Taking a break and relaxing over the holidays is a Kiwi tradition, but that doesn’t mean you should forget about protecting your privacy, Privacy Commissioner Michael Webster says.
“The holiday period can be a time of letting things slide, which can mean it’s also the time privacy issues strike, like phishing scams, dodgy online stores, and invasive kids’ toys.
Christmas shopping can be stressful, it’s time dependent and unfortunately scammers can take advantage of people through fake online shopping sites, or scam emails about parcel deliveries or special offers.
“With multiple things being ordered online, it can be tempting to click on a link about parcel deliveries and end up falling for a common phishing scam,” says Mr Webster.
Even presents can have privacy implications, with an increasingly number of things having AI included, for
example there are even air-fryers with built in AI cameras. Kids’ toys are not immune either, with many ‘smart’ presents available.
“The key thing is about being aware the present you bought has AI included and being comfortable with the pros and cons of that. Good questions to ask are how much personal information it needs, where are these details going and who owns that information?
“You may be fine with using your own personal information to make something work, but are you so comfortable with having a family member, including potentially a young child, give away their personal details?
“It’s no fun to think about privacy when you’re shopping for kids’ toys, but you’d avoid a toy that presents a health risk, so you should probably also avoid toys that present privacy risks.”
Another good privacy tip is if you’re buying from a website you’ve never used before, make sure it’s a site you can trust. You can look up online reviews of the store to check their reliability and reputation. If you see a deal too good to be true, it really might be.
“It takes a wealth of personal information to order online, so make sure you only give information to websites you trust, as things can quickly go bad if it’s not a legitimate site.
“It’s important to pause and take a moment to think about the situation. Get a second opinion, check online and follow the guidance from trusted sources like Netsafe.
Road toll texts are another common phishing scam over the holidays. It can be difficult recalling when and where you were on a toll road, so it might seem real, but the most important thing is knowing Waka Kotahi will never send you a text message with a link in it, so don’t click it, delete it.
“We’re not trying to be killjoys, we just want Kiwis to stay safe over summer whether that’s on the roads, under the sun, or online with their privacy.”
“Don’t let the phishing grinches steal your details,” the Commissioner says. “This is your friendly reminder to keep privacy in mind over Christmas.”
The Privacy Commissioner has announced his intention to issue a Biometric Processing Privacy Code of Practice and is calling for submissions on the draft Code. Links to review documents
Read the Biometric Processing Privacy Code (opens to PDF, 200Kb) – we are seeking feedback on this. Read our consultation document (opens to PDF, 563Kb) – we are seeking feedback on this. Our draft Biometric Processing Privacy Code guidance (opens to PDF, 1. 1MB) – we are seeking feedback on this. Remind yourself of the history of our biometrics project.
NOTE: While our newly established OPC Mori Reference Panel have been provided with the Code consultation pack, they have not had input in to its development to date as a Panel. As part of this consultation, we will be seeking their views.
The Privacy Commissioner has today announced his intention to issue a Biometrics Code. He is releasing the Biometric Processing Privacy Code of Practice for consultation and is calling for submissions on the draft Code from the public and any agencies the code would apply to. The code will help agencies implement the technology, while giving people confidence its being done safely and fairly, Privacy Commissioner Michael Webster says. New Zealand doesnt currently have special rules for biometrics. The Privacy Act regulates the use of personal information in New Zealand, including biometric information, but biometrics needs special protections especially in specific circumstances.
Biometric processing is the use of technologies, like facial recognition technology, to collect and process peoples biometric information to identify them or learn more about them.
Over some of summer our staff wont be working. You can still tell us about your privacy complaint or notify a breach (if youre a business or organisation) and receive a confirmation that weve received it. But we wont action anything immediately. Our 0800 803 909 phone line will be open until 3pm on Friday 20 December 2024. We will start answering calls again at 10am on Monday 13 January 2025. Check whether weve already answered your question
Ask Us is our list of more than 600 questions and answers about privacy. Its used by more than 16,000 New Zealanders every month so might be able to help you too. Search your question in Ask Us.
