Using Cloud Services? Here is What IPP 12 Means for Your Data

IPP 12 governs cross-border disclosure of personal information. Here is what NZ businesses using cloud services need to know.

7 March 2026 9 min read By Good Security

If your business uses cloud services — email, file storage, CRM, accounting software, or anything hosted outside New Zealand — you are dealing with IPP 12 whether you realise it or not.

Information Privacy Principle 12, under the Privacy Act 2020, sets out the rules for disclosing personal information to overseas recipients. Unlike IPP 3A (which takes effect in May 2026 and covers indirect collection notification), IPP 12 is already in force. It has been since the Privacy Act 2020 commenced on 1 December 2020.

This article explains what IPP 12 means in practice for New Zealand businesses using cloud services, with a focus on the Section 11 agent exception that determines whether your cloud usage is even a "disclosure" in the first place.

Current as at 7 March 2026. This article is practical guidance, not legal advice.

What IPP 12 requires

The short version: If your business uses any cloud service hosted outside New Zealand, IPP 12 already applies to you — it has been in force since 2020. The critical question is whether your cloud providers qualify as your "agents" under Section 11, which determines whether you need comparable overseas protections at all. Book a free consultation to check your cross-border data obligations. Read on for the full guide.

Before disclosing personal information to a foreign person or entity, an agency must believe on reasonable grounds that the recipient:

  1. is subject to the Privacy Act 2020 (for example, a New Zealand organisation operating overseas), or
  2. is subject to privacy laws that provide comparable safeguards to the Privacy Act, or
  3. is a participant in a prescribed binding scheme, or
  4. is covered by another prescribed exception.

Alternatively, the individual can give informed consent to the overseas disclosure after being told that the overseas recipient may not be subject to comparable privacy protections.

The key question for most NZ businesses is not whether IPP 12 applies in theory — it is whether your specific use of cloud services counts as a "disclosure" at all.

The big question: is my cloud data an overseas disclosure?

This is where Section 11 of the Privacy Act 2020 becomes critical.

Section 11 defines an "agent" relationship. When an overseas entity holds personal information solely as your agent — meaning they process it under your instructions, for your purposes, and are contractually bound to act on your behalf — the transfer is not treated as a disclosure to a foreign person. You remain the agency responsible for the information, and the overseas entity is simply holding it on your behalf.

This distinction matters because most cloud service providers operate as agents, not independent recipients of your data.

When it is NOT a disclosure (Section 11 agent)

If your cloud provider:

  • stores and processes data under your instructions
  • is contractually bound to use the data only for providing the service to you
  • does not use the data for its own independent purposes
  • has a data processing agreement that keeps you in control

...then the transfer to that provider is generally not a "disclosure" under IPP 12. The provider is your agent.

Practical examples:

  • AWS hosting in Sydney. You run your application on AWS infrastructure in the ap-southeast-2 (Sydney) region. AWS processes and stores data under your instructions, subject to a data processing addendum. This is an agent relationship — not a disclosure. Good Security, for example, uses AWS infrastructure in Sydney for AI-powered analysis. The data is processed in New Zealand and Australia under Good Security's control, with AWS acting as agent.
  • Microsoft 365 with Australian data residency. Your email and files are stored in Microsoft's Australian data centres. Microsoft acts as your data processor under the Microsoft Customer Agreement and DPA. This is generally an agent relationship.
  • Xero accounting. Xero stores your financial data (which includes personal information about employees, suppliers, and customers) on its infrastructure. Xero's terms position it as a data processor acting on your behalf.

When it IS a disclosure (needs IPP 12 assessment)

  • Microsoft 365 with global support access. While your data may be stored in Australia, Microsoft's support engineers in other countries may access it for troubleshooting. That access by personnel in non-comparable jurisdictions could constitute a disclosure that needs assessment.
  • SaaS with US-only hosting. A specialist SaaS tool stores your client data exclusively in the United States. If the provider's terms give it independent rights to use or access the data beyond providing the service, this may be a disclosure rather than an agent relationship.
  • Sharing data with an overseas partner. If you send client information to an overseas business partner who uses it for their own purposes (not as your agent), that is a disclosure under IPP 12.

