Legally binding agreements
Learn about legally binding agreements and existing or planned contracts when implementing the information sharing standard.
This guidance is in development
This guidance will be updated based on your questions and feedback. If you would like anything added or clarified, email the Government Chief Digital Office (GCDO).
Email: gcdo@dia.govt.nz
When to use a legally binding agreement
A government agency can decide if a legally binding agreement is needed.
An agency is responsible for personal information when it is shared with a non-government third party. An agency may need a legally binding agreement with a third party to carry out this responsibility.
Responsibility and safeguards
Agencies have responsibilities when sharing personal information. An agency must make sure that an agreement to share personal information with a third party has safeguards.
For example, personal information that is shared may need protection against unauthorised:
- access
- use
- modification
- disclosure of the personal information.
These safeguards help the agency to protect personal information when it is held by a third party — as if it is held in the agency’s own systems.
Safeguards in information sharing agreements provide assurance to agencies that the personal information is adequately protected.
Investigating a third party
One of the safeguards for an agency’s assurance may be the agency’s ability to investigate the third party.
An investigation may be necessary if the agency suspects the third party has breached an agreement.
Having the safeguard to do an investigation may require a legally binding agreement between the agency and the third party.
Seek legal advice
An agency’s legal and procurement advisors should be involved when an information sharing agreement is created. These advisors can say how an agreement can be made legally binding.
The outcome of a risk assessment will help to determine the areas an agreement needs to focus on.
What is a legally binding agreement
A legally binding agreement must be a contract or an information sharing deed or agreement that includes a consideration of benefit or detriment. This is the value exchanged between both parties in an agreement. For example, a contract where a non-government third party delivers public services in exchange for payment by the government agency.
The legally binding agreement can be executed (signed and delivered) as a deed. An information sharing deed can also be used to vary existing contracts for delivering public services.
Agencies may use whichever type of legally binding agreement best suits their purposes. A contract is recommended as the simplest and easiest agreement to manage.
Legally binding agreements have two-way responsibilities
These are:
- agencies work in good faith with third parties
- agencies and third parties cooperate where necessary
- agencies and third parties work through due process in the spirit of partnership.
The protection of personal information must have priority. This is why the ability to suspend access to or stop the collection of personal information must be an option in a legally binding agreement.
If an information sharing agreement exists alongside a contract for services, the requirements in the information sharing standard must be set out consistently across both documents.
It is up to the agency to determine whether an agreement should be legally binding or not. It is not necessary to state that the contract is legally binding when it is already clear that this is the legal position.
Existing or planned contracts
A contract (or a planned contract) to deliver public services between an agency and a third party may need the third party to have access to, or collect, personal information.
An agency must make sure that the contract complies with the standard.
A contract for delivering public services does not exempt an agency from doing a risk assessment. This assesses the:
- level of risk when sharing personal information
- controls that are needed to manage the risk.
The contract for services itself is not enough of a control to manage the risks and provide assurance for an agency.
Existing contracts from
Existing contracts or agreements are not expected to comply with the standard immediately from .
Agencies must:
- check their contracts when they are renewed or reviewed
- follow the normal review process that has already been agreed with the third party.
For ongoing contracts with no agreed end or review date, the agency should set a date to review it. Any new controls and changes required from the standard can be introduced then.
A contract’s renewal does not need to be brought forward if the changes are only to meet the standard.
Alternatives to a legally binding agreement
An agency may choose to use an alternative to a legally binding agreement.
Alternatives may include:
- another legal framework
- a code of conduct
- other mechanisms.
These alternatives can give an agency an equivalent right or ability to do the due diligence, assurance or audit activities that are necessary to protect personal information held by a third party.
At a minimum, agencies must be able to assure themselves that personal information is being protected while held in the care of a third party.
Agencies must note what their alternative protections are as part of their due diligence and record keeping processes.
The due diligence guidance will help agencies to decide what assurance and protection safeguards are needed for their information sharing.
Keeping a record of an agreement
Agencies need to make a record of what has been agreed to and any changes that are made over time.
These records must include the:
- risk assessment for the information sharing activity
- legally binding agreement for that access and collection of personal information
- situations where sharing personal information with a third party happens without an agreement in place.
An ongoing record could be a register, a database or some other record.
Agencies are expected to have a clear understanding of:
- when and how they share personal information with third parties
- how they manage their relationships with third parties.
Template of model clauses
A template of model clauses is available to help agencies create a legally binding agreement to share personal information with a third party.
The model clauses can also be used by an agency to add to their own templates, contracts and deeds.
Using this template is optional. Each agency can decide how their agreement is created.
An agency’s procurement and legal advisors should be involved when any information sharing agreement is created.
Contact us
For further information, to ask questions or give feedback, email the Government Chief Digital Office (GCDO).
Email: gcdo@dia.govt.nz