Information Privacy Principle 12 — Disclosure of Personal Information Outside New Zealand
The data's offshore. The answer needs to be here
Usually becomes relevant when staff or customer data touches offshore cloud platforms, vendors, or overseas partners — and you need to show which arrangements are actually compliant.
This page helps when
- Staff or customer data already touches offshore cloud platforms, vendors, or partners
- You need to show which arrangements rely on the Section 11 agent exception and which need stronger safeguards
- A buyer, board, or privacy review is asking for evidence rather than assumptions
Best next move
Start with Baseline.
Use the scorecard for a fast benchmark, then move into a working session when this requirement is already affecting customers, insurers, procurement, or internal accountability.
Where This Starts To Hurt
The buyer moment that makes this rule urgent
The moment usually arrives when a customer, an auditor, or the Privacy Commissioner asks where personal data actually leaves New Zealand
IPP 12 becomes relevant the moment personal information leaves New Zealand, or is processed by providers outside New Zealand. For most organisations, that is not a fringe case. Email, CRM, HR, finance, support, and cloud platforms regularly create international data flows, even when your organisation is fully local.
The core question is not just whether data goes offshore. It is what kind of relationship sits behind that transfer. If an overseas provider is acting only on your instructions under the right contractual terms, the Section 11 agent exception may mean the arrangement is not treated as a disclosure in the full IPP 12 sense. If the recipient is using the information in its own right, the analysis is different, and the organisation needs a stronger compliance position.
That is why IPP 12 is really a documentation and decision problem. You need to know which vendors are involved, where processing happens, what contracts say, and which arrangements rely on the agent exception versus full cross-border disclosure rules. Without that, it is very easy to assume the position is fine without being able to prove it.
What Starts Breaking
What stalls: deals, audits, or insurer renewals
IPP 12 matters because most organisations already have cross-border data exposure whether they talk about it or not. The risk is not only where the data sits. It is whether you can explain, evidence, and defend why each overseas arrangement is acceptable under the Privacy Act.
This becomes especially important during privacy reviews, enterprise due diligence, and breach scenarios. If an incident involves offshore processing and no one can show what legal basis or contractual protection was relied on, the organisation looks unprepared very quickly.
It also affects vendor decisions. Some businesses are comfortable managing a documented Australia- or US-based processing model. Others need NZ-only handling because of customer commitments, regulatory settings, or board preference. IPP 12 is the rule that separates those positions and forces you to be explicit.
What You Will Need To Prove
The first controls, owners, and evidence to put in place
The Section 11 agent exception versus full cross-border disclosure is the pivot — the cloud contract and the subprocessor chain carry first weight
Reasonable Grounds for Comparable Protections
Before disclosing personal information to an overseas recipient, the disclosing organisation must be satisfied on reasonable grounds that the recipient is subject to privacy protections that, overall, provide comparable safeguards to the New Zealand Privacy Act. This assessment considers the recipient country's domestic laws, binding contractual commitments, and practical enforcement mechanisms.
Section 11 Agent Exception
Where a cloud service provider or other third party processes personal information solely on behalf of a New Zealand organisation — under a contract that prevents the provider from using the information for its own purposes — the arrangement may fall under the Section 11 agent exception. This means the provider is not treated as an overseas recipient, and the full IPP 12 disclosure requirements may not apply. Proper contractual arrangements are essential to rely on this exception.
Informed Consent as Alternative
Where comparable protections cannot be established and the agent exception does not apply, the organisation may disclose personal information overseas with the informed consent of the individual. The consent must be freely given, specific to the disclosure, and the individual must be informed that the overseas recipient may not be subject to the Privacy Act's protections.
Prescribed Requirements and Exceptions
The Privacy Act prescribes additional requirements and exceptions for cross-border disclosure, including where the disclosure is required by law, where it is necessary for the maintenance of the law, or where non-compliance is necessary to prevent or lessen a serious threat to public health or safety. Organisations should be aware of these additional provisions and document their applicability where relevant.
Record-Keeping and Documentation
Organisations must maintain records sufficient to demonstrate compliance with IPP 12, including records of overseas disclosure relationships, assessments of comparable protections, contractual safeguards in place (particularly for agent exception arrangements), and any consents obtained. These records should be maintained for as long as the disclosure relationship continues.
