Assurance guidance

Guidance on assurance provisions and requirements for agencies and third parties when implementing the information sharing standard.

This guidance is in development

This guidance will be updated based on your questions and feedback. If you would like anything added or clarified, email the Government Chief Digital Office (GCDO).

Email: gcdo@dia.govt.nz

Assurance provisions

Information sharing agreements must contain assurance provisions to assure the agency that the third party is collecting, accessing and using the personal information in the way that was agreed.

Assurance and reporting cycle

Ongoing agreements that do not have an agreed end date should include a regular assurance and reporting cycle.

The timing of a regular cycle is at the discretion of the agency and should be based on the risk assessment that was done before the information sharing agreement was established.

Information for assurance

Information is needed to report to the agency on assurance measures. These check that the agreement is operating properly.

Assurance reporting and measurement can include certain data types, for example:

  • the sensitivity of the personal information
  • the volume of the personal information accessed or collected
  • the frequency of the sharing between the agency and the third party
  • reporting on the intended use of the personal information by the third party.

Required assurance provisions

Some assurance provisions must be included in an information sharing agreement. What’s included is at the discretion of the agency and determined when setting up the agreement.

The assurance provisions depend on the agency understanding how the third party can provide the assurance the agency needs. Different third parties have different capabilities to provide assurance.

The following assurance provisions are all required.

Confirmation of compliance

An information sharing agreement clarifies how the agency asks the third party for confirmation of compliance with the agreement.

The agreement also details how the third party demonstrates that personal information is protected according to the agreement.

Documentation

Documents that record the information sharing activity need to provide evidence that sharing is happening properly.

An information sharing agreement:

  • clarifies how the third party maintains detailed records for compliance activities
  • includes the ability for the agency to access records held by the third party.

This ability should be limited to only what is necessary for the information sharing agreement.

Reporting

Third parties need to report on their compliance with the agreement. The agreement includes how they must do this.

Co-operation

When there is an incident or a privacy or security breach, the agency and the third party need to work together to:

  • notify the relevant authority
  • work to resolve the incident or breach
  • recover the information.

An information sharing agreement requires the third party to:

  • co-operate with the agency to assist in identifying any incident or breach related to the agreement
  • provide reasonable help with any response and investigation activity by the agency.

An agreement identifies the roles responsible for contact between the agency and the third party. Record roles rather than named people, so the contact points stay valid when staff change.

Dispute resolution

A dispute between an agency and a third party is never desired, but disputes can happen.

An information sharing agreement must have dispute resolution clauses to address what both parties can do if there is a dispute. These clauses include:

  • steps to ensure all reasonable efforts are made to resolve disputes
  • escalation pathways if disputes are not resolved initially.

Audit provisions

Audit is one of the tools to provide assurance that the information sharing agreement is operating properly.

Conducting an audit does not need to be the first tool an agency uses with a third party, but the agreement must include it so that it is available as an appropriate tool when needed.

An information sharing agreement must include audit provisions for the agency, including the ability to:

  • audit the third party’s handling of personal information
  • audit on request when the agency has reasonable grounds to suspect the third party has not complied with the agreement.

The information that is required for an audit should focus on what is relevant to the information sharing agreement. An agency may not need all the information that a third party holds to do an audit.

Office of the Privacy Commissioner’s guidance

Agencies should be familiar with the Office of the Privacy Commissioner’s guidance on:

  • working with third party providers
  • an agency’s ongoing responsibilities when sharing personal information
  • assurances that an agency may want from a third party.

Working with third-party providers — Office of the Privacy Commissioner

Contact us

For further information, to ask questions or give feedback, email the Government Chief Digital Office (GCDO).

Email: gcdo@dia.govt.nz
