Good Security

IPP 12 — Cross-Border Disclosure

Rules for disclosing personal information to overseas recipients, including the Section 11 agent exception for cloud services.

Information Privacy Principle 12 — Disclosure of Personal Information Outside New Zealand

What is really being asked of the business

What this requirement is trying to protect in the real world

A good compliance programme starts by understanding the business purpose behind the requirement rather than treating it like a checklist.

Information Privacy Principle 12 governs when and how New Zealand organisations may disclose personal information to persons or organisations in other countries. Unlike IPP 3A (which takes effect in May 2026), IPP 12 is already in force and applies to every New Zealand organisation that shares personal information with overseas recipients.

The core requirement is straightforward: before disclosing personal information to an overseas recipient, a New Zealand organisation must be satisfied on reasonable grounds that the recipient is subject to privacy protections that, overall, provide comparable safeguards to those in the New Zealand Privacy Act 2020. Where comparable protections cannot be established, the organisation must either obtain the informed consent of the individual or rely on a prescribed exception.

For most New Zealand businesses, the practical question is not whether IPP 12 applies — it almost certainly does — but how to manage compliance efficiently. The answer often lies in the Section 11 agent exception, which is one of the most significant and frequently misunderstood provisions in the Privacy Act.

The Section 11 agent exception provides that where a person (the agent) processes personal information solely on behalf of another person (the principal), and does so under a contract or arrangement that prevents the agent from using or disclosing the information for its own purposes, the agent is not treated as holding the information in its own right. In practical terms, this means that when a New Zealand organisation engages a cloud service provider — such as AWS, Microsoft Azure, or Google Cloud — and that provider processes data solely under the organisation's instructions and contractual controls, the arrangement may fall under the agent exception rather than constituting a "disclosure" under IPP 12.

This distinction is critical for New Zealand businesses. A business using AWS infrastructure in Sydney to host its customer database is not necessarily "disclosing" personal information to an overseas recipient — provided the contractual arrangements establish the cloud provider as an agent acting under the organisation's control. The same principle applies to SaaS platforms, managed services, and other technology providers that process data on behalf of New Zealand organisations.

Why It Matters

Why business owners, customers, and boards pay attention to it.

Almost every New Zealand business uses at least one service where personal information is stored or processed outside New Zealand. Email platforms, customer relationship management systems, accounting software, HR tools, and cloud storage services routinely involve international data flows. Each of these represents a potential cross-border disclosure that must be assessed under IPP 12.

The Section 11 agent exception is the key to practical compliance for most businesses. When properly structured, the contractual relationship between a New Zealand organisation and its cloud service provider can establish the provider as an agent — meaning the data processing arrangement does not constitute a disclosure under IPP 12. However, this exception is not automatic. It requires appropriate contractual terms, clear limitations on the provider's use of the data, and documented evidence that the arrangement meets the agent criteria.

Where the agent exception does not apply — for example, when sharing personal information with an overseas business partner, parent company, or service provider that uses the data for its own purposes — the full IPP 12 requirements come into play. The organisation must assess whether the overseas recipient is subject to comparable privacy protections, and if not, obtain informed consent or rely on another prescribed exception.

Good Security's standard service delivery uses infrastructure in both New Zealand and Australia. We use AWS infrastructure in Sydney for AI-powered analysis capabilities, meaning client data is processed across NZ and AU environments under our control. For organisations that require all processing to remain within New Zealand — whether due to regulatory requirements, contractual obligations, or organisational policy — our Sovereign Processing add-on means every analysis, report, and AI-assisted review runs entirely on private New Zealand infrastructure.

Non-compliance with IPP 12 carries the same enforcement mechanisms as the broader Privacy Act — complaints to the Privacy Commissioner, compliance notices, and potential proceedings through the Human Rights Review Tribunal. A privacy breach involving personal information disclosed overseas without adequate protections would represent a significant aggravating factor in any enforcement action.

Key Requirements

The obligations most businesses need translated into operating reality.

This is where the framework turns into documented controls, ownership, evidence, and review cycles.

01. Reasonable Grounds for Comparable Protections

Before disclosing personal information to an overseas recipient, the disclosing organisation must be satisfied on reasonable grounds that the recipient is subject to privacy protections that, overall, provide comparable safeguards to the New Zealand Privacy Act. This assessment considers the recipient country's domestic laws, binding contractual commitments, and practical enforcement mechanisms.

02. Section 11 Agent Exception

Where a cloud service provider or other third party processes personal information solely on behalf of a New Zealand organisation — under a contract that prevents the provider from using the information for its own purposes — the arrangement may fall under the Section 11 agent exception. This means the provider is not treated as an overseas recipient, and the full IPP 12 disclosure requirements may not apply. Proper contractual arrangements are essential to rely on this exception.

