Skip to main content

Guidance for the standard for providing non-government third parties with access to, or collection of, government-held personal information

This guidance explains how to implement this standard. All public service agencies must implement this standard from . This guidance is recommended for the wider State service.

This guidance is in development

As with guidance for all new standards, this guidance will be updated based on your questions and feedback. If you would like anything added or clarified, email the Government Chief Digital Officer (GCDO) team.

Email: gcdo@dia.govt.nz

Purpose

This guidance describes:

  • government agency’ responsibilities for personal information shared with third parties
  • the requirement for agencies to take a risk-based approach to assessing their information sharing
  • what an agency must do when information sharing requires a legally binding agreement
  • assurance measures for legally binding information sharing agreements
  • managing conflicts of interest non-government third parties may have
  • training and further guidance on sharing personal information.

This guidance aligns with other guidance material produced by authorities in this space. Where other guidance provides more detail on specific matters, this guidance will link to that material.

Agencies should be familiar with guidance from the Office of the Privacy Commissioner on working with third party providers and the ongoing responsibilities when sharing personal information.

Working with third-party providers — Office of the Privacy Commissioner

If there is any discrepancy between this guidance and legislation, the legislation will take precedence.

Refer to your agency’s guidance and policy for implementing the legislation in this event.

Privacy Act 2020 — New Zealand Legislation

Scope

This guidance covers information sharing between government agencies and non-government third parties that deliver, or support the delivery of, public services.

This guidance also covers those information sharing agreements where that agreement needs to be legally-binding.

Whether a legally binding information sharing agreement is needed is defined by the government agency conducting due diligence and a risk assessment.

Not in scope

This guidance does not cover:

  • information sharing between different parts of government
  • Approved Information Sharing Agreements (AISAs)
  • disclosure of information to individuals under the Privacy Act or the Official Information Act
  • disclosure of information to or from an intelligence and security agency under the Intelligence and Security Act .

Specific guidance topics

Links will be added to these topics when this guidance is available.

  • Definitions — specific definitions for words used in the standard.
  • Determine the type of agreement and tikanga
  • Agency responsibilities with personal information and third parties
  • Risk assessments
  • Assurance
  • Legally-binding agreements.

Contact us

For further information, to ask questions or give feedback, email the Government Chief Digital Officer (GCDO) team.

Email: gcdo@dia.govt.nz

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated