Due diligence guidance

Due diligence before sharing

The information sharing standard requires government agencies to do due diligence before sharing personal information with a non-government third party.

Due diligence means understanding the:

• environment that the agency operates in with respect to personal information
• relationship between the agency and the third party
• risks when sharing personal information with a third party.

Legally binding agreements and record keeping

Legally binding agreements require both parties to cooperate and protect personal information. These agreements also give the agency assurance that the third party is using the information as agreed and keeping it safe and protected.

An agency’s due diligence work needs to be recorded. This information may be requested if there is an investigation.

Legally binding agreements

Risk assessment

There are several things that can impact the level of risk when sharing personal information. To understand the risk, a risk assessment must be done before personal information is shared.

Some sharing activities may be impacted by legal requirements and use cases. This may mean that an agency can meet the standard without needing a legally binding agreement. Completing a risk assessment will help to determine these impacts.

Risk assessment guidance

Due diligence factors

These are the legal requirements and use cases that may impact risk when agencies share personal information with third parties. These factors can change depending on the environment and the relationship with a third party.

These factors can help to reduce risk. Some factors may not have a direct risk impact. It is still important to consider and record the factors involved when sharing personal information.

Some of the most common and impactful due diligence factors are described below. This is not a complete list of all due diligence factors that can impact risk. Agencies may have factors that are specific to them and the third parties they share personal information with.

Legislative due diligence factors

A legislative due diligence factor is how New Zealand laws may impact the environment, relationships and risks when sharing personal information with a non-government third party.

Three specific laws are mentioned here, but there may be other laws that could be relevant for an agency doing its due diligence.

Section 11 of the Privacy Act 2020

Section 11 of the Privacy Act 2020 outlines how personal information is to be treated when it is held by a third party who will not use it for their own purposes and hold the personal information for or on behalf of another agency.

This section of the act describes when:

• personal information is provided to the third party that is acting as a representative or agent, or for safe custody or processing
• the third party does not use or disclose the information they hold for their own purposes
• the government agency is still responsible for the personal information and other obligations under the Privacy Act 2020. The agency cannot contract out its privacy responsibilities to the third party acting as a representative or agent holding the personal information.

The Office of the Privacy Commissioner has guidance on personal information that is stored or processed by a third-party provider.

• Working with third-party providers — Office of the Privacy Commissioner
• Privacy Act 2020: section 11 — New Zealand Legislation

All of Government Digital Contracts

The GCDO establishes and manages the All of Government (AoG) Digital Contracts that agencies use to directly engage with digital service suppliers. The GCDO has reviewed the AoG Digital Contracts against the mandatory requirements of the Standard and agencies using the AoG Digital Contracts automatically inherit the protection in those Contracts.

The GCDO Contracts require AoG digital suppliers to adhere to the Privacy Act. Additionally, all GCDO Certified digital products and services require suppliers to declare third parties. Third parties are subject to the same access and information management requirements as the supplier who is audited annually.

For high use/high risk services, the GCDO also undertakes foundational security certification and assurance work to ensure those services are secure. All GCDO Certified products already meet the requirements of the Standard as part of the GCDO security certification and assurance process.

This Certification includes ensuring third parties are identified and assessed, and their access to information is carefully managed. It is important to note that the AoG Digital Contracts focus on access to data that is needed to run a service, such as a help desk or contact centre software, not outsourcing business delivery tasks.

Agencies consuming products and services outside of the AoG Digital Contracts must ensure compliance with the Standard.

An agency’s own legislative protections

Government agencies operate under their own legislation. These laws may contain powers to collect personal information from individuals and to use or share this information in specific ways.

Agencies with these powers to collect and use personal information may:

• already have the ability to investigate a third party’s use of personal information that’s been shared with them
• have a level of assurance that is equal to or better than what the standard requires
• assess their due diligence and risk assessment differently than agencies who do not have powers and protection of personal information in their laws
• take a different approach to manage risk and get assurance to meet the objectives of this standard.

An agency’s own legislation is only 1 of the ways that an agency’s due diligence and risk assessment will depend on their situation.

Supplying information to reduce harm to individuals

New Zealand has specific laws that enable or require personal information to be shared to government agencies and others to reduce harm to individuals. The other agencies include for example, a family violence agency or a care and protection co-ordinator.

The information sharing standard does not override those laws and the protections those laws give individuals and third parties, when personal information is shared to reduce harm.

Personal information can be shared under these laws without needing any new requirements or additional steps from the standard. These requirements include for example, a legally binding information sharing agreement.

Agencies should keep a record of the personal information that is shared.

Two of these laws and their protections when sharing personal information are the:

• Family Violence Act 2018 — New Zealand Legislation
• Oranga Tamariki Act 1989 — New Zealand Legislation.

Guidance on how personal information can be shared to reduce harm under those Acts is available from:

• Information sharing guidance — Ministry of Justice
• Guidance for sharing information — Oranga Tamariki.

This guidance should be read before implementing anything in this standard if personal information may be accessed or collected under these Acts.

Use case due diligence factors

A use case due diligence factor is how a reason for sharing personal information may impact the environment, relationships and risks.

Three specific use cases are mentioned here, but there may be other use cases that could be relevant for an agency doing its due diligence.

Personal information used for research purposes

Some third parties will access and collect personal information from an agency for research purposes. This research can help an agency to understand how it can better deliver public services.

Personal information shared for research purposes can be made anonymous. If not, it might be possible for an unauthorised person or other third party to identify an individual.

Agencies can manage the risk of re-identifying an individual from anonymised research datasets before the personal information is shared.

To manage risk, an agency can:

• decide in advance, before the personal information is shared, what the information sharing requirements will be
• require that the datasets the agency provides to the third party are returned to the agency
• make sure the third party does not keep a copy of the personal information after the research has finished.

Restricting the timely delivery of services

Fully implementing the information sharing standard may restrict the timely delivery of services. Agencies may need to give priority to delivering services over fully recording and implementing agreements as the standard requires.

When this happens, agencies must make sure that agreements to share personal information will be compliant with the standard at the earliest possible opportunity. This includes documenting the due diligence and risk.

Authority of the individual and transparency

An individual may share their personal information with an agency and authorise the agency to use it for a specific purpose. This is often called ‘consent’.

Under the Privacy Act 2020, an agency must tell the individual when their personal information is being collected — at the time of collection or as soon as possible afterwards.

Privacy Act 2020 — New Zealand Legislation

More transparency guidance

The Office of the Privacy Commissioner’s Poupou Matatapu: doing privacy well framework has guidance about achieving meaningful transparency using privacy notices and statements.

• Poupou Matatapu: doing privacy well — Office of the Privacy Commissioner
• Transparency — Office of the Privacy Commissioner

The Data Protection and Use Policy has 4 guidelines to build respect, trust and transparency. The Transparency and Choice Guideline helps people to understand why their personal information is needed.

Transparency and Choice Guideline

Contact us