Are They a Controller or a Processor?
The terms “controller” and “processor” come from the GDPR, but they are now widely used globally, including in New Zealand, to describe how organisations relate to each other in respect of personal information.
A controller is the organisation that determines why and how personal information is collected and used. It holds primary accountability for what happens to that information, including providing privacy notices, handling access requests, and reporting notifiable privacy breaches.
A processor, on the other hand, is an organisation that processes personal information on behalf of a controller. It acts only on the controller’s instructions and must not use or disclose the information for its own purposes. In New Zealand, processors are often referred to as agents, and under section 11 of the Privacy Act 2020 personal information held by an agent is treated as held by the principal rather than by the agent.
Understanding the relationship between the parties is especially important when it comes to indirect collection — that is, receiving personal information from a third party rather than directly from the individual.
If the third party is acting as your processor, the new IPP3A provisions on indirect collection do not apply. The processor is handling the information on your behalf, so receiving it from them is not a “collection” under the Privacy Act.
However, if both parties are controllers (and not joint controllers), the position is different. That arrangement points to a potential indirect collection by your organisation and a disclosure by the other. Where data flows in both directions, both organisations may be treated as having collected information indirectly, triggering obligations for each.
Under IPP3A, if you receive personal information from another controller, you may need to give the individuals concerned a privacy notice, unless one of the recognised exceptions applies (for example, where the individual has already been informed, or where notification would prejudice a regulatory function).
A practical first step is to review every contract under which personal information is shared with or received from another organisation. Make sure each one states clearly whether the relationship is controller–controller or controller–processor. That distinction tells you which arrangements could amount to indirect collection and where you need to take further steps to meet your obligations under IPP3A.