
Privacy Act IPP 12 and Offshore Staffing: A Practical NZ Compliance Guide

March 18, 2026 · 14 min read

The s11 agent exception, the six IPP 12 grounds, the OPC model contract clauses, and breach notification explained for NZ accountants advising clients on offshore staffing arrangements.


Under the Privacy Act 2020, offshore staff who process personal information solely on behalf of an NZ firm may fall within the section 11 agent exception. If that exception applies, the transfer is not treated as a "disclosure" and IPP 12 (the cross-border disclosure principle) is not triggered. The NZ firm remains fully responsible for the information.

For accountants advising clients on offshore staffing arrangements, the compliance pathway starts with one question: does the offshore party use client information for its own purposes? If it does not, the agent exception likely applies. If it does, or if the answer is uncertain, IPP 12 applies and one of six statutory grounds must be satisfied.

This guide walks through the s11 agent exception, the IPP 12 grounds, the OPC model contract clauses, and the breach notification framework. The route is more structured than most practitioners expect.


The Section 11 Agent Exception

Section 11 of the Privacy Act 2020 provides that where a party (A) holds personal information "for or on behalf of" another agency (B), the information is treated as held by B, not A. The transfer of information from B to A is "not a use or disclosure" under the Act.

In practical terms: if an offshore staffing company or service provider holds personal information solely for the purposes of the NZ agency, and does not use or disclose it for any of its own purposes, the Privacy Act treats the information as if the NZ agency still holds it. The transfer to the offshore party is not a "disclosure." IPP 11 (the disclosure principle) and IPP 12 (the cross-border disclosure principle) are not triggered.

The Office of the Privacy Commissioner confirmed this in November 2024 guidance on working with third-party providers:

"If the third-party provider is storing or processing the information solely on your behalf and will not use or disclose it for its own purposes, section 11 of the Privacy Act says that the third-party provider is not deemed to 'hold' the personal information for the purposes of the Privacy Act. This also means that you are not 'disclosing' the information to them. But as a result, your organisation remains fully responsible under the Privacy Act for what happens to that information. The third-party is 'you' for the purposes of the Privacy Act."

The "own purposes" boundary. The exception fails the moment the offshore party uses or discloses information for its own purposes. The OPC identifies two clear examples: using client information as AI training data, and using it to provide services to other organisations. MinterEllisonRuddWatts have signalled that the Privacy Commissioner is likely to take a strict approach to this boundary, noting that "even if the third party only uses a subset of the data or even an aggregated or de-identified dataset for its own purposes, this may still be considered a 'use' of personal information under the Privacy Act."

If a service agreement does not explicitly prohibit the offshore party from using client data for its own purposes, the agent exception is at risk.

Accountability under s11. The agent exception shifts analytical classification (who "holds" the data under the Act) but does not shift responsibility. The NZ agency remains the party accountable to affected individuals, to the Privacy Commissioner, and to regulators. Privacy Commissioner Michael Webster stated in 2024: "The law is very clear that when an agency outsources services to a third-party provider, the agency remains responsible for ensuring the data remains secure and used in a way that is compliant with the Privacy Act. At the end of the day, if your third-party provider has a privacy breach, it's your problem as well."

A practical caveat. No specific OPC determination or case note directly addresses whether offshore staffing arrangements qualify as agent relationships under section 11. The available OPC guidance focuses on third-party providers as organisations (cloud services, data processors) rather than the scenario of staff employed by a separate overseas entity but working under the NZ agency's day-to-day control. Law firm commentary strongly suggests s11 would apply to properly structured offshore staffing arrangements, but multiple firms recommend a conservative approach: contractual protections should be in place regardless of whether s11 applies.

Section 11(1) was broadened on 30 November 2022 (by section 94 of the Statutes Amendment Act 2022) from the original "holds information as an agent for" to the current "holds information for or on behalf of," including "as a representative or agent, or for safe custody or processing."


When IPP 12 Applies: The Six Grounds for Cross-Border Disclosure

Where the section 11 agent exception does not apply, or where the arrangement is uncertain, the transfer constitutes a "disclosure" to a foreign party. IPP 12 (set out in section 22 of the Privacy Act 2020) then requires at least one of six statutory grounds to be satisfied.

  1. Individual authorisation (IPP 12(1)(a)). The individual expressly authorises the disclosure after being informed that the recipient may not provide comparable safeguards. This requires genuinely informed, specific consent. It is impractical as a general compliance mechanism for ongoing offshore arrangements involving multiple individuals' data.

  2. Recipient carries on business in NZ (IPP 12(1)(b)). The offshore entity carries on business in New Zealand and is subject to the Privacy Act in relation to the information. This may apply to some multi-jurisdictional providers, but will not cover a pure offshore staffing arrangement where the provider operates solely from the overseas jurisdiction.

