Addressing cross-border issues on employee privacy

Jo Douglas explains what one significant change to the Privacy Act means to the cross-border exchange of information on employees.

As an employer, you will likely be involved in collecting personal information about those who work for you. This process of information gathering commonly starts at the interview stage and will carry on throughout the employment relationship.  

Information you hold about staff must be protected, and safeguards put in place to make sure that you manage the use and disclosure of that information only as necessary for a legitimate and lawful business purpose.  

With the common use of cloud-based services for processing information and centralised administrative processes for larger companies, it is possible that information may be transferred beyond the location where it was collected. This may create legal issues to consider.

The Privacy Act 2020 preserves and carries forward a number of safeguards that we are familiar with from the previous Act. Employees have a right to access personal information held about them, and care must be taken by employers about what information is kept and how that is done.

Complaints about a breach of privacy rights can be pursued with the Privacy Commissioner in the first instance and ultimately through the Human Rights Review Tribunal.  

One significant change in the 2020 Act is a new Information Privacy Principle (IPP) containing a number of controls on the disclosure of personal information to foreign agencies or persons.   This follows international regulation in a number of jurisdictions that already have safeguards on cross-border exchange of information. 

This new IPP may be relevant to employers who rely on offshore agencies to assist in processing information, or if sharing is required with foreign entities, even if it is for lawful business purposes.  

If you are employing staff you may need to turn your mind to whether adequate measures are in place to meet the rules regarding cross-border exchange of information.     

The intent of the new laws is to ensure that information being sent outside of New Zealand will be subject to the same safeguards as apply under our local legislation. 

IPP 12 explained

New IPP 12 under the Act provides that personal information may only be disclosed offshore if the foreign entity or person:

• Is carrying on business in New Zealand and is subject to the Privacy Act,
• Is subject to privacy laws that overall, provide comparable safeguards to those in the Privacy Act, or
• Is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example, by way of a binding contractual term expressly requiring safeguards to be put in place),
• Is subject to the privacy laws of a country that has been prescribed in regulations by the New Zealand government as providing comparable safeguards (regulations have yet to be promulgated).

The individual may also consent to the disclosure, after being expressly informed that the foreign entity may not be required to protect the information in a way that, overall, provides comparable safeguards to those in the Act.   

If consent has not previously been obtained through an employment agreement or other signed policy, it may be difficult to later obtain that consent. 

You may also be able to enter into an agreement with the foreign agency to contractually require the same safeguards to be applied to the information. The Office of Privacy Commissioner provides an example agreement to consider for this purpose. It may be necessary to consider whether this will be a practical or workable solution, depending on the location of the recipient agency. In particular consider what options will there be around enforcement if there was a breach of the contract. 

Some exchange is permissible if the disclosure is for the storage or processing of information on your behalf (as an agent). This would apply to cloud-based data services based outside of New Zealand.   

You will however still be responsible for ensuring that the agency handles the personal information in accordance with the New Zealand Privacy Act. 

Employers are advised to consider their contractual provisions or privacy policies dealing with personal information and make sure that they are adequate to address the provisions in the 2020 Act.   

Jo Douglas is a partner at Douglas Erickson, Employment Lawyers. Email: [email protected]. This article is written for the purposes of providing genera information only and is not intended to be legal advice.