What it means for NZ businesses using cloud services

Most standard cloud service usage by NZ small and mid-sized businesses will fall under the Section 11 agent exception — if proper contractual arrangements are in place. The practical steps are:

1. Audit your cloud services

List every cloud service that stores or processes personal information. For each one, identify:

  • Where the data is stored (country/region)
  • Whether the provider has a data processing agreement (DPA)
  • Whether the DPA positions the provider as your processor/agent
  • Whether support or operational access from other countries is possible

A personal data inventory is the most efficient way to do this systematically.

2. Assess each provider

For providers operating as agents (most cloud services with a DPA), confirm:

  • The contract clearly establishes an agent/processor relationship
  • Data use is limited to providing the service to you
  • The provider has appropriate security controls (SOC 2, ISO 27001, or equivalent)
  • You understand where support access may originate

For providers where the relationship is a disclosure (data shared for their independent use, or no adequate DPA), assess:

  • Whether the recipient country has comparable privacy protections
  • Whether you need to obtain individual consent
  • Whether alternative providers with better arrangements are available

3. Put contractual safeguards in place

Make sure your agreements with cloud providers include:

  • A data processing agreement or addendum
  • Restrictions on data use to providing the service
  • Notification obligations for sub-processor changes or data breaches
  • Data location commitments (if important to your organisation)

A vendor risk register helps you track these arrangements across all your providers and flag when contracts need review.

4. Document your assessment

The Privacy Act expects you to have taken reasonable steps. Documentation is your evidence. For each cloud provider, record:

  • Your assessment of whether the relationship is agent or disclosure
  • The contractual basis for your conclusion
  • Any specific safeguards you have relied on
  • The date of your assessment and when it will next be reviewed

Data residency: NZ and Australia

For businesses that want to minimise their cross-border exposure, choosing providers with Australian or New Zealand data centres is a practical step. Many major cloud platforms now offer data residency in the Australia/New Zealand region.

Good Security's own approach illustrates this in practice. Client data is processed in New Zealand and Australia, using AWS infrastructure in Sydney for AI-powered analysis. AWS operates as an agent under Good Security's control, and the NZ-AU region provides adequate privacy protections under Australian privacy law.

For organisations that need all processing to remain within New Zealand — for regulatory, contractual, or preference reasons — the Sovereign Processing upgrade ensures every AI-assisted analysis and report runs entirely on private New Zealand infrastructure. This removes even the agent-based cross-border element, providing a clear answer to any IPP 12 question: no disclosure, no cross-border transfer, no assessment required.

FAQ

Is IPP 12 new?

No. IPP 12 has been in force since the Privacy Act 2020 commenced on 1 December 2020. It is not part of the May 2026 amendments (those are IPP 3A — indirect collection notification).

Does using AWS or Azure mean I am disclosing data overseas?

Not automatically. If the cloud provider acts as your agent under a data processing agreement, the transfer is generally not a "disclosure" under Section 11 of the Privacy Act. But you need to verify the contractual arrangements and understand where support access may originate.

What about the Section 11 agent exception — does it apply to all cloud services?

It applies when the overseas entity holds your data solely as your agent — processing it under your instructions, for your purposes. Most major cloud providers (AWS, Azure, Google Cloud) operate this way under their standard data processing agreements. Smaller or niche SaaS providers may not have adequate contractual arrangements, so each one needs assessment.

What is the penalty for non-compliance with IPP 12?

The Privacy Commissioner can investigate complaints and issue compliance notices. The Human Rights Review Tribunal can award damages for interference with privacy. Beyond formal penalties, an IPP 12 breach involving personal information of clients or employees can damage trust and business relationships.

How does IPP 12 relate to IPP 3A?

They are different principles covering different situations. IPP 12 governs cross-border disclosure — sending personal information to overseas recipients. IPP 3A (effective May 2026) covers indirect collection notification — telling people when their information has been collected from a third party. For IPP 3A guidance, see our IPP 3A compliance guide.

What to do next

Every NZ business using cloud services is already subject to IPP 12 — it has been in force since 2020. If the Privacy Commissioner investigates and your cloud providers are not covered by adequate contractual arrangements, the liability sits with you, not with the provider. The good news: for most businesses, a vendor risk register and personal data inventory will confirm that standard cloud providers already qualify as agents — and where they do not, the fix is contractual, not technical.

Book a free consultation — find out whether your cloud arrangements stand up to an IPP 12 assessment before a complaint or a breach forces the question.

Need to understand indirect collection notification? See our IPP 3A compliance guide.

Need help applying this to your business?

We can help you work out whether this is an immediate issue, how exposed you are, and what a sensible next step looks like.