Reading time: 5 minutes

The ways that businesses can store information now have changed dramatically over the past few decades. For example, locked filing cabinets and storage rooms full of customer information have become hard drives and remote servers online. Additionally, search and retrieval is easier with the greater connectivity that the internet brings. However, this also raises privacy issues when the information you store using technological means includes personal information. In particular, cloud services raise some privacy issues. Therefore, this article will explain whether privacy law impacts how you can use cloud services in New Zealand.

What Are Cloud Storage Services?

In your business context, cloud storage services are companies that run internet servers that can manage and store your digital data for you. Servers are computers or systems that can store and process substantial amounts of information, which these third party companies are in charge of. You will likely pay a regular fee to use a cloud computing service that will depend on:

  • how much information you want to store;
  • the security you want; and
  • the network speed.

For example, Google Drive manages a cloud service that you can use to store your business’ essential files.

Additionally, your contract with a third-party cloud service provider will dictate how they handle your business’ information, including its private data. You will be able to access the information that a cloud storage server holds through any network connection.

Benefits of Cloud Services

There are many benefits to utilising cloud computing services for your business, which can include: 

  • having information on-demand from anywhere with an internet connection;
  • allowing for greater work from home capabilities;
  • cybersecurity measures;
  • less need for a physical space for your business;
  • scalability for increasing your usage depending on business growth;
  • flexible fee options that scale depending on what storage you actually need; and
  • more storage capacity for your business’ information.

However, as with any system that operates on the internet, cloud servers do come with their own online security concerns. Most third-party services will offer cybersecurity systems to provide robust data protection. Despite this, you cannot completely eliminate the risk of a data breach, which you need to be mindful of when operating online.

Does the Privacy Act Apply to Cloud Storage Services?

Under the Privacy Act, personal information is any information that you can use to identify a living individual. Additionally, if your business deals with personal information, you are an agency under privacy law and must comply with its rules. Some of these rules have important implications for using cloud services, including the following:

  • storing information securely for only as long as necessary;
  • allowing access and corrections to personal information for your customers;
  • restrictions on what you can use personal information for; and
  • limits on who you can share personal information with.

In reference to cloud computing, privacy law dictates that you are responsible for any personal information you give to a cloud service provider. Despite the fact they are the ones storing it, you cannot pass off the responsibility of protecting your customers’ personal information. You will also need to meet other privacy obligations, such as data breach reporting.

For example, say that your cloud service provider experiences a data breach involving your business’ personal information. You are responsible for notifying any relevant parties, such as the affected parties and the Privacy Commission.

Therefore, it is crucial that you evaluate the security capabilities of the cloud service provider you engage to ensure they operate according to the law’s standard. They should adequately protect against:

  • misuse;
  • loss; and
  • unauthorised disclosure.

Using Cloud Services

Following this, your cloud service provider holds your business’ information as your agent for privacy purposes. Therefore, you need contractual safeguards to manage that relationship. For example, the table below sets out issues you should cover.

Data Ownership

Set out that you maintain ownership over your business’ data, including personal information. Your provider can only use the information for the reasons you specify.

Access and Retrieval

Determine methods for accessing customer information for information access requests.

Confidentiality and Security

Detail the security measures you expect and appropriate confidentiality measures, such as up to date encryption measures. You should also include specifications for particularly high risk or sensitive information.

Complying with Privacy Law

Ensure that your cloud service provider promises its compliance with the Privacy Act and any other applicable regulations.

Warranties and Indemnities

Set out disclaimers and limitations to protect your liability.

Data Breach Response

Work together to determine a response plan that meets the Privacy Act’s requirements.

Contract Termination

If you need to terminate your contract, specify what happens to the personal information the provider stores.

Most cloud servers will be overseas companies, but this will typically not qualify as a cross-border disclosure because they process personal information on your behalf. Therefore, you will not need to comply with regulations regarding sharing personal information with overseas parties. However, despite that fact, you still need to ensure they comply with the Privacy Act and any contractual measures you set.

Key Takeaways

You can use cloud services for your business’ personal information under privacy law. However, you need to ensure that your cloud service provider deals with personal data in accordance with the Privacy Act. If you would like more information or help with your business’ privacy management online, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What are cloud computing services?

Cloud computing services are a kind of storage service that you may engage to store your business’ online information. However, you typically pay a fee to a third-party company that depends on the kind of storage and security you want.

What is personal information?

Personal information is any data about an identifiable individual. Therefore, if you can use a piece of data to identify a living person, then it is personal information. For example, names and phone numbers are personal information.

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2019 Top 25 Startups - LinkedIn
  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2022 Law Firm of the Year Winner 2022 Law Firm of the Year - Australasian Law Awards