The Government Chief Digital Officer Paul James today
issued a new standard to enhance the protection of
government-held personal information.
“To retain the
trust and confidence of the public, government agencies must
put privacy and transparency at the heart of their service
delivery and management of personal information,” says Mr
James. “The new Standard
for providing non-government third parties with access to,
or collection of, government-held personal information
places clear expectations on all parties and will support
agencies to adopt stronger information security, management
and assurance practices.”
Agreements with third
parties must confirm that any potential, perceived or real
conflicts of interest have been disclosed, that these will
be appropriately managed by the third party, and that the
third party has processes for ongoing disclosure of new
conflicts.
The new standard, developed by
the GCDO in collaboration with a cross-agency working group,
sets minimum expectations for public service agencies when
arranging access to or collecting personal information with
non-government third parties.
Many public
services are delivered by third-party providers who are best
placed to do so due to their location, relationships,
knowledge and expertise. Sharing personal information is an
essential component of this therefore we must get it
right.
Advertisement – scroll to continue reading
The new standard requires public service
agencies to conduct a risk assessment whenever personal
information is to be shared and includes robust safeguards
to protect individual privacy and directs agencies to apply
best practices when granting access to personal
information.
Mr James, also Secretary for Internal
Affairs, emphasises the importance of this new standard in
maintaining public trust and confidence.
“Government
agencies are custodians of New Zealanders’ personal
information. How they handle that information is essential
to public trust and confidence,” says Mr James. “This new
standard aims to ensure personal information is accessed and
used responsibly, with appropriate safeguards to protect
privacy.”
“We are committed to working closely
with the Office of the Privacy Commissioner to ensure that
the standard aligns with existing legal requirements and
enhances the overall protection of personal information,”
says Mr James.
The standard will be
mandatory for all public service agencies from 1 July 2025.
Other State services agencies are encouraged to adopt it. It
offers more options for assurance, audit, and addressing
non-compliance, helping agencies establish clear legal
responsibilities with third parties. Chief Executives must
ensure their agencies implement the
standard.
The development of this
standard follows an inquiry into the protection of personal
information which found some agencies fell short on their
responsibility to protect and manage the sharing of personal
information.