Our brochure covers New Zealanders privacy rights, what to do if your personal information is taken, and how to make a complaint to us. It also includes our contact details. We find these are popular with GP clinics, Citizens Advice Bureau outlets, and libraries. These brochures can be printed from a home or office computer. They are double sided, with an English translation on one side.
Please note, we are unable to provide professionally printed versions of this brochure. View professionally printed options. Download our privacy brochure in Traditional Chinese (PDF, 1. 78MB)
Download our privacy brochure in Simplified Chinese (PDF, 1. 76MB)
New Zealanders made a record 1003 privacy complaints to the Office of the Privacy Commissioner last financial year. That could signal that New Zealanders are more aware of their privacy rights, but more likely it’s poor privacy practices across the motu, given agencies (business and organisations) also reported 864 privacy breaches.
“No one should be happy we received over 1000 privacy complaints. That demonstrates to me that people are concerned that their privacy has been harmed in some way, and it’s often in quite significant ways,” says Privacy Commissioner Michael Webster.
OPC dealt with 724 complaints as “fast resolve” files, which means we acted swiftly to help people resolve their privacy concerns or provided agencies with information about how to comply with their obligations.
We investigated 279 complaints, where the harm threshold was reached, or an agency hadn’t provided access to personal information. Of those investigation files, 6.5% resulted in financial compensation.
“Thousands of times each day New Zealanders provide their personal information in exchange for goods and services. That could be face-to-face with a small business or online with a large government department. All these exchanges involve privacy,” says Mr Webster.
OPC’s investigations team are highly trained lawyers who take a dispute resolution approach where possible, which often means being the moderator or conciliator between the person who has made a privacy complaint and the business or organisation who has breached their privacy.
“People are complaining to my Office, often in times of great distress, and it’s my team’s job to listen, investigate, and respond with clarity and compassion.
Two thirds (66%) of complaints in the last financial year related to access to personal information.
Under the Privacy Act people have a right to ask whether an agency holds information about them and to request access to their own personal information. If an agency fails to provide it, the Privacy Commissioner can issue an access direction requiring its release.
“Having access to your own information is an important privacy right and it’s disappointing agencies are often unwilling or unable to provide this.”
“Of course, part of addressing, and reducing, privacy harm is ensuring that New Zealand businesses and are organisations are doing privacy well. Right now, not everyone is,” said Mr Webster.
Over the last financial year, the Office of the Privacy Commissioner received 864 privacy breach notifications and 414 of these were serious.
In the November 2024 issue we cover the publishing of OPC’s Annual Report, a heads up about a biometrics announcement coming soon, an update on the Children’s Privacy Project, our appearance before the Justice Select Committee, and a statement in response to Inland Revenue’s updated hashing information. We also confirm the dates and theme for Privacy Week 2025, and two vacancies at OPC.
Working with third-party providers: understanding your privacy responsibilities
Your responsibility for the personal information stored or processed by a third-party provider comes from Section 11 of the Privacy Act.
Personal information is any information which tells us something about a specific individual. People’s names, contact details, financial, health and purchase records can all be personal information. The information doesn’t need to name the individual, if they are identifiable in other ways, like through their home address or another identifier, or if their identity could be pieced together. Read more about what we mean by personal information.
Return to top.
Who is this for?
This guidance is for organisations who are thinking about using a third-party provider, or those who already do. If you use a third-party provider to store or process personal information on your behalf, you are still responsible for what happens to that information.
This guidance explains what you must think about when you are choosing a third-party provider and what your ongoing responsibilities are. We have a wider suite of guidance ‘Poupou Matatapu’ to find out more about how to ‘do privacy well’ and what good privacy practice looks like.
Return to top.
Your organisation is responsible for your personal information when stored or processed by a third-party provider
The key thing to remember is that you remain responsible for personal information that you send to a third-party provider.
What do we mean by third-party provider?
‘Third-party’ means an organisation external to your organisation.
‘Third-party provider,’ also known as a ‘third-party’ or ‘service provider,’ is a broad term that can be applied to a range of external organisations that provide services to your organisation, such as storing or processing information on your organisation’s behalf. Software as a Service (SaaS) or cloud service providers are a classic example. However, there is a wide range of other third-party providers you might contract with who may need to store or process personal information provided by your organisation to deliver their service to you.
For example, you might:
Share employee pay information with an external payroll provider or accountant.
Contract a company to collect information for a survey.
Use another organisation to provide personalised services for your customers.
Use an intermediary platform that shares the information with other third parties.
Return to top.
Before using a third-party provider
Before you engage a third-party provider, you need to understand:
What types of personal information you’ll share with them, or they’ll collect on your behalf.
What they will do with it.
Do they need personal information?
First, understand whether your organisation needs to provide personal information to the third-party provider at all. You should consider if you can achieve the results you want from a third-party provider without providing any personal information.
For example, your organisation might like to use a third-party marketing agency to provide advertising services. Marketing agencies can offer a range of services, from sourcing advertising on billboards or online advertising (which would not require any personal information), to using the information collected from an organisation’s existing customer database to create marketing strategies (which might require personal information, depending on the task).
Think about whether supplying aggregated, non-personal information might enable the marketing agency to perform the service adequately.
Please note: when changing the way you use clients’ or staff’s personal information, you need to assess the privacy risk and make sure you’re being transparent through your privacy statement to reflect any changes in use of personal information. We have guidance on how to improve your privacy transparency. We also have a PIA toolkit available to help assess the privacy risks.
What kind of personal information is it?
It’s important to understand the level of privacy risk that you’ll need to manage with your third-party provider. We have guidance on different kinds of personal information that may carry higher privacy risk, such as where the information is sensitive or confidential.
For example, an organisation might employ the use of a third-party software provider to manage their payroll. Information required to process payroll can be sensitive, such as bank account and IRD numbers. Appropriate security measures need to be in place. We have guidance on handling sensitive information.
Due diligence
You will need to be confident that the information is protected wherever it is, and whatever organisation is handling it. Ask questions that enable you to have that confidence (this is normally referred to as ‘due diligence’), and ask those questions early, before you commit to using the provider.
Any subsequent contract with that provider should satisfactorily reflect the key protections that you expect to be in place. It should also require the third-party to ensure that any subcontractors or support agencies will equally protect the information. Your organisation needs to know whether the third-party provider will use or disclose the personal information that you provide for its own business purposes.
What will the third-party provider do with the information?
There are a range of services that third-party providers offer. Some third-party providers will merely store the information and some will process the information for you (for example, a service providing data analytics). Some may themselves use third-party services such as generative AI tools to store or process the information.
A key thing to understand is whether the third-party provider will use the information for their own purposes or not. Some examples of third parties using information for their own purposes could be when your information is used as AI training data or using the information you provide for services to other organisations.
If the third-party provider is storing or processing the information solely on your behalf (for example storing information as a cloud service) and will not use or disclose it for its own purposes, section 11 of the Privacy Act says that the third-party provider is not deemed to “hold” the personal information for the purposes of the Privacy Act. This also means that you are not “disclosing” the information to them, which means you do not need to worry about the Privacy Act’s disclosure principle (IPP 11). But as a result, your organisation remains fully responsible under the Privacy Act for what happens to that information. The third-party is “you” for the purposes of the Privacy Act.
If the third-party provider will use or disclose the information for its own purposes, as well as performing services for you, then both the third-party provider and your organisation will be deemed to “hold” that information for the purposes of the Privacy Act. That means you will both be responsible for the information in various ways depending on how it is being stored or used. Sharing personal information with that third-party provider could also be a “disclosure” and you will need to make sure that sharing the information is allowed under IPP11. IPP12 may also be relevant if the third-party provider is not based in New Zealand.
In addition, both your organisation and the third-party provider may be accountable if there is a privacy breach. This means that your organisation and the third-party provider need to have a plan to outline who will notify OPC and individuals affected in case there is a breach. We have guidance on who should notify OPC and affected individuals.
Return to top.
Example of a section 11 situation: Wonder Bottling Ltd uses third-party Big Data Analytics
Wonder Bottling Ltd wants to use the third-party Big Data Analytics Ltd to run Wonder Bottling’s website. Big Data Analytics will store all website data, including personal information provided by customers to Wonder Bottling via web forms. It will also process the information stored and provided to the website to provide website analytics to Wonder Bottling Ltd.
Big Data Analytics is not using Wonder Bottling Ltd’s information for another purpose or service, such as using Wonder Bottling Ltd’s data insights to provide a service to another organisation. It is solely storing and processing information for Wonder Bottling Ltd. Under section 11, this means that Wonder Bottling Ltd is responsible for anything that happens to that information while it is being stored or processed by Big Data Analytics.
For instance, if Big Data Analytics is the subject of a notifiable privacy breach in relation to the personal information transmitted by Wonder Bottling, Wonder Bottling would be responsible for notifying the Office of the Privacy Commissioner (OPC) and affected individuals. In their agreement, Big Data Analytics should be required to inform Wonder Bottling about any breaches of that information so that Wonder Bottling can fulfil this requirement.
However, if Big Data Analytics were to change how it operates and start using that information for another purpose, Big Data Analytics would have its own obligations under the Privacy Act, such as responsibilities to make sure the information is accurate and fit for purpose under IPP8, and to use the information in line with IPP10.
Return to top.
Protecting personal information once you’ve chosen a third-party provider
Since your organisation is legally responsible for anything that happens to the personal information that a third-party provider stores or processes for you (whether or not that third-party is also responsible), you should make sure that you have a robust agreement in place with them that requires them to keep the information safe and gives you a remedy when things go wrong.
What should be in an agreement with a third-party provider?
Security measures
An organisation needs to do everything within its power to prevent unauthorised use or disclosure of personal information. This means that your organisation needs to get assurances that the third-party provider has the appropriate security measures in place to protect any information it stores or processes on your behalf. The more sensitive the information is, the stronger those assurances may need to be.
Our guidance on security and access controls provides examples of the types of security measures the third-party provider should take to protect the personal information it stores. Your organisation may wish to seek regular reporting from the third-party provider on the effectiveness of the measures.
Individuals’ right to access and correct the information your organisation holds about them
The Privacy Act requires you to give people access to their personal information if they ask you to, and correct that information if it is wrong. There are also strict statutory timeframes for responding to requests. Those timeframes don’t change when the information is stored by a third-party rather than by you. You need to ensure that your agreement with the third-party provider includes provisions that make sure you can locate and retrieve information quickly, so you can meet your obligations.
Read our Other things to consider
If you’re sending personal information to a third-party provider to process, store, or use on your behalf, you need to make sure you are transferring the information securely. Download a PDF version of this guidance.
Read the full 2024 Annual Report (opens to PDF). “Thousands of times each day New Zealanders provide their personal information in exchange for goods and services. They could be face-to-face with a small business or online with a large government department. All of these exchanges involve privacy. A society that values privacy and personal information is one where its people can have greater trust in government and businesses because they know their information will be looked after. This Annual Report is the first under theStatement of Intent 20232027, which sets my Offices purpose as ensuring that privacy is a core focus for agencies. We do this to protect the privacy of individuals, enable agencies to achieve their own objectives, and safeguard a free and democratic society.
Deputy Privacy Commissioner Liz MacPherson says she is very disappointed to learn that in at least two instances, identifiable personal information was shared by Inland Revenue with social media platforms. IR is the custodian of highly sensitive tax information about most New Zealanders. Given the nature of their work and the fact all New Zealand taxpayers must interact with them its important IR upholds the very highest privacy and confidentiality standards.
What is particularly concerning in this case is that IR apparently had no idea that these incidents, including the intentional sharing by IR staff of identifiable personal details of 268,000 New Zealand taxpayers with social media platforms had occurred. It is unlikely based on the information available to us that the breaches are notifiable under the Privacy Act.