  3. Comparable foreign privacy laws (IPP 12(1)(c)). The disclosing agency has reasonable grounds to believe the recipient is subject to privacy laws that, overall, provide comparable safeguards. This is a judgement call. One important qualification for NZ-AU transfers: the Australian Privacy Act contains exceptions for small businesses and does not cover employee records. For NZ organisations disclosing employee information to Australia, it may be arguable that Australian privacy law does not constitute "comparable" safeguards for that specific category of information.

  4. Prescribed binding scheme (IPP 12(1)(d)). The recipient participates in a scheme prescribed by regulations under section 213. As of March 2026, no binding schemes have been designated. This ground is currently unavailable.

  5. Prescribed country (IPP 12(1)(e)). The recipient is subject to the laws of a country prescribed by regulations under section 214. As of March 2026, no countries have been prescribed. This ground is also currently unavailable.

  6. Other comparable safeguards (IPP 12(1)(f)). The disclosing agency has reasonable grounds to believe the recipient is otherwise required to protect the information comparably. A contractual agreement requiring the offshore party to observe protections equivalent to those in the Privacy Act is the primary example. This is the most practically accessible ground for offshore staffing arrangements, and the ground for which the OPC model contract clauses are designed.

For most offshore staffing arrangements where IPP 12 applies, ground (f) via contractual comparable safeguards is the practical compliance pathway.


OPC Model Contract Clauses

Where the compliance pathway runs through IPP 12(1)(f), the OPC's Model Contract Clauses Agreement for IPP 12 Cross-border Privacy Transfers is the recommended tool. The model agreement was developed by Chapman Tripp, commissioned by the Privacy Commissioner, and published on 19 November 2020.

The agreement has two parts. Part 1 ("The Details") is a fill-in section where the parties specify: the start date, party details, a description of the personal information being transferred, permitted uses, permitted disclosures, security requirements, categories of sensitive information, breach notification responsibilities, deletion events, applicable local data laws, termination terms, and notice addresses. Part 2 ("General Terms") contains the standard legal clauses drafted by Chapman Tripp, requiring no fill-in but modifiable with caution.

Key obligations on the overseas recipient (Part 2):


The model agreement is not mandatory. The OPC explicitly states: "The model contract is just that, a set of 'model' clauses. Parties are free to negotiate and modify the clauses as they see fit." And: "By itself, the Model Agreement cannot guarantee compliance with IPP 12, but it will deliver much better results than most 'DIY' efforts."

One qualifier: the OPC's guidance notes the model agreement may not be adequate for transfers to countries without a fair, reliable, and accessible court system, or countries with laws that would undercut the protections.

The model agreement, guidance documents, and an online Agreement Builder are available on the OPC website at privacy.org.nz/responsibilities/disclosing-personal-information-outside-new-zealand/.

When model clauses are not needed. If the section 11 agent exception applies, the model clauses are not required for IPP 12 compliance (because IPP 12 is not triggered). However, the OPC and multiple law firms recommend contractual protections regardless of s11 status, because the NZ agency remains fully responsible and the service agreement is what maintains the agent exception.


Breach Notification: The 72-Hour Question

What the statute requires. Section 114 of the Privacy Act 2020 requires an agency to notify the Privacy Commissioner "as soon as practicable" after becoming aware that a notifiable privacy breach has occurred. Section 115 requires the same standard for notifying affected individuals. There is no numerical timeframe in the statute. "As soon as practicable" is the entire standard.

What the OPC has said about 72 hours. The OPC published guidance (first in June 2021, reiterated in May 2024) setting an expectation of 72 hours. The exact wording: "Our expectation is that you will do this within 72 hours of becoming aware that it's a notifiable breach. This timeframe is a guide only and is intended to initiate prompt notification to us."

The 72-hour figure is borrowed from EU GDPR Article 33(1), where it is a statutory requirement. Under NZ law, it is OPC guidance only and is non-binding. The 72-hour window runs in calendar hours, not business hours. Weekends count. The clock runs from the point at which the agency becomes aware that the breach constitutes a notifiable privacy breach (after assessing serious harm), not from first discovery of any potential issue.

Agent knowledge attribution. Sections 120 and 121 of the Privacy Act 2020 were amended by the Statutes Amendment Act 2025 (in force 27 November 2025). The amendments inserted a definition of "agent" into section 120(6) aligned with section 11 terminology: a person who holds information "for or on behalf of" the principal agency.

The practical effect: when an offshore provider acting as an agent becomes aware of a privacy breach, that knowledge is immediately attributed to the principal NZ agency. The 72-hour guidance window begins running from when the agent knows, not from when the NZ agency is informed.

MinterEllisonRuddWatts, analysing the Bill in October 2024, recommended that principal agencies include contractual requirements for providers to notify them of breaches within 24 to 48 hours of the provider becoming aware. This buffer is necessary to give the principal time to assess seriousness and notify the OPC within the guidance window.

