How the standard applies

The standard for providing non-government third parties with access to, or collection of, government-held personal information was issued by the (GCDO) under section 57(1) of the Public Service Act 2020 on 1 May 2025.

This guidance has been published to help public service and State services agencies implement the standard.

From 1 July 2025, all public service agencies must implement this standard.

All State services agencies are encouraged to use this guidance and implement this standard.

The purpose of this guidance

This guidance outlines the best practice approach for government agencies to implement the standard and meet the standard’s requirements.

Implementing the standard will ensure that information sharing agreements to share personal information between a government agency and a non-government third party will:

• protect personal information
• have appropriate controls in place.

Guidance topics for this standard

The guidance includes:

• definitions for words used in this specific context
• agency responsibilities for personal information and how to meet those responsibilities
• agency responsibilities when sharing Māori data
• factors to inform an agency’s due diligence process
• what a risk-informed approach with a proportional agency risk assessment should consider
• the assurance measures required for an information sharing agreement
• what a legally binding agreement is and the type of agreements that are available
• a template of model clauses for an information sharing agreement.

Some guidance topics are still being prepared and will be available soon.

Advice from other experts

Guidance for this standard includes advice from other experts such as the:

• Office of the Privacy Commissioner
• New Zealand government System Leads responsible for data and information security
• government agencies responsible for specific laws.

Links to their advice is included where appropriate.

Agencies should already be familiar with the Office of the Privacy Commissioner’s advice on working with third party providers and agencies’ ongoing responsibilities when sharing personal information.

Working with third party providers — Office of the Privacy Commissioner

If there is any discrepancy between this guidance for the standard and a law that has specific requirements about sharing personal information, the law and any guidance for implementing that law takes precedence. Refer to your agency’s own guidance and policy on those laws in this situation.

Scope

This guidance will help government agencies create information sharing agreements with non-government third parties who deliver (or support the delivery of) public services — where personal information is necessary to deliver those public services.

The scope for this guidance also covers information sharing agreements that must be legally binding to ensure adequate controls are in place to protect personal information.

Out of scope

For some specific cases of sharing personal information the standard and this guidance does not apply.

For example, this guidance does not cover:

• sharing personal information between government agencies
• Approved Information Sharing Agreements (AISAs)
• giving an individual their own personal information as required under the Privacy Act 2020 or the Official Information Act 1982
• disclosure of information to or from an intelligence and security agency under the Intelligence and Security Act 2017.

Contact us

For further information, to ask questions or give feedback, email the Government Chief Digital Office (GCDO).

Email: gcdo@dia.govt.nz