Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential to validating recipients located in other nations. Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside the country;
- people/entities outside the country being able to access or "see" personal data held in the country; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
When transferring personal employee information outside New Zealand, the employee’s consent must be obtained. Employers in New Zealand can only disclose personal information to a foreign person or entity if (the Privacy Act 2020, Information Privacy Principle 12):
- the individual authorizes the disclosure after being expressly informed that the foreign party may not be required to protect the information in a way that is comparable to the safeguards required under New Zealand’s Privacy Act;
- the foreign entity has business in New Zealand and the employer believes on reasonable grounds that the foreign entity is subject to the Privacy Act;
- the employer reasonably believes that the foreign entity is subject to privacy laws that provide comparable safeguards to those in the Act;
- the employer reasonably believes that the foreign entity is a participant in a prescribed binding scheme (i.e., an internationally recognized scheme to protect personal information);
- the employer reasonably believes that the foreign entity is subject to privacy laws of a prescribed country (i.e., a New Zealand government authorized country); or
- the employer otherwise reasonably believes that the foreign entity is required to protect personal information in a way that’s comparable to the safeguards in the Privacy Act (e.g., through a contractual agreement).
The above requirement does not apply if the personal information is disclosed to the foreign entity to meet one of the following requirements and it’s not reasonable to comply with the above:
- to avoid prejudice to the maintenance of the law by any public sector agency;
- to enforce a law that imposes a financial penalty;
- to protect public revenue; or
- for the conduct of proceedings before a court or tribunal.
When an employee joins a company, they should be given a notice at the start of their employment that advises them where their personal information may be transferred, the purpose of the transfer and which information may be transferred internationally. The notice should also include the circumstances in which consent may not be obtained.
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Employee consent must generally be obtained when transferring personal information outside New Zealand. When transferring personal data internationally, ensure that data will continue to receive an adequate level of protection, comparable to New Zealand’s privacy laws.