Your browser currently has JavaScript turned off, which means that Digital.govt.nz might not display properly on your device. It’s easy to turn JavaScript on - find out how to enable JavaScript in your browser.

Guidance for the standard for providing non-government third parties with access to, or collection of, government-held personal information

This guidance explains how to implement this standard. All public service agencies must implement this standard from 1 July 2025. This guidance is recommended for the wider State service.

This guidance is in development

As with guidance for all new standards, this guidance will be updated based on your questions and feedback. If you would like anything added or clarified, email the Government Chief Digital Officer (GCDO) team.

Email: gcdo@dia.govt.nz

Purpose

This guidance describes:

government agency’ responsibilities for personal information shared with third parties
the requirement for agencies to take a risk-based approach to assessing their information sharing
what an agency must do when information sharing requires a legally binding agreement
assurance measures for legally binding information sharing agreements
managing conflicts of interest non-government third parties may have
training and further guidance on sharing personal information.

This guidance aligns with other guidance material produced by authorities in this space. Where other guidance provides more detail on specific matters, this guidance will link to that material.

Agencies should be familiar with guidance from the Office of the Privacy Commissioner on working with third party providers and the ongoing responsibilities when sharing personal information.

Working with third-party providers — Office of the Privacy Commissioner

If there is any discrepancy between this guidance and legislation, the legislation will take precedence.

Refer to your agency’s guidance and policy for implementing the legislation in this event.

Privacy Act 2020 — New Zealand Legislation

Scope

This guidance covers information sharing between government agencies and non-government third parties that deliver, or support the delivery of, public services.

This guidance also covers those information sharing agreements where that agreement needs to be legally-binding.

Whether a legally binding information sharing agreement is needed is defined by the government agency conducting due diligence and a risk assessment.

Not in scope

This guidance does not cover:

information sharing between different parts of government
Approved Information Sharing Agreements (AISAs)
disclosure of information to individuals under the Privacy Act 2020 or the Official Information Act 1982
disclosure of information to or from an intelligence and security agency under the Intelligence and Security Act 2017.

Specific guidance topics

Links will be added to these topics when this guidance is available.

Definitions — specific definitions for words used in the standard.
Determine the type of agreement and tikanga
Agency responsibilities with personal information and third parties
Risk assessments
Assurance
Legally-binding agreements.

Contact us

For further information, to ask questions or give feedback, email the Government Chief Digital Officer (GCDO) team.

Email: gcdo@dia.govt.nz

JavaScript is currently turned off in your browser — this means you cannot submit the feedback form. It’s easy to turn on JavaScript — Learn how to turn on JavaScript in your web browser.

If you’re unable to turn on JavaScript — email your feedback to info@digital.govt.nz.

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Last updated 01 May 2025