Privacy of the information
Questions 23 to 27 — complete a privacy impact assessment if your data has personal information.
Questions 23 to 27 — privacy of the information
Table 1 lists who is responsible for answering each question.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
23. Does the data that will be stored and processed by the cloud service include personal information as defined in the Privacy Act 2020?
    - If no, skip questions 24 to 27.
    - Privacy Act 2020 — New Zealand legislation
24. Has a privacy impact assessment been completed that identifies the privacy risks associated with the use of the cloud service together with the controls required to effectively manage them?
25. Is the service provider’s use of personal information clearly set out in its privacy policy?
25a. Is the service provider’s privacy policy consistent with the agency’s business requirements?
26. Does the service provider notify its customers if their data is accessed by, or disclosed to, an unauthorised party?
26a. Does service provider notification of unauthorised customer data access or disclosure include providing sufficient information to support cooperation with an investigation by the Privacy Commissioner?
    - On a case-by-case and project-specific basis, the Government Chief Privacy Officer can provide advice on what ‘sufficient information’ is.
27. Who can the agency, its staff and customers complain to if there is a privacy breach?
Table 1 — who answers each question

| Entity | Questions to answer |
|---|---|
| Government organisation | 23, 24, 25a, 26a |
| Service provider | 25, 26, 27 |
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need higher assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there are no ways to lessen the risk of this incomplete information.
Independent assurance reports — New Zealand Information Security Manual
Context and help for questions 23 to 27
The following guidance gives you context and help for answering questions about the privacy of your information.
Why government organisations must check the privacy of the information
Public cloud services make it easier for government organisations to share information with other government organisations.
Example — public cloud services make it easier to share information
Your government organisation needs to share personal information with another government organisation.
Rather than having to implement a system-to-system interface to exchange the information, you could use a Software as a Service (SaaS) application and create user accounts for the other organisation with the appropriate security permissions.
Balance technical benefits and privacy
Public cloud services lower the technical barriers to sharing information, but government organisations need to make sure they appropriately manage access to personal information.
Your privacy responsibilities — Privacy Commissioner
Adopt the Data Protection and Use Policy (DPUP)
The New Zealand social sector developed DPUP to establish best practices for:
- respectfully using people’s information
- building trust and confidence between people and agencies.
The Data Protection and Use Policy: Data systems — Social Wellbeing Agency
Who uses DPUP
In the NZ social sector, government organisations and non-governmental organisations should use DPUP. Organisations in other sectors should consider adopting DPUP whenever they are collecting and using personal information.
Meet the Privacy Act 2020 requirements
The privacy policies from the providers of public cloud services you want to use might have different terms, definitions and standards than the Privacy Act 2020. Government organisations need to make sure New Zealanders’ personal information is safe and respected. Meet the Privacy Act 2020 requirements.
Privacy Act 2020 — New Zealand legislation
Example of meeting the Privacy Act 2020
American providers of public cloud services usually have privacy policies that distinguish between personally identifiable information and non-personal information.
Both of these types of information are considered personal information in the Privacy Act 2020. For this reason, government organisations must review and consider the implications of accepting any provider’s privacy policy for public cloud services.
Answer the privacy questions
The classification level of the information you’re planning to use helps you to know which questions to answer. However, always consider any aspects of the information that make it personal information — the Privacy Act 2020 is concerned with the content of information, which means personal information can be in many different types of media.
What is personal information? — Privacy Commissioner
If you’re not sure, ask your organisation’s privacy officer for help.
Unclassified information — question 23
If your information has personal information, reclassify it.
If you’ve properly classified your information and answered ‘no’ to question 23, move on to deciding if you need a risk discovery.
Decide if you need a risk discovery before using a public cloud service
In-confidence, sensitive and restricted information — questions 23 to 27
These classification levels can have personal information in them. If your information does, complete a privacy impact assessment so you can answer questions 24 to 27.
Privacy impact assessment toolkit — Privacy Commissioner