How We Help You Answer It
When the business usually calls us
We usually get called after a Commissioner query or procurement lands — the answer needs a disclosure map and proof the recipient is contractually bound
Track The Suppliers That Could Expose The Business
Our vendor risk register tracks all third-party service providers that receive or process personal information, recording their jurisdictions, data processing locations, privacy protections, and contractual safeguards. For each vendor, we document whether the Section 11 agent exception applies or whether the full IPP 12 cross-border disclosure requirements must be met — giving you a clear, auditable compliance position.
Stop searching ten systems every time a customer asks for their data
Cross-border compliance starts with knowing where your data goes. Our personal data inventory service maps every data flow involving personal information across your organisation, identifying all instances where information is processed or stored outside New Zealand — including those embedded in cloud services you may not have considered.
Catch privacy risk before the project launches
We conduct analyst-prepared privacy impact assessments for each cross-border disclosure relationship, evaluating whether the recipient's jurisdiction and arrangements provide comparable privacy protections and whether the Section 11 agent exception applies. Our assessments are structured, documented, and built to hold up to Privacy Commissioner scrutiny.
Stop Maintaining Policies Nobody Actually Reads
We develop the policies and procedures your organisation needs to manage cross-border disclosure compliance — including overseas disclosure policies, vendor assessment protocols, agent exception documentation templates, and data transfer procedures — so your team knows exactly what to do when new cross-border relationships arise.
Know Who Gets Told, When, And What, The Moment A Breach Hits
A breach involving personal information disclosed overseas without adequate protections triggers the toughest version of the notification process. We make sure your breach response plans account for IPP 12 considerations, including cross-border notification obligations and the additional complexity of breaches involving overseas recipients.
Remember every security promise across every contract
Many enterprise customers now send their own cross-border disclosure clauses ahead of contract — specific jurisdictions, data-residency conditions, sub-processor approvals. The customer requirements register tracks those obligations per customer so you meet each one without rediscovering them at renewal.
If You Need The Detail
Related reading for the implementation detail
Related reading on cloud data sovereignty, the Section 11 agent test, and the subprocessor-disclosure chain IPP 12 reviews end up requesting
Insight
Using cloud services? Here's what IPP 12 means for your data
IPP 12 governs cross-border disclosure of personal information. Here is what NZ businesses using cloud services need to know.
Insight
IPP 3A starts May 2026. You need a process
IPP 3A changes the rules for referrals, background checks, partner handoffs, and any other indirect collection. What NZ businesses need to fix before 1 May 2026.
Questions Before A Decision
The questions that come up before the contract
What is IPP 12?
Information Privacy Principle 12 is the provision in the New Zealand Privacy Act 2020 that governs the disclosure of personal information to persons or organisations outside New Zealand. It requires organisations to be satisfied that overseas recipients are subject to comparable privacy protections before disclosing personal information to them. IPP 12 is already in force — unlike IPP 3A, which takes effect in May 2026.
Is using AWS in Australia a 'disclosure' under IPP 12?
Not necessarily. When a New Zealand organisation uses AWS (or Azure, Google Cloud, or similar providers) and the provider processes data solely under the organisation's instructions and contractual controls, the arrangement may fall under the Section 11 agent exception. Under this exception, the cloud provider is treated as an agent acting on your behalf rather than an overseas recipient of a disclosure. However, this requires appropriate contractual terms — the provider must be contractually prevented from using the data for its own purposes. Most major cloud providers include these terms in their standard data processing agreements, but organisations should verify and document that the agent exception criteria are met.
What contracts do I need for cross-border compliance?
The specific contracts depend on your situation. For cloud services where you are relying on the Section 11 agent exception, you need a data processing agreement that establishes the provider as your agent and prevents them from using personal information for their own purposes. For genuine cross-border disclosures (where the agent exception does not apply), you may need contractual safeguards that bind the overseas recipient to handle information in accordance with standards comparable to the Privacy Act. Good Security can review your existing vendor agreements and identify gaps in your contractual coverage.
How does Sovereign Processing help with IPP 12 compliance?
Good Security's standard service delivery uses infrastructure in New Zealand and Australia, including AWS in Sydney for analysis and report production. For organisations that need all data processing to remain within New Zealand, our Sovereign Processing add-on means every analysis, report, and review runs entirely on private New Zealand infrastructure. This eliminates the cross-border element entirely for our services, which can simplify your IPP 12 compliance position and satisfy contractual or regulatory requirements for NZ-only data processing.
Need a clearer answer on IPP 12 — Cross-Border Disclosure?
A working session maps every cross-border data flow, tests which fall under Section 11, and produces the evidence pack IPP 12 rests on