The Privacy Commissioner’s office has renewed a code aimed at protecting overseas transfer of processing done by computer services company EDS for public sector agencies.
It appears, however, to stop short of allowing the commissioner to take any action to prevent such a transfer.
Arrangements now in place replace the EDS Information Privacy Code, formulated in 1997. This expired at the end of June. It was itself a successor to the GCS Information Privacy code, which regulated the use of public sector data by GCS Ltd (the former Government Computer Services). EDS took over GCS in the mid-90s.
The new agreement provides that EDS (New Zealand) not transfer "identified information" out of New Zealand unless:
(a) the relevant "designated agency" authorises the transfer in writing; and
(b) before the authorisation takes effect, EDS produces to the Privacy Commissioner the authorisation together with a statement in writing specifying
(i) the country in which the information is to be processed; and
(ii) the safeguards proposed to ensure the security of the information in transit and in the course of processing.
Designated agencies include Auckland District Health Board, Department for Courts, Department of Corrections, Ministry of Social Development, Inland Revenue Department, Land Information New Zealand, Land Transport Safety Authority, Ministry of Justice, New Zealand Police and the Serious Fraud Office. "Identified information" means "information received by EDS in connection with an existing service that is deemed by virtue of subsection 3(4) of the Privacy Act 1993 to be held by a designated agency".
The provision covers only "existing services" — those which were being provided by GCS at October 1 1994, or its successors under new contracts.
The old agreement was in substantially the same terms, but was phrased specifically as an addition to Principle 5 of the Privacy Act, which covers security of private information.
An EDS spokeswoman says no qualifying services are being provided overseas today. "We take our privacy responsibilities very seriously, and would respect the letter and spirit of the agreement," she says.
Privacy commissioner Bruce Slane clearly views EDS's record in the same way. "There has been no tendency [by the company] to depart from the provisions," he says, "and we don't believe in legislating unnecessarily." Hence a less formal agreement has been put in place rather than extending the previous legal code.
The previous code and the present agreement do not bring in new government systems because the original measure was intended to apply not to EDS but to the specific systems handled by GCS when it was privatised. If the commissioner's office were to apply restrictions to EDS in its dealings with government agencies today, "we'd have to do it for a whole lot of other companies", Slane says.