03. Informed Consent as Alternative

Where comparable protections cannot be established and the agent exception does not apply, the organisation may disclose personal information overseas with the informed consent of the individual. The consent must be freely given, specific to the disclosure, and the individual must be informed that the overseas recipient may not be subject to the Privacy Act's protections.

04. Prescribed Requirements and Exceptions

The Privacy Act prescribes additional requirements and exceptions for cross-border disclosure, including where the disclosure is required by law, where it is necessary for the maintenance of the law, or where non-compliance is necessary to prevent or lessen a serious threat to public health or safety. Organisations should be aware of these additional provisions and document their applicability where relevant.

05. Record-Keeping and Documentation

Organisations must maintain records sufficient to demonstrate compliance with IPP 12, including records of overseas disclosure relationships, assessments of comparable protections, contractual safeguards in place (particularly for agent exception arrangements), and any consents obtained. These records should be maintained for as long as the disclosure relationship continues.

How Good Security Helps

Where businesses usually need practical support.

This is about building the policies, registers, evidence, and governance needed to stand up to scrutiny.

Third-Party / Vendor Risk Register

Our vendor risk register tracks all third-party service providers that receive or process personal information, recording their jurisdictions, data processing locations, privacy protections, and contractual safeguards. For each vendor, we document whether the Section 11 agent exception applies or whether the full IPP 12 cross-border disclosure requirements must be met — giving you a clear, auditable compliance position.

Personal Data Inventory

Cross-border compliance starts with knowing where your data goes. Our personal data inventory service maps every data flow involving personal information across your organisation, identifying all instances where information is processed or stored outside New Zealand — including those embedded in cloud services you may not have considered.

Privacy Impact Assessment

We conduct analyst-prepared privacy impact assessments for each cross-border disclosure relationship, evaluating whether the recipient's jurisdiction and arrangements provide comparable privacy protections and whether the Section 11 agent exception applies. Our assessments are structured, documented, and designed to withstand scrutiny from the Privacy Commissioner.

Policy Suite & Lifecycle Management

We develop the policies and procedures your organisation needs to manage cross-border disclosure compliance — including overseas disclosure policies, vendor assessment protocols, agent exception documentation templates, and data transfer procedures — so your team knows exactly what to do when new cross-border relationships arise.

Privacy Breach Readiness Report

A breach involving personal information disclosed overseas without adequate protections is a serious escalation scenario. We make sure your breach response plans account for IPP 12 considerations, including cross-border notification obligations and the additional complexity of breaches involving overseas recipients.

FAQ

Common commercial questions.

What is IPP 12?

Information Privacy Principle 12 is the provision in the New Zealand Privacy Act 2020 that governs the disclosure of personal information to persons or organisations outside New Zealand. It requires organisations to be satisfied that overseas recipients are subject to comparable privacy protections before disclosing personal information to them. IPP 12 is already in force — unlike IPP 3A, which takes effect in May 2026.

Is using AWS in Australia a 'disclosure' under IPP 12?

Not necessarily. When a New Zealand organisation uses AWS (or Azure, Google Cloud, or similar providers) and the provider processes data solely under the organisation's instructions and contractual controls, the arrangement may fall under the Section 11 agent exception. Under this exception, the cloud provider is treated as an agent acting on your behalf rather than an overseas recipient of a disclosure. However, this requires appropriate contractual terms — the provider must be contractually prevented from using the data for its own purposes. Most major cloud providers include these terms in their standard data processing agreements, but organisations should verify and document that the agent exception criteria are met.

What contracts do I need for cross-border compliance?

The specific contracts depend on your situation. For cloud services where you are relying on the Section 11 agent exception, you need a data processing agreement that establishes the provider as your agent and prevents them from using personal information for their own purposes. For genuine cross-border disclosures (where the agent exception does not apply), you may need contractual safeguards that bind the overseas recipient to handle information in accordance with standards comparable to the Privacy Act. Good Security can review your existing vendor agreements and identify gaps in your contractual coverage.

How does Sovereign Processing help with IPP 12 compliance?

Good Security's standard service delivery uses infrastructure in New Zealand and Australia — we use AWS in Sydney for AI-powered analysis. For organisations that need all data processing to remain within New Zealand, our Sovereign Processing add-on means every analysis, report, and AI-assisted review runs entirely on private New Zealand infrastructure. This eliminates the cross-border element entirely for our services, which can simplify your IPP 12 compliance position and satisfy contractual or regulatory requirements for NZ-only data processing.

Most businesses managing obligations under Information Privacy Principle 12 (Disclosure of Personal Information Outside New Zealand) start with Assurance.

If you are weighing up fit, scope, or urgency, start with the scorecard for a fast benchmark and book a consultation when you need a practical next-step plan.