One of the recommendations to emerge from the Privacy Commissioner’s Phase 1 inquiry into the Manage My Health breach (which we discuss further in this article) – appearing almost as an afterthought – could fundamentally reshape accountability under the New Zealand Privacy Act.
The Commissioner has recommended an amendment to the Privacy Act that would make third-party vendors directly liable for complying with Information Privacy Principle (IPP) 5, even when they are collecting, storing or processing personal information solely on behalf of a customer organisation.
The problem identified by the inquiry
Under section 11 of the Privacy Act, personal information stored or processed by a third-party vendor is deemed to be held by the organisation that engaged the vendor (the customer). The customer organisation therefore remains responsible for compliance with the IPPs, and accountable for the information being stored or processed on its behalf.
In the past, when vendors were performing relatively limited outsourced functions, the approach worked well. Today, however, many organisations rely on cloud providers, software-as-a-service platforms, managed service providers, AI vendors and specialist data processors that may have greater control over security settings than the customer itself.
The Commissioner noted that vendors increasingly play a central role in the storage, processing and sharing of personal information and are therefore attractive targets for malicious actors. Yet the current legal framework can make it difficult to hold those vendors directly accountable when security failures occur.
The inquiry concluded that organisations should not have to rely solely on contractual remedies when a vendor fails to implement appropriate security safeguards. Instead, the law itself should impose direct obligations on vendors.
The GDPR approach
The Commissioner’s report points to article 32 of the EU GDPR as a useful model. Article 32 requires both controllers and processors to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. Importantly, the obligation applies directly to processors. A processor cannot avoid responsibility simply because it is acting on behalf of a controller.
EU data protection authorities have taken enforcement action against cloud providers and technology companies where inadequate access controls, poor authentication mechanisms or insufficient monitoring exposed personal information to unauthorised access. This enforcement has created a clear market expectation: vendors do not treat security compliance as merely a contractual issue, because they know that regulators may investigate them directly.
What the change could mean in practice
This change could certainly drive better privacy and security practices overall, but it could also have unintended consequences that are less beneficial.
- It would better reflect modern technology ecosystems – In many cloud and SaaS environments, the vendor often controls significant aspects of security architecture, monitoring, patching and infrastructure. Assigning responsibility solely to the customer organisation may no longer reflect operational reality.
- It would incentivise vendors to do better – Vendors would know that inadequate security could expose them directly to compliance notices, investigations and reputational consequences regardless of what their contracts say. This could incentivise more investment in data protection.
- It would clarify, but could also confuse, accountability – Direct liability on vendors would make it clear that both parties have security obligations, but this could confuse the overall assessment of which party is ultimately responsible for managing (and notifying) a breach. Drafting would need to make clear that the change applies only in relation to IPP 5, not other parts of the Privacy Act (such as Part 6).
- It could speed up procurement processes – Organisations would have greater confidence that their vendors are subject to statutory security obligations, rather than relying entirely on negotiated contractual protections.
- However, it might reduce accountability in other ways – Organisations are currently required by IPP 5(b) to ensure that personal information is protected when being processed by a vendor. It is possible that this change could reduce an organisation’s due diligence efforts because of over-reliance on vendor liability.
- It might provide individuals with greater recourse – Individuals affected by a privacy breach would be able to complain to the Privacy Commissioner about both the customer organisation and the vendor. This might make a significant difference in some cases, though it could also create confusion for individuals.
This change will need care to get right
The Manage My Health inquiry may ultimately be remembered not only for its findings about a major health sector breach, but also for prompting a reconsideration of how privacy accountability is allocated in an era of cloud computing and outsourced data processing.
When coupled with a potential civil penalties regime for breaches of the IPPs, this change could significantly increase privacy risk for vendors. However, it could also cloud the landscape in relation to accountability and liability in some arrangements. As with the implementation of IPP 3A, we will need to take guidance and lessons from overseas to ensure that this change is drafted and applied in a way that meets its policy purpose while minimising unintended consequences.