
Standard for providing non-government third parties with access to, or collection of, government-held personal information

This standard outlines the requirements public service agencies must follow to protect personal information when providing access to, or collecting personal information from, a non-government third party.

Forewords

Foreword from the Public Service Commissioner

As we move into an increasingly data-driven world, New Zealanders can rightly expect that government agencies will protect and manage their personal information. This is non-negotiable.

Protecting information and unlocking its potential to improve or measure delivery should not be seen as conflicting. Agencies that put integrity, privacy and transparency at the heart of their information management and service delivery will retain the trust and confidence of the public.

I welcome this new standard. It places clear expectations on all parties including those who receive funding and will support agencies to adopt stronger information security management and assurance practices.

Sir Brian Roche, Te Tumu Whakarae Mō Te Kawa Mataaho | Public Service Commissioner

Foreword from the Government Chief Digital Officer

As the Government Chief Digital Officer, I am 1 of 7 system leads appointed by the Public Service Commissioner.

This new standard has been developed in my role as the Government Chief Digital Officer. My thanks to the cross-agency working group for their collaboration and excellent work on this.

Public service agencies must do their due diligence and conduct risk assessments to inform the appropriate sharing agreements with non-government third parties.

In this way we maintain the trust and confidence of the public by ensuring that privacy and transparency are at the heart of how we manage personal information.

Paul James, Government Chief Digital Officer

Introduction

Government agencies are custodians of New Zealanders’ personal information. How they handle that information is essential to public trust and confidence.

Non-government third parties (third parties) can help government agencies to provide, improve and extend New Zealand’s public services. Where providing a service involves access to, or the collection of, personal information by a third party, agencies remain responsible for and must take all reasonable steps to ensure protection of that personal information.

Purpose

This standard establishes minimum expectations for public service agencies when arranging access to, or the collection of, personal information with a third party. It requires agencies to take a risk-informed approach and, where necessary, form legally binding agreements which allow them to take action if something goes wrong, over and above what is provided for in the Privacy Act.

Application

This standard is issued by the Government Chief Digital Officer under section 57(1) of the Public Service Act (the Act). All public service agencies (as defined in section 10(a) of the Act) must comply. It is issued as guidance to other State services under section 57(6) of the Act.

Scope

This standard applies where personal information needs to be accessed by or collected through a third party to deliver or support the delivery of public services.

The standard does not apply to:

  • Approved Information Sharing Agreements (AISAs)
  • Information sharing under the Intelligence and Security Act.

The standard has two parts:

  • Agencies’ responsibilities for personal information protection, including the requirement to undertake a risk assessment prior to sharing with a third party.
  • Minimum requirements for legally binding agreements, that must be applied when indicated by the outcome of the risk assessment.

Māori data and Te Tiriti o Waitangi

Under the Public Service Act the public service supports the Crown in its relationships with Māori under Te Tiriti o Waitangi. When sharing personal information which includes Māori data, agencies should consider how data access, sharing and protection practices reflect Māori rights over their information.

Intersection with legal requirements

If there is a discrepancy between the requirements of legislation and this standard, legislation will take precedence.

Agencies’ responsibilities when providing access to or authorising collection by third parties

When providing access to, or authorising collection by, third parties, agencies must ensure that:

  • there is clear purpose and legal authority for the information sharing;
  • they remain clearly accountable for personal information at all times;
  • they have clearly identified and assessed risks;
  • these risks can be mitigated to an acceptable level;
  • they can assure themselves that personal information is adequately protected;
  • they are aware of conflicts of interest and there are appropriate management processes in place;
  • they can take action in the case of a suspected security or privacy breach;
  • they record and can report on the information sharing; and
  • all parties are aware of and understand their responsibilities.

Agencies must undertake a risk assessment

Agencies must undertake due diligence processes before providing access to or collecting personal information from the third party. Due diligence must include a proportionate agency risk assessment that considers, at a minimum:

  • The need/purpose, reason and legal authority for sharing, including any legislative requirements or protections,
  • The type and content of personal information being shared,
  • Any additional risks if the personal information being shared is Māori data, and whether additional mitigations are required as a result,
  • The length of term, frequency and quantity of access or collection,
  • The third party’s capability to protect the personal information (including processes, legal protections, conflicts of interest, codes of conduct),
  • The agency’s ability to retain oversight of the personal information while held by the third party, and their ability to assure themselves of this, and
  • The agency’s ability to take appropriate and proportionate action in the event of an issue, including a suspected privacy or security breach or potential non-compliance.

If risks cannot be mitigated to an acceptable level through agency and legislative controls (other than the Privacy Act), agencies must form a legally binding agreement with the third party. If in doubt, agencies should implement a legally binding agreement.

Agencies should use the risk assessment to decide if agreements of an ongoing nature should include a regular assurance and reporting cycle.

If a legally binding agreement is not used, agencies must document the mechanism/basis for sharing and the assurance and interventions that ensure they protect personal information. Agencies should adopt controls which align to this standard.

Legally binding agreements with third parties

A legally binding agreement must include the provisions, protections and assurances required by this standard. The form of this agreement should be informed by the risk assessment, and agencies’ privacy, security, legal and procurement policies and advice.

To be legally binding an agreement must take the form of:

  • A contract for services, or
  • A contract for services with an information sharing schedule, or
  • An information sharing deed which varies the terms of a contract, or
  • A standalone information sharing agreement that either includes reference to a consideration of benefit or detriment, or is executed as a deed.

Agencies should consider using a contract wherever possible.

