Commencement date: 1 May 2023

Part 1: Preliminary

1. Parties to the MOU

1.1 The parties to this Memorandum of Understanding (MOU) are the Australian Information Commissioner (the AIC) and the Privacy Commissioner, New Zealand (the NZPC) (together the Parties ). In this MOU, the term ‘Party’ will mean either the AIC or the NZPC, as the context allows.

1.2 The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency established under the Australian Information Commissioner Act 2010 (Cth) (the AIC Act), responsible for regulating privacy law and freedom of information law, including relevantly, the Privacy Act 1988 (Cth) ( the Privacy Act AU). The OAIC is led by the AIC who is appointed by the Governor-General under section 14 of the AIC Act.

1.3 The NZPC is the New Zealand Privacy Commissioner as an independent Crown entity with statutory functions and powers under the Privacy Act 2020 ( Privacy Act NZ ), responsible for privacy regulation in New Zealand.

2. Purpose and function of the MOU

2.1 This MOU supports cross-border privacy law enforcement cooperation by enhancing and supporting information sharing between the Parties ( information sharing) , giving practical effect to the Organisation for Economic Cooperation and Development (OECD) Guidelines governing the protection of privacy and transborder flows of personal data.

2.2 In furtherance of the purpose expressed by clause 2.1, the provisions of this MOU are directed towards supporting:

  1. in respect of the AIC’s requirements, satisfaction of section 33A of the Privacy Act AU (refer to Part Two of this MOU); and
  2. In respect of the NZPC’s requirements, satisfaction of section 207 of the Privacy Act NZ (refer to Part Three of this MOU).

3. Scope of the MOU

3.1 This MOU does not create any enforceable rights or impose any legally binding obligations on either Party.

3.2 The MOU is not intended to be exhaustive in the subject matters within its scope. The Parties may enter into any other arrangements for cooperation and collaboration to the full extent permitted by the law.

3.3 Nothing in this MOU affects the exercise of the legislative functions, powers, duties or obligations of either Party.

4. Term of this MOU

4.1 This MOU commences on the date it is signed by the last party and continues unless it is terminated in accordance with clause 14.1.

Part 2: The AIC’s Information Sharing Requirements

5. Powers, functions and duties of the Parties

5.1 To comply with the requirements of section 33A, the AIC may only information share under this MOU for the purpose of either the:

  1. AIC exercising powers, or performing functions or duties, under the Privacy Act AU; or
  2. NZPC exercising its powers, or performing its functions or duties.

5.2 Accordingly, no information sharing may take place under this MOU unless either of the criteria in clause 5.1 are met.

5.3 The powers, functions and duties of the Parties relevant to the information sharing foreseen under this MOU are set out at clauses 5.5 and 5.6.

5.4 The Parties agree to:

  1. immediately notify each other should this MOU no longer accurately reflect the powers, functions and duties of the Parties relevant to the information sharing foreseen under it; and
  2. as soon as is practicable after having sent or received notification under clause 5.4 (a), cooperate to vary the MOU in accordance with clause 13 to accurately reflect the powers, functions and duties of the Parties.

AIC powers, functions and duties under the Privacy Act AU

5.5The AIC has:

  1. the information commissioner functions, the freedom of information functions and the privacy functions as those terms are defined in the AIC Act; and
  2. power to do all things necessary to be done for or in connection the functions listed in clause 5.5 (a).

NZPC powers, functions and duties

5.6The powers, functions and duties of the NZPC relevant to the information sharing foreseen under this MOU are set out in Appendix A.

6.Security arrangements of the NZPC

6.1To comply with the requirements of section 33A, the AIC may only information share under this MOU for where the AIC is satisfied on reasonable grounds that the NZPC has satisfactory arrangements in place for protecting the information or documents proposed to be shared.

6.2 Accordingly, no information sharing may take place under this MOU unless at least the standard criteria in Appendix B are met.

6.3 The NZPC agrees to:

  1. protect any information or documents shared with it under this MOU in accordance with the arrangements in both the standard criteria and the additional criteria, if any, in Appendix B;
  2. upon request by the AIC, provide evidence of ongoing compliance with clause 6.3 (a);
  3. immediately notify the AIC should this MOU no longer accurately reflect the arrangements put in place by the NZPC to protect information and documents shared under this MOU; and
  4. as soon as is practicable after notifying the AIC under clause 6.3 (c), cooperate to vary the MOU in accordance with clause 13 to accurately reflect the powers, functions and duties of the Parties.

7.Proactive information sharing by the AIC

7.1 The Parties agree that the AIC may proactively information share with the NZPC under this MOU.

7.2 Where the AIC proactively information shares under this clause 7, the AIC will:

  1. address all correspondence to the NZPC contact officer in Appendix C; and
  2. clearly record:
    1. that information or documents shared with the NZPC under this MOU was shared on the AIC’s own motion;
    2. the nature or kind of information or documents shared with the NZPC; and
    3. the purpose for which the information or documents were shared.

8.Information sharing requests by the NZPC

8.1 The Parties agree that the NZPC may request that the AIC share information or documents under this MOU ( an Information Sharing Request ).

8.2 The NZPC will:

  1. clearly express each Information Sharing Request as such; and
  2. address each Information Sharing Request to the contact officer of the OAIC in Appendix C.

8.3 Each Information Sharing Request must be:

  1. in writing; and
  2. contain:
    1. a sufficiently detailed description of the requested information or documents;
    2. the purpose for which the requested information or documents are sought; and
    3. to the extent that the NZPC seeks the requested information or documents to exercise its powers, or performing its functions and duties, the relevant power, function or duty.

