accountability does not mean the agency observes and approves every single case of personal information used by the third party. That expectation is not realistic and can cause a high burden for both the agency and the third party.
The most effective way for an agency to set clear expectations for accountability is to have a written agreement with the third party, when it is required.
- What is an agency’s role in sharing the information?
- How will the agency maintain oversight and understanding of how the information will be used by the third party?
- How will that oversight and understanding be communicated to the third party?
- What training may be required for agency staff to ensure they are aware of their responsibilities?
The Office of the Privacy Commissioner has guidance on privacy responsibilities for agency accountability.
Your privacy responsibilities — Office of the Privacy Commissioner
3. and 4. Risk identification, assessment and mitigating risks
An agency working with the third party must identify and understand the risks when sharing personal information with the third party. The agency needs to do a proportional risk assessment.
Once these risks are identified, the agency must have assurance that the risks can be managed and controlled, before personal information is shared. This process is called risk mitigation.
- What due diligence has been done on the third party, either by the agency or another party?
- How will an agency work with the third party to understand risks?
- What level of risk assessment is required?
- How will an agency record the risks?
- How much personal information is being shared, when is it being shared, and for how long?
- What is the agency’s risk framework and tolerance for risk?
- How will an agency review risk frameworks provided by third parties?
Guidance on assessing risk
The Office of the Privacy Commissioner has information and resources to help you do a privacy impact assessment (PIA). (Links to the PIA resources are at the bottom of the page.)
Privacy Impact Assessments (PIA)
See the guidance on this website:
The Department of Corrections has developed a risk-framework template for third parties that agencies can use to create their own risk framework.
Privacy risk and assurance framework — Privacy Foundation NZ (PDF 94.5KB)
5. Assurance that personal information is protected
When the third party holds personal information that has been shared by an agency, the third party needs to protect that information in a way that is practically similar to how the agency would protect it.
This means third parties need to have controls for the security and privacy of the personal information they hold. The agency is responsible for identifying the controls the third party has and for having assurance that those security and privacy processes are adequate.
- What due diligence has been done on the third party, either by the agency or another party?
- What processes or formal procedures does the third party have in place?
- Does the third party have access to datasets from different agencies, and if so, what steps are in place to prevent unauthorised merging or aggregation of that information?
- What systems are in use at the third party?
- What security, privacy and access policies does the third party have in place?
- What subcontractors does the third party use that need access to the personal information being shared?
- Does an agency need to provide training or support for third parties?
- Can the third party regularly report back to the agency?
The Office of the Privacy Commissioner and the Protective Security Requirements (PSR) have guidance on protecting personal information.
- Principle 5: Storage and security of information — Office of the Privacy Commissioner
- Poupou Matatapu: Security and internal access controls — Office of the Privacy Commissioner
- Information security (INFOSEC) — Protective Security Requirements
Public Records Act
Protecting personal information includes the agency’s requirements for information storage and disposal under the Public Records Act. The third party may not be aware of the agency’s requirements under this Act.
Archives New Zealand is responsible for the Public Records Act and issued the Information and records management standard in .
Key obligations and the standard — Archives New Zealand
Subcontractors and agreement for approval
The third party may need to provide a subcontractor with the personal information that the agency shared with the third party. As a result, the personal information could be used and held by a subcontractor that the agency did not know about, when it agreed to share the personal information with the third party.
This situation can be avoided if the agency’s agreement with the third party includes provisions about sharing personal information with subcontractors. The provisions might include, for example:
- the agency must approve the third party’s subcontractors before the subcontractor can access the personal information
- steps to take if the agency-approved subcontractor is changing, after the subcontractor has had access to the personal information.
6. Conflicts of interest and management processes
Third parties and the individuals that work or volunteer for them often have a wide range of interests. It’s normal for a third party to have conflicts of interest with their local community.
Identifying and managing conflicts of interest properly helps to build and maintain public trust. Conflict of interest management is an active process which includes keeping good records and monitoring changing circumstances.
The third party is responsible for identifying and managing its conflicts of interest, including with the agency-approved subcontractors it uses.
Before information is shared or collected:
- agencies and third parties must discuss any interests relevant to the information sharing that could give rise to possible conflicts
- both the agency and the third party must agree and record in writing how any conflicts will be managed
- the agency must have confidence that the third party’s policies and process are in place and conflicts are well-managed by the third party.
