
Privacy of the information

Questions 23 to 27 — complete a privacy impact assessment if your data has personal information.

Questions 23 to 27 — privacy of the information

Table 1 lists who is responsible for answering each question.

Context and help for questions 23 to 27

Record your answers to these questions in either:

Questions to answer

  23. Does the data that will be stored and processed by the cloud service include personal information as defined in the Privacy Act 2020?
  24. Has a privacy impact assessment been completed that identifies the privacy risks associated with the use of the cloud service, together with the controls required to manage them effectively?
  25. Is the service provider’s use of personal information clearly set out in its privacy policy?
    25a. Is the service provider’s privacy policy consistent with the agency’s business requirements?
  26. Does the service provider notify its customers if their data is accessed by, or disclosed to, an unauthorised party?
    26a. When the service provider notifies customers of unauthorised access to or disclosure of their data, does it provide enough information to support cooperation with an investigation by the Privacy Commissioner?
  27. Who can the agency, its staff and its customers complain to if there is a privacy breach?

Table 1: Who answers each question

Entity                    Questions to answer
Government organisation   23, 24, 25a, 26a
Service provider          25, 26, 27

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you its answers or the other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there is no way to reduce the risk that this incomplete information creates.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 23 to 27

The following guidance gives you context and help for answering questions about the privacy of your information.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Why government organisations must check the privacy of the information

Public cloud services make it easier for government organisations to share information with other government organisations.

Example — public cloud services make it easier to share information

Your government organisation needs to share personal information with another government organisation.

Rather than implementing a system-to-system interface to exchange the information, you could use a Software as a Service (SaaS) product and create user accounts for the other organisation’s staff, granting each account only the permissions it needs.

Balance technical benefits and privacy

Public cloud services lower the technical barriers to sharing information, but government organisations need to make sure they appropriately manage access to personal information.

Your privacy responsibilities — Privacy Commissioner

Adopt the Data Protection and Use Policy (DPUP)

The New Zealand social sector developed DPUP to establish best practices for:

  • respectfully using people’s information
  • building trust and confidence between people and agencies.

The Data Protection and Use Policy: Data systems — Social Wellbeing Agency

Who uses DPUP

In the NZ social sector, government organisations and non-governmental organisations should use DPUP. Organisations in other sectors should consider adopting DPUP whenever they are collecting and using personal information.

Learn about DPUP

Meet the Privacy Act 2020 requirements

The privacy policies of the public cloud service providers you want to use might use different terms, definitions and standards from those in the Privacy Act 2020. Government organisations need to make sure New Zealanders’ personal information is safe and respected, and must meet the Privacy Act 2020 requirements regardless of how a provider’s policy is worded.

Privacy Act 2020 — New Zealand legislation

Example of meeting the Privacy Act 2020

American providers of public cloud services usually have privacy policies that distinguish between personally identifiable information and non-personal information.

The Privacy Act 2020 does not make that distinction: it defines personal information as information about an identifiable individual, so information a provider treats as non-personal can still be personal information under the Act if it can be linked back to a person. For this reason, government organisations must review and consider the implications of accepting any provider’s privacy policy for public cloud services.

Answer the privacy questions

The classification level of the information you’re planning to use helps you to know which questions to answer. However, always consider any aspects of the information that make it personal information — the Privacy Act 2020 is concerned with the content of information, which means personal information can be in many different types of media.

What is personal information? — Privacy Commissioner

If you’re not sure, ask your organisation’s privacy officer for help.

Privacy officers — Privacy Commissioner

Unclassified information — question 23

If your information has personal information, reclassify it.

Classify information

If you’ve properly classified your information and answered ‘no’ to question 23, move on to deciding if you need a risk discovery.

Decide if you need a risk discovery before using a public cloud service

In-confidence, sensitive and restricted information — questions 23 to 27

These classification levels can have personal information in them. If your information does, complete a privacy impact assessment so you can answer questions 24 to 27.

Privacy impact assessment toolkit — Privacy Commissioner
