If you work frequently on issues under the Privacy Act, one of the topics you’ll have addressed over the years is the position where an agency (let’s call it the “Primary Agency”) uses another agency or organisation (let’s call it the “Processing Agency”) to store or process personal information for the Primary Agency. In this scenario, under section 3(4) of the Privacy Act 1993, the personal information is deemed to be held by the Primary Agency, and not the Processing Agency, as long as the Processing Agency doesn’t use or disclose the information for its own purposes.
This is what section 3(4) says:
3 Information held by agency
… (4) For the purposes of this Act, where an agency holds information—
(a) solely as agent; or
(b) for the sole purpose of safe custody; or
(c) for the sole purpose of processing the information on behalf of another agency,—
and does not use or disclose the information for its own purposes, the information shall be deemed to be held by the agency on whose behalf that information is so held or, as the case may be, is so processed.
This provision is particularly significant because, when it applies, the Processing Agency’s receipt of information is not a “collection” for the purposes of the information privacy principles that deal with collection, and the Primary Agency’s provision of the information to the Processing Agency is not a “disclosure” for the purposes of information privacy principle 11.
This is not a provision that one would have expected to change much in the Privacy Act 2020. However, the wording did change. The equivalent section in the Privacy Act 2020 is section 11. This is what it says:
11 Personal information treated as being held by another agency in certain circumstances
(1) This section applies if an agency (A) holds information as an agent for another agency (B) (for example, the information is held by A on behalf of B for safe custody or processing).
(2) For the purposes of this Act, the personal information is to be treated as being held by B, and not A.
(3) However, the personal information is to be treated as being held by A as well as B if A uses or discloses the information for its own purposes.
(4) For the purposes of this section, it does not matter whether A—
(a) is outside New Zealand; or
(b) holds the information outside New Zealand.
(5) To avoid doubt, if, under subsection (2), B is treated as holding personal information,—
(a) the transfer of the information to A by B is not a use or disclosure of the information by B; and
(b) the transfer of the information, and any information derived from the processing of that information, to B by A is not a use or disclosure of the information by A.
My focus in this post is on section 11(1) and (2), not 11(3). Section 11(3) did make a clarifying change, but what I’m focusing on here, in particular, is the change of wording in section 11(1).
Has there been a narrowing in scope?
What we now see in section 11 is the result of amendments to what was clause 8 of the Bill, at the Select Committee stage. Before the Privacy Bill reached the Select Committee, clause 8 was materially similar to section 3(4) of the 1993 Act. Clause 8 said this:
8 Personal information treated as being held by agency in certain circumstances
(1) For the purposes of this Act, personal information is treated as being held by an agency (Agency A) even if another agency (Agency B) holds the information—
(a) as agent for Agency A; or
(b) for the purpose of safe custody on behalf of Agency A; or
(c) for the purpose of processing the information on behalf of Agency A.
(2) For the purposes of this section, it does not matter whether Agency B—
(a) is outside New Zealand; or
(b) holds the information outside New Zealand.
If you compare clause 8 with what is now section 11 of the 2020 Act, you’ll see that the wording of section 11 now contains the overarching concept of one agency holding information “as an agent” for another agency. Section 3(4) of the 1993 Act and (arguably) the old clause 8 of the Privacy Bill didn’t do this. The current section 3(4) doesn’t require a principal-agent relationship as a necessary condition for all the circumstances it refers to. Rather, it refers to three specific scenarios, i.e., where an agency holds information (a) solely as agent, or (b) for the sole purpose of safe custody, or (c) for the sole purpose of processing it on behalf of another agency. A principal-agent relationship is required for (a), but not necessarily for (b) and (c) (and, in this context, I don’t read the words “on behalf of” in (c) as requiring a strict principal-agent relationship as known by the common law of agency).
At first glance, one might infer that the Select Committee change has had the effect of narrowing (unwittingly) the scope of what is now section 11 of the 2020 Act, or one might at least come to the conclusion that the change has created potential confusion as to the meaning of “agent” in clause 8(1). If a change in meaning was intended, this could affect agencies’ ability to rely on what is now section 11 when, for example, they use third party storage and processing services. Similarly, it is an important issue for the likes of cloud service providers and other outsourced service providers, both domestically and overseas. It is commonplace for the agreements they put in place, and indeed in contracts that government agencies put in place in these kinds of situations, to expressly exclude any form of principal-agent relationship.
Given the significance of this issue, it’s worth considering whether Parliament actually intended to change the meaning and scope of the provision in this regard.
Keep calm and carry on
Thankfully, it seems fairly clear that the change of language to clause 8 of the Privacy Bill (now section 11 of the Act) was only intended to simplify the language of the clause as originally introduced. It seems highly unlikely that Parliament intended to narrow its scope. There are two reasons for this view.
First, it seems fairly clear that the example given in section 11(1) (“for example, the information is held by A on behalf of B for safe custody or processing”) was intended to mirror what we see in the current section 3(4) of the 1993 Act. Second, it is clear that cloud storage and processing providers were intended to be covered by section 11. When the Justice Select Committee reported back on the Bill, the Committee said this (my emphasis):
Information that is stored or processed by one agency on behalf of another
Under clause 8, an agency would remain accountable for information held by another agency as its agent. This includes “cloud” providers and information sent overseas for storage or processing on behalf of an agency.
However, we believe a storing or processing agency that used or disclosed the information for its own purposes should also be accountable to the affected individual. We therefore recommend amending clause 8 to provide that, in such circumstances, both agencies would be treated as holding the information.
Cloud services should not be covered by the principles relating to overseas disclosure
We consider that the obligations in clause 19 of the bill as introduced, IPP 11(3) to (6) (which, for reasons to be discussed later, we recommend renaming to IPP 12), should not apply to an agency transferring information to a cloud storage provider or other overseas processor.
Under clause 8, the transferring agency would be treated as still holding the information and would be liable for any privacy breaches by the cloud service provider. Therefore, the transfer of data between the agency and the cloud service provider would not be a disclosure for the purposes of the IPPs.
For the avoidance of doubt, we recommend making this clear by inserting subclause (5) into clause 8.
If clause 8/section 11 applies to cloud service providers as clearly indicated in these excerpts, despite such providers often expressly excluding a principal-agent relationship, then logically the section must apply to other ‘processing’ scenarios where there is not necessarily a principal-agent relationship in narrow/orthdox terms.
For these reasons, in my view agencies should not be concerned about a narrowing in scope of the storage and processing aspects of the current section 3(4) as amended in section 11 of the 2020 Act. The wording of section 11(1) does require us to give a broad and fairly loose meaning to the word “agent” in section 11(1) but I suggest that’s what we need to do. Hopefully, in time, the wording of section 11 will be amended but, for now, I suggest we just ‘keep calm and carry on’.