Reminder: The public consultation period on the guidance closes on 15th December 2008. So anyone who would like to be heard, please leave a comment here or send us an email to ict.offshore@ssc.govt.nz.
As promised, a post about personal information and offshore providers.
Scenario 1
You’ve put your tender out. And because you know the project will involve personal information, you made sure to include a clause about compliance with the New Zealand Privacy Act or a similarly protective privacy regime. One response came from an Australian company. Can/should you automatically exclude that response from consideration? Answer: No
Why?
The New Zealand Privacy Commissioner and the Australian Federal Privacy Commissioner have signed an agreement to cooperate on cross-border enforcement of privacy law. This is not an automatic “go for it” but does provide you with room to explore how that agreement might be incorporated into a contract or otherwise serve as the basis for mitigating concerns about compliance with the Privacy Act 1993.
Scenario 2
A second response came from a Singaporean company. You don’t even know if they have a Privacy Commissioner. What now? Again, you don’t necessarily have to exclude that response.
Why?
Although Singapore does not have a general privacy or data protection law, it has a reputation for a squeaky clean commercial law regime. In 2008, they ranked right behind New Zealand (first equal, we were) in Transparency International’s Corruption Perceptions Index. So again, you may be able to adequately address privacy concerns through appropriate contractual terms, including New Zealand for choice of law, and have those terms enforced through Singapore’s legal system.
Lawyers again?
And if you find yourself in the situation of needing to discuss contractual terms to protect personal information with your lawyer, the Guidance (yes, in the Privacy Section and in the Risks & Mitigations Section) has some useful resources, for example:
- The European Commission publishes information on decisions about the adequacy of non-EU countries’ data protection regimes at http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm
- The EU also publishes Standard Clauses for the Transfer of Personal Data to Third Countries
- The OECD publishes a Recommendation on Consumer Dispute Resolution and Redress and Recommendation on the Cross-border Enforcement of Laws Protecting Privacy.
- The International Chamber of Commerce publishes standard contractual frameworks for data protection at http://www.iccwbo.org/id911/index.html
- The Electronic Privacy Information Centre (a US NGO) publishes an annual survey of privacy protection around the world at http://epic.org/bookstore/
So, there’s no need to feel you have to create everything from scratch. Judicious adoption and adaptation may be all that’s required. And don’t forget the general advice on legal and commercial risks and their mitigations.