If a separate agreement is used in addition to a contract, the requirements in this standard must be set out consistently across both documents.

Agreements with third parties must include:

1. The legal authority for access or collection

The agreement must clearly state the legal authority under which access to or collection of personal information by a third party is allowed, for each different purpose.

2. The purpose(s) for access or collection, details of the information that will be shared, and under what terms

An agreement must contain:

  • clearly defined and justified purpose(s) for third party access to, or collection of, the personal information,
  • a description of the personal information accessed or collected, limited to what is reasonably necessary to achieve the purpose(s),
  • a prohibition of use beyond these purposes,
  • how and when
    • access to personal information is provided by the agency, and/or
    • personal information collected by the third party is provided to the agency,
  • how personal information will be treated, and who it will be shared with by the third party,
  • how Māori data interests will be honoured in the agreement, including culturally safe treatment and use of the personal information with reference to the agency’s Te Tiriti o Waitangi responsibilities,
  • details of any subcontractors, and how the third party will manage the relationship,
  • how long the third party will need to access the personal information, and
  • what will happen to the personal information when it is no longer required.

Any use of personal information by the third party for another purpose after the agreement has been established must be agreed with the agency, and the agreement must be amended to reflect this.

3. The status of the agreement

The agreement must explicitly state that the provisions are legally binding on the parties. The binding nature of the agreement will ensure that provisions relating to assurance are legally actionable and enforceable.

4. Safeguards for identifying and managing conflicts of interest

An agreement must confirm that any potential, perceived or real conflicts of interest have been disclosed, that conflicts of interest will be appropriately managed by the third party, and that the third party has processes for ongoing disclosure of new conflicts.

If the agency has approved the use of subcontractors, the agreement must be clear that the third party is responsible for the identification and management of any conflicts of interest the subcontractors have.

In the case of doubt, agencies must assure themselves by engaging directly with the third party and advising them if necessary.

5. The role of sub-contractors

All use of subcontractors by the third party must be agreed with the agency prior to access being granted. Changes to subcontracting relationships must be approved by the agency.

Any agreement must be clear about the purpose of subcontractors, and the responsibilities of each party in managing those subcontractors.

6. Safeguards for the protection of personal information

Agencies must comply with the requirements of the Public Records Act 2005. This responsibility extends to any personal information held by the third party. At minimum, an agreement must contain provisions for:

  • Secure transfer and storage of information
  • Authorised access including by subcontractors
  • Protection against unauthorised access, use, modification or disclosure
  • Notification when the information is no longer needed for the specific purpose
  • Deletion/disposal/return (including versions and metadata)

Agencies must ensure any agreement contains appropriate and reasonable controls for these provisions, including with subcontractors, during the period for which the personal information is required.

Agencies must be able to assure themselves that third parties understand and can comply with any security requirements that accompany their access to or collection of personal information, which may require additional security controls.

7. Processes for responding to privacy and security incidents

An agreement must set out agreed steps to be taken in the event of a suspected or actual privacy and/or security incident, including obligations relating to notifiable privacy and security breaches.

Those obligations must include an agreed position on:

  • The process to assess if a potential breach is notifiable,
  • Working together in good faith to investigate incidents and potential breaches, and
  • Timeframes and responsibilities for notifying breaches.

8. Provisions for assurance

An agreement must include provisions that enable agencies to assure themselves that the third party is handling personal information responsibly, including provisions to monitor activity if required. Agreements must include the right to audit the third party’s treatment of the personal information, on-demand.

Assurance provisions must include agreement for:

  • Confirmation of compliance
  • Documentation
  • Regular reporting
  • Good faith co-operation to resolve issues
  • Dispute resolution processes
  • The ability for agencies to assure or audit on-demand.

9. Provisions to address issues and non-compliance

In addition to the provisions for assurance, agreements must include a range of legally-enforceable provisions that allow the agency to take action if third parties do not comply or cannot provide satisfactory assurance of compliance with the agreement. This must include:

  • The agency’s right to pause or remove access to information.
  • Acknowledgement that the agency reserves the right to take legal action for breach of the agreement.
  • Notification of any statutory-specific enforceability options an agency has.
  • Provisions for termination of the agreement.

Agencies may add further provisions appropriate to the relationship or operating context.

Adequate provision must be made for the preservation, return and/or disposal of any third-party held personal information in the case of a breach.

10. Review of information sharing agreement

When an agreement supports ongoing access to or collection of personal information, it must include an appropriate agreement review cycle.

11. Provisions to end the agreement

An agreement that is not of an ongoing nature must specify when the agreement will end, such as on a particular date or at the completion of specified activities. It must also confirm how retention and disposal provisions apply to the third party at the conclusion of the agreement, and how the third party will provide confirmation that they have been met.

The agreement must include provisions for the early termination of personal information sharing. This applies equally to termination in the case of a breach of the agreement.

Implementation

The standard will apply from where agencies allow access to or collection of personal information by third parties.

Agreements entered into from must meet the standard. Existing agreements must be replaced or amended so they meet the requirements of the standard at the next planned point of review in the existing agreement, or sooner if required, based on risk.

Chief Executives must ensure that the agency they lead implements the standard (section 57(5) of the Public Service Act).

Agencies must keep an ongoing record of their compliance with this standard, including but not limited to risk assessments and agreements, and must provide this on request from the Government Chief Digital Officer, the Government Chief Data Steward and/or Te Kawa Mataaho Public Service Commission.

Contact us

For further information please email the Government Chief Digital Officer (GCDO) team.

Email: gcdo@dia.govt.nz