- When and how will agencies and third parties discuss interests of relevance?
- Who will have access to the information?
- What are the responsibilities and roles of individuals within the third party when they access personal information that’s to be shared?
- What interests do the individuals within the third party have at work or outside of work that could lead to a potential conflict of interest?
- How does the third party manage subcontractors and their interests?
- How will third parties record and share changes to their staff, interests and conflicts?
- What will happen if the third party does not disclose, cannot manage, or is not managing a conflict of interest to the satisfaction of the agency?
The Public Service Commission has reissued the Conflicts of interest model standard and guidance for that standard.
- Model standards: Conflicts of interest — Te Kawa Mataaho Public Service Commission
- Guide to conflicts of interest conversations — Te Kawa Mataaho Public Service Commission (PDF 173KB)
7. Take action with security or privacy breaches
Agencies are accountable for the personal information that’s shared with third parties. They must be able to intervene and support the third party in the event of a suspected or actual security or privacy breach. Agencies must also investigate the breach if required.
Agencies need to make sure the third party knows:
- who to contact in the agency if there has been a breach
- how to report a privacy breach to the Office of the Privacy Commissioner and potentially to the National Cyber Security Centre.
Notifying the Office of the Privacy Commissioner of a privacy breach as soon as practically able is a legal requirement in the Privacy Act. The Office of the Privacy Commissioner has an expectation that a notifiable privacy breach should be made to their Office no later than 72 hours after the agency or third party is aware of the breach.
Any investigation by an agency about a notifiable breach with the third party should never delay notifying the suspected or actual privacy breach to the Office of the Privacy Commissioner.
- If there is a suspected breach, will the agency and the third party be able to work openly and honestly, and in a timely fashion?
- What investigation can the agency do regarding the breach?
- What powers of audit does the agency have, if it is not possible to do an investigation?
- Is the personal information easily retrievable by the agency?
- Can the third party’s access to the personal information be cut off?
Resources on reporting breaches:
- Breach Management — Office of the Privacy Commissioner
- Incident response — National Cyber Security Centre
- Report an incident — National Cyber Security Centre.
The GCDO has resources on how to maintain a privacy incident register, response plan, and learning from privacy breaches.
Privacy incidents and breaches
8. Record and report on information sharing
Agencies must keep a central record of information sharing agreements and be able to provide details about them when requested by an appropriate government authority.
These authorities are the:
- Public Service Commission
- Government Chief Data Steward
- Government Chief Digital Officer.
Records of information sharing agreements may be requested if there is an investigation by the Privacy Commissioner. The Privacy Commissioner has the legal ability to investigate both the agency and the third party if it has received a complaint or on its own initiative.
The information an agency should record and be able to report on includes:
- the risk assessment approach the agency has used, and the number of proportional agency risk assessments done
- details of information sharing agreements such as the number of information sharing agreements entered and reviewed, and how many of those agreements are legally binding or have legally binding agreements attached
- the details of individual information sharing agreements such as the signed original copy between the agency and the third party.
- Do agreements have accurate details of the third party?
- Do agreements record the details of the personal information being shared, including the methods of sharing and any technical specifications?
- Are risk assessment outcomes and the controls identified, recorded and filed in such a way that the agreement and the risk assessment can be easily located and always be seen together?
- Do agreements have clear review dates if required?
- What is the most appropriate position in the agency to receive requests for providing details of agreements to government authorities?
9. Being aware of and understanding responsibilities
Third parties may not have the privacy or security resources and experience that are needed to adequately protect the personal information that is shared with them.
The agency has a responsibility to engage with the third party to make sure the third party understands and can protect the personal information that has been shared.
- Is there a realistic and practical list of expectations that the agency can provide to third parties?
- What conversations are needed with the third party?
- Is additional training required internally for the agency and the third party?
- Does an agency need to provide training or support for the third party?
Your privacy responsibilities — Office of the Privacy Commissioner
The Office of the Privacy Commissioner has free e-learning modules about the information privacy principles, the Privacy Act and specific privacy topics.
Contact us
For further information, to ask questions or give feedback, please email the Government Chief Digital Officer (GCDO) team.
Email: gcdo@dia.govt.nz