Engaging a new service provider – first do privacy due diligence

The Privacy Act places obligations on businesses and organisations that collect personal information to keep the information safe and secure, and to use and share it appropriately.  

Those obligations continue even where the personal information has been passed on to a third party service provider (such as a cloud storage service). In practice, it’s much more difficult for a business or organisation to keep an eye on privacy compliance when not physically in control of the information. 

Unfortunately, if things go wrong for the service provider while they’re holding personal information on your behalf, that can have major implications for your business or organisation. You could be liable for a privacy breach that arose out of circumstances over which you had no control, potentially having to pay compensation or fines, and facing significant reputational damage.

The possibility of privacy issues arising with the introduction of a third party provider makes it especially important for businesses and organisations to carry out thorough due diligence before engaging the third party.  

What is privacy due diligence?

Due diligence is a familiar concept in the commercial world. When you buy a business or take on a new tenant in commercial premises, you do your research to understand what you would be taking on and any associated risks. 

The same applies when your business or organisation is planning to share personal information with a third party as part of your business operations—be that a cloud storage service, email marketing service, marketing analytics provider, or similar. 

Before you hand over any personal information your business or organisation has collected, it is important to understand, and be comfortable with, the privacy practices and obligations of that third party service provider.

How do I carry out privacy due diligence?

The type of due diligence enquiries required will differ depending on the services you are engaging, but some key things to consider in most circumstances are:

  • Where is the third party based? Some countries have privacy protections comparable to, or even more rigorous than, New Zealand’s. Other countries have much less robust privacy protections, which increases the risk of transferring personal information there.
  • Will the third party use any of the personal information for their own purposes, or are they just processing or holding it on your behalf? If they will use it for their own purposes, you may have extra obligations to comply with under the Privacy Act, especially if they’re based outside of New Zealand.
  • Do they have a privacy policy? If yes, how thorough is it? A privacy policy is a good way to get a sense of a third party’s approach to privacy. A detailed policy suggests they have turned their minds to privacy. A light or incomplete policy suggests they may not have given privacy much thought. The policy can be used as a springboard for asking more questions of the third party.
  • Does the third party have a privacy officer (if in New Zealand), or a designated privacy representative of some kind (if outside of New Zealand)? If a third party doesn’t have someone in this position, they may not be across their privacy compliance obligations.
  • Does the third party have a data incident response plan? A response plan shows that the third party has planned for what will happen in a suspected privacy breach or data incident. A detailed response plan will often also make clear how soon you will be notified of any privacy breach or data incident affecting your information.
  • Has the third party been involved in any privacy or cyber security incidents? One way to find this out is to ask them directly, although in some cases the information may also have been publicly reported.

What if privacy due diligence raises concerns?

If your privacy due diligence into a third party service provider has raised some question marks about their practices, the first step is to ask them to explain. Even where their privacy-related documentation is lacking in detail, there may be other ways a third party can show you they have robust privacy protections in place.

If those answers aren’t forthcoming, or your concerns don’t get answered, it would be sensible to think twice about engaging the third party.  If you really want to proceed with them, consider agreeing specific terms around privacy in writing. You may need the third party to warrant to you that they will comply with privacy law and provide an indemnity to you if they fail to do so. 

Duncan Cotterill’s specialist data protection and privacy lawyers can help your business or organisation assess a potential third party service provider, guide you through carrying out privacy due diligence, and help you work out how to proceed if you have any worries.  

For more information, please contact a member of our Data Protection and Privacy team.


Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.