9. NZPC’s use of shared information or documents

9.1 The NZPC agrees to only use information or documents shared with it under this MOU for the purpose for which it was shared.

9.2 If the NZPC is served with a binding legal order or requirement to provide information to a third party, and that information was obtained from the AIC under this MOU, the NZPC will:

  1. notify the AIC of the order or requirement as soon as practicable unless legally compelled not to do so; and
  2. to the extent practicable, consult with the AIC as to how to respond to the order or requirement.

Part 3: The NZPC’s Information Sharing Requirements

10. Basis for Disclosure to the AIC

10.1 Section 207 of the Privacy Act NZ is the lawful basis for disclosure by the NZPC to the AIC under this MoU.

10.2 Despite the obligation of secrecy under section 206 of the Privacy Act NZ, as the AIC meets the definition of an “overseas privacy enforcement authority”, the NZPC or his delegate may provide to the AIC any information or a copy of any document that the NZPC holds in relation to the performance of the NZPC’s functions, duties or powers under the Privacy Act NZ where the conditions of section 207(1)(b) are satisfied.

11. Conditions and Other Steps in Relation to Disclosure to the AIC

11.1 The applicable conditions for providing information to the AIC under section 207(1)(b) require that:

  1. the NZPC considers that providing the information may assist the AIC in the performance or exercise of the AIC’s functions, duties or powers under or in relation to the Privacy Act AU; or
  2. the NZPC considers that providing the information may enable the AIC to reciprocate with the provision of other related information that will assist the NZPC in the performance or exercise of the NZPC’s functions, duties or powers under the Privacy Act NZ.

11.2 The NZPC may impose any conditions that the NZPC considers appropriate in relation to the provision of any information or copy of any document under section 207(1), including conditions related to:

  1. the storage and use of, or access to anything provided; and
  2. the copying, return, or disposal of copies of any document provided.

Part 4: Miscellaneous Clauses

12. Confidentiality

12.1 Information sharing undertaken in accordance with this MOU is subject to all applicable confidentiality, secrecy and privacy requirements under the laws applicable to the Parties in their respective jurisdictions.

13. Variations

13.1 The Parties will monitor the operation of the MOU and review it as required.

13.2 Any term of this MOU may be varied at any time with the mutual written consent of each Party.

14. Termination of MOU

14.1 Either Party may terminate this MOU by giving at least 30 days' written notice to the other Party. The termination will take effect 30 days after the notice is sent, unless otherwise agreed, in writing, between the Parties.

15. Costs

15.1 Each Party agrees to bear its own costs in performing its functions under this MOU.

16.Claims or Complaints

16.1 The Parties agree to consult and cooperate with each other in the event of any complaint or claim made against a party relating to the use of information shared in accordance with this MOU.

17.Dispute Resolution

17.1 Where a dispute arises between the Parties regarding this MOU, the Parties will make reasonable attempts to resolve the dispute at the contact officer level.

18. Notices

18.1 Any notice in relation to this MOU is to be in writing and delivered to the contact officer specified in Appendix C.

18.2 A notice is deemed to be effected:

  1. if delivered by hand - upon delivery to the relevant address;
  2. if sent by post - upon delivery to the relevant address; or
  3. if transmitted electronically - upon actual receipt by the addressee.

18.3 A notice received after 5.00 pm, or on a day that is not a business day in the place of receipt, is deemed to be effected on the next business day in that place.

Signatures and Execution

Elizabeth MacPherson

Deputy Privacy Commissioner (Office of the New Zealand Privacy Commissioner)

Elizabeth Hampton

Deputy Commissioner (Office of the Australian Information Commissioner)

signed signed

Appendix A: NZPC powers, functions and duties

The powers, functions and duties of the NZPC relevant to this MOU are as follows.

Power, function or duty

Legislative or other authority

Enables the New Zealand Privacy Commissioner to exercise the powers, and carry out the functions and duties, conferred on the Commissioner by or under the Privacy Act 2020 or any other enactment

Section 17(1)a of the Privacy Act 2020

The power to inquire generally into any matter, including any other enactment or any law, or any practice or procedure, whether governmental or non-governmental, or any technical development, if it appears to the Commissioner that the privacy of individuals is being, or may be, infringed.

Within that, the specific powers include:

  • Section 87 – information and documents in relation to Investigations by Commissioner
  • Section 128 – information required to inform the issuance or variation of a Compliance Notice
  • Section 202 - enable the Commissioner to respond to inquiries from the public about personal information held by that agency
  • Section 203 – information to inform a formal inquiry under s17(1)(i)

Section 17(1)(i) of the Privacy Act 2020

Appendix B: NZPC arrangements to protect information or documents shared

The standard criteria are as follows.

Arrangement

Y/N

Have a secure ICT system and secure internet gateways in place.

Y

Store information or documents shared under this MOU separately to other documents.

Y

Limit access to information or documents shared under this MOU to those staff responsible for exercising the powers, functions or duties of the NZPC.

Y

Comply with the Information Security requirements under the Protective Security Policy Framework or another framework with at least as protective requirements.

Y

Notify the OAIC contact officer in the event there is a data breach involving information or documents shared under this MOU.

Y

Subject to other relevant legislative requirements, destroy or de-identify any information or documents shared under this MOU when they are no longer require for the purpose for which they were shared.

Y

OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia