The New Zealand Privacy landscape is always lively, and 2025 has proven to be a particularly dynamic year for practitioners across the motu. With the sector having prepared for the implementation of Information Privacy Principle 3A (notification of indirect collection), and having busily interpreted the requirements of the Biometrics Processing Code, attention has also been turned to operationalising the Government Chief Digital Officer’s (GCDO) Standard for enabling access to, or collection of, government-held personal information by non-government third parties.
The Standard, when implemented successfully, will represent a real opportunity for both the public sector and their private sector counterparts to excel at information sharing. The introduction of the Standard provides a timely opportunity for all agencies to further the good work already done in the Privacy space, and to take stock on several fronts. Agencies will be assessing both their information sharing arrangements, and taking a strategic view of how these arrangements are managed.
There is a common misconception that Privacy effectively means that you cannot do anything with personal information. When managed correctly however, personal information that is protected and treated with respect can drive a real strategic advantage. When well implemented, potentially through using emerging technologies and modern trust management tools, sharing of personal information in line with the Standard can act as a driver for time- and cost-effective delivery of public services.
In the 2020s age of Cloud and “as a service”, third parties are frequently involved in the delivery of these public services. Agencies will need to manage the operational implications that third parties (with their own risks, motivations, and potentially opaque practices in privacy and security) will inevitably introduce. The Standard provides a timely framework through which to do so.
A key requirement of the Standard is that agencies must retain responsibility for their personal information in all circumstances, including when it is being shared with these third parties. While the third party has their own responsibilities under the Privacy Act, this alone does not provide sufficient validation that information will be protected to the agency’s standards. The new Standard requires an arrangement resembling the processor/sub-processor relationship that exists under the European Union’s General Data Protection Regulation, where agencies remain responsible and must actively perform due diligence on their information sharing partners. This process must be actively managed, fully documented, and in most cases legally formalised through contractual controls.
As is often the case in the domain of privacy (where the answer to most questions is invariably “it depends”), the implementation of the Standard is unlikely to follow a singular or uniform approach. This process must always begin with a thorough risk assessment. There are several forms this assessment could take, given that the application of the Standard requires careful consideration and contextual adaptation. While the core aim is common to all agencies (assurance that information is adequately protected when held by third parties), it is anticipated that each agency will develop its own operational interpretation, tailored to its specific risk profile and information sharing requirements.
This could look like an updated Privacy Impact Assessment template with sections targeting risk against IPPs 11 and 12, or its own additional assessment. It could be bundled with the Procurement function, or sit with Risk, or be the purview of a Legal team. Wherever the responsibility lands, it is key that the assessment of risk and associated controls (or at the very least their review) is carried out by experienced privacy and information-sharing professionals.
Once agreed upon and formalised, the information sharing assurance process must then be operationalised. This means that the teams driving the sharing of information must be clear on their responsibilities in this space, both to assess risk associated with their initiative and then to put in place the controls that mitigate it. Regular follow-ups must ensure that the agreed-upon protections for personal information are actively being carried out.
A key guarantor against protections becoming obsolete is the requirement for agency Chief Executives to ensure that the Standard is being demonstrably implemented, with agencies compelled to keep records of their ongoing compliance. This alone could create a significant resourcing demand, depending on the tooling and approach. Agencies will need to define what compliance looks like, and implement a consistent means of tracking and demonstrating the efficacy of assessments and assurance activities.
Another challenge is spreadsheet proliferation, with said spreadsheets being a common method of tracking completed PIAs and Information Sharing Agreements. There are limits to Excel for record keeping though, and manual tracking of compliance is burdensome. This is an area where Third Party Risk/Trust Management software tools could likely deliver real benefits. Many are at least partially AI-powered, providing a potential avenue for public sector agencies to demonstrate the willingness to explore the efficiencies in this area encouraged by the Public Sector AI Framework.
This may represent a significant initial cost and time investment in some cases, but could be a novel demonstration of the sector’s willingness to harness new technologies in the name of achieving a social good. Such tools also provide a centralised repository of third parties, their documentation, and communications with them. Most can support automation and the end-to-end assurance workflow, and can be integrated with MS tools, sending out reminders to assigned individuals or teams that assurance activities will need to be followed up on. The introduction of the Standard provides an opportunity to move beyond the limitations of spreadsheets. There are alternatives to Excel, and many of them can offer real efficiencies.
Bastion recommends the following steps when responding to the Standard:
1. Understand Your Information Sharing Landscape
The first step to reducing risk is to understand what personal information your agency holds, where it’s located, and who it’s being shared with. Ideally, your agency will have existing registers for Information Sharing Agreements, Certification and Accreditations (C&As), and Privacy Impact Assessments that can act as a starting point. If not, the introduction of the Standard provides a timely opportunity to investigate how this crucial data can be collated and tracked.
2. Triage Information Sharing Partners
Take stock of where your highest risk lies, and plan to tackle it incrementally – but swiftly. The Standard inherently requires agencies to carry out a risk assessment across all existing contracts, triaging those that require immediate update and those that can wait until the next planned review. Your agency’s resourcing will be best directed where your information sharing poses the highest privacy and security risks. This could be where a substantial volume of personal information is being shared, where the information shared is particularly sensitive, or where known concerns with the information sharing partner are present.
3. Assess Your Information Sharing
Managing information risk requires active vigilance across several fronts – understanding your agency’s current state, maintaining visibility of who information is being shared with and how, and assessing risk across each of those instances. The Standard helpfully provides a list of due diligence factors that agencies must consider when making these assessments. Acting as both a record of the conditions for sharing personal information, and as something of a targeted PIA, the assessment should identify where privacy and security risks exist, and provide a pathway towards protecting personal information.
4. Target Risks to Achieve Compliance
Information sharing is both legally and operationally complex, and there are a number of risk factors that could manifest into real issues if left unchecked. By ensuring that, to the fullest extent possible, risks surfaced through the assessment process are addressed and mitigated, agencies can minimise the possibility of harm occurring for the people whose information they hold, as well as the associated reputational risk this would inevitably introduce.
These initiatives will require more than a one-off risk assessment. To ensure risks identified during the assessment process are meaningfully addressed, agencies must embed assurance activities into business-as-usual operations, beyond the lifetime of a standard implementation project or initiative. This includes establishing clear ownership of information sharing relationships and activities, regular review cycles, and the accountability mechanisms necessary to prevent the gradual erosion of safeguards over time. Without this sustained focus, even the best frameworks risk becoming obsolete.
There’s a great deal to consider for agencies implementing the Standard, and for those looking for additional support in doing so, Bastion Security has a strong base of expertise in working with information risk frameworks and assessing third parties. If you would like to reach out to us to discuss how we can support you, please contact info@bastionsecurity.co.nz or visit us at bastionsecurity.co.nz.