Penalty context. Failure to notify the Privacy Commissioner is a criminal offence under section 118, carrying a maximum fine of $10,000 NZD. The NZ agency may also face civil liability under the Privacy Act. Privacy Commissioner Michael Webster, in the December 2025 five-year review, called for multi-million dollar fines, a right to erasure, and robust AI controls. The current $10,000 maximum may not persist.

Jurisdiction comparison:


What to Check in Client Arrangements

When reviewing a client's offshore staffing arrangement for privacy compliance, the following items cover the critical assessment points. This is a first-assessment framework for accountants reviewing existing contracts, not a substitute for specific legal advice on contract drafting or regulatory determinations.

Arrangement structure

  • Who provides the offshore staff: a dedicated staffing company, a BPO provider, or direct employment?

  • Under whose day-to-day direction and control do the offshore staff operate?

  • Does the offshore entity provide services to other clients using the same staff or systems?

Agent status

  • Does the service agreement restrict the offshore party to processing personal information only for the client's purposes?

  • Does the agreement explicitly prohibit the offshore provider from using the information for AI training, product development, benchmarking, analytics for other clients, or any other own purpose?

  • Does the agreement state that the offshore party acts as agent for the NZ agency in relation to personal information?

Security and safeguards

  • Does the contract require the offshore party to maintain security standards consistent with the OPC model clause definition: "at least the standard generally expected globally from a reasonable and prudent processor of similar personal information"?

  • Does the agreement address physical security, system access controls, and data segregation?

Breach notification

  • Does the contract require the offshore party to notify the NZ agency of any actual or suspected privacy breach within 24 to 48 hours of the provider becoming aware?

  • Is it clear that this internal notification window feeds into the NZ agency's obligation to notify the Privacy Commissioner under section 114?

  • Does the agreement specify who is responsible for notifying affected individuals?

Sub-agents and third parties

  • Does the agreement require the offshore party's own sub-contractors to be bound by equivalent obligations?

  • Does it require the offshore party to notify the NZ agency before engaging any sub-agent who will handle personal information?

Ongoing compliance

  • Does the agreement include audit rights or periodic review mechanisms?

  • Does it specify what happens to the information on contract termination (deletion or return)?

  • If the offshore arrangement is with an Australian provider, does the agreement address the employee records gap in the Australian Privacy Act, particularly for payroll processing?


Frequently Asked Questions

Does the NZ Privacy Act apply to offshore staff?

The Privacy Act 2020 applies to agencies that carry on business in New Zealand, regardless of where their staff are located. An NZ business that uses offshore staff to handle client personal information remains subject to all Privacy Act obligations for that information. The Act does not create separate rules for offshore arrangements. It applies to the NZ agency, which is responsible for the information regardless of where processing occurs.

What is the section 11 agent exception?

Section 11 provides that where an offshore party holds personal information solely for or on behalf of an NZ agency (and does not use or disclose it for its own purposes), the information is treated as held by the NZ agency, not the offshore party. The transfer is not a "disclosure" under the Act, so IPP 12 is not triggered. The NZ agency remains fully responsible. If the offshore party uses the information for any of its own purposes, even in aggregated or de-identified form, the exception does not apply to that use.

Do I need OPC model contract clauses for offshore staff?

Not necessarily. The model clauses are relevant where IPP 12 is triggered (that is, where the arrangement constitutes a "disclosure" rather than an agent relationship under section 11). If the offshore party is a true agent processing solely for the NZ agency's purposes, IPP 12 is not triggered and the model clauses are not required to satisfy it. However, the OPC and law firm commentary consistently recommend contractual protections regardless of s11 status, because the NZ agency remains fully responsible and the service agreement is what maintains the agent exception.

What is the 72-hour breach notification requirement?

The 72-hour figure is OPC guidance, not a statutory requirement. Section 114 of the Privacy Act 2020 requires notification to the Commissioner "as soon as practicable," with no numerical timeframe. The OPC published 72-hour guidance in June 2021, describing it as "a guide only." For businesses using offshore staff, sections 120 and 121 (as amended November 2025) attribute the agent's knowledge of a breach immediately to the principal NZ agency. The clock runs from when the offshore provider becomes aware, not from when the NZ agency is informed.

Does IPP 12 apply if I use a Philippine or Indian staffing company?

It depends on the arrangement structure, not the country. Neither the Philippines nor India is a "prescribed country" under section 214 (no countries have been prescribed as of March 2026). The starting point is the section 11 question: does the staffing company use personal information for its own purposes, or solely to provide staff working under the NZ agency's direction? If the staffing company operates shared platforms, uses client data for its own services, or commingles data across clients, IPP 12 is likely triggered and a compliance ground must be established, most practically IPP 12(1)(f) via contractual safeguards.


The privacy compliance framework is one dimension of the broader advisory landscape for accountants advising clients on offshore staffing. The financial case, operational structure, employment classification, and cultural navigation each carry their own frameworks.

For the complete advisory framework, including financial modelling, regulatory requirements, and client conversation guidance, see the NZ Accountants' Guide to Advising on Offshore Solutions.
