Are you Gifting Personal Information?
Every day across New Zealand, organisations engage vendors to support their operations. In many cases, these vendors require access to personal information to deliver their services.
But one critical question is not asked often enough: “Is this vendor just acting on our instructions, or is it also using personal information for its own purposes?”
Under the Privacy Act 2020, this question goes to the heart of whether the vendor is acting as your agent or as an agency in its own right. Organisations often prefer to assume that a vendor is “just a processor”, but the reality is that many modern service providers do much more than simply follow instructions. If a vendor combines your data with data from its other clients, uses it to improve its own products, develop insights, or train models, or uses it to market additional services, then it is no longer acting only on your behalf. It is acting as another agency, effectively a controller in GDPR terms.
This distinction matters because when a vendor uses personal information for its own purposes, your organisation is no longer in a controller-to-processor relationship as defined in section 11 of the Privacy Act. Instead, you are engaged in a controller-to-controller disclosure.
In a controller-to-controller disclosure under Information Privacy Principle 11, you must be able to clearly justify the disclosure of personal information to that vendor. You must be satisfied that it is lawful, necessary, and proportionate, and that the purpose aligns with the reason the information was originally collected or falls within another permitted ground for disclosure.
In these situations, a standard contract is not enough. Instead, the relationship should be treated as a data sharing arrangement, with clear documentation of the purpose of the disclosure, the lawful basis for it, expectations around minimisation, security, and retention, and transparency with individuals through privacy notices. Both parties must be able to stand independently behind their right to collect and use the information. You cannot outsource accountability simply because a contract says the vendor is a “processor” when their activities clearly show otherwise.
Many popular platforms, particularly in advertising technology, behavioural analytics, artificial intelligence, risk profiling, data enrichment, and biometric processing, rely on using personal information not only to serve one client, but to feed their wider ecosystem. The details of this arrangement are usually buried in lengthy terms and conditions that are rarely read or fully understood at the procurement stage. Yet under the Privacy Act, if you disclose personal information to a vendor knowing (or where you could reasonably be expected to know) that it will use the information for its own purposes, you remain responsible for ensuring that the disclosure is lawful from the outset.
The consequences of getting this wrong can be significant. An individual may complain that their information was shared without proper authority. The organisation may be required to justify not only what data was shared, but why it was shared, and what steps were taken to confirm the receiving party’s role. Reputational damage can follow quickly, particularly if people feel their information has been monetised or repurposed without their knowledge or meaningful control.
This is why organisations must start treating vendor privacy assessments as more than a checklist exercise. It is not enough to ask, “Do you comply with the Privacy Act?” A better question is, “Do you use any of the personal information we provide to you for your own purposes, such as product development, analytics, benchmarking, training, or commercial benefit?” A vendor’s answer to that question will often tell you whether you are dealing with a true service provider or may in fact have a controller-to-controller relationship.
If the answer is yes, then the governance approach must change. The disclosure must be assessed as a disclosure under IPP 11. The risks must be clearly understood and accepted. Privacy statements should explain this type of sharing to individuals. And in some cases, consent may be required.
In a world where personal information has real commercial value, the idea that a vendor is “just processing data for us” is increasingly outdated. Modern organisations need to look beyond comforting labels and examine actual behaviours. When a vendor uses personal information for its own purposes, the relationship is no longer about outsourcing a service. It is about making a deliberate decision to share personal information with another controller, and that decision carries legal, ethical, and reputational consequences that cannot be ignored.