Government Chief Digital Officer Issues Standard To Protect Government-held Personal Information
The Government Chief Digital Officer Paul James today issued a new standard to enhance the protection of government-held personal information.
“To retain the trust and confidence of the public, government agencies must put privacy and transparency at the heart of their service delivery and management of personal information,” says Mr James. “The new Standard for providing non-government third parties with access to, or collection of, government-held personal information places clear expectations on all parties and will support agencies to adopt stronger information security, management and assurance practices.”
Agreements with third parties must confirm that any potential, perceived or real conflicts of interest have been disclosed, that these will be appropriately managed by the third party, and that the third party has processes for ongoing disclosure of new conflicts.
The new standard, developed by the GCDO in collaboration with a cross-agency working group, sets minimum expectations for public service agencies when arranging access to or collecting personal information with non-government third parties.
Many public services are delivered by third-party providers who are best placed to do so due to their location, relationships, knowledge and expertise. Sharing personal information is an essential component of this, so we must get it right.
The new standard requires public service agencies to conduct a risk assessment whenever personal information is to be shared, includes robust safeguards to protect individual privacy, and directs agencies to apply best practices when granting access to personal information.
Mr James, also Secretary for Internal Affairs, emphasises the importance of this new standard in maintaining public trust and confidence.
“Government agencies are custodians of New Zealanders’ personal information. How they handle that information is essential to public trust and confidence,” says Mr James. “This new standard aims to ensure personal information is accessed and used responsibly, with appropriate safeguards to protect privacy.”
“We are committed to working closely with the Office of the Privacy Commissioner to ensure that the standard aligns with existing legal requirements and enhances the overall protection of personal information,” says Mr James.
The standard will be mandatory for all public service agencies from 1 July 2025. Other State services agencies are encouraged to adopt it. It offers more options for assurance, audit, and addressing non-compliance, helping agencies establish clear legal responsibilities with third parties. Chief Executives must ensure their agencies implement the standard.
The development of this standard follows an inquiry into the protection of personal information which found some agencies fell short on their responsibility to protect and manage the sharing of personal information.