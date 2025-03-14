New research just out from Kordia shows 35% of business leaders said cyber-attacks or data leaks coming through third-party suppliers were their biggest business concern.

Privacy Commissioner Michael Webster says, "The law is very clear that when an agency outsources services to a third-party provider, the agency remains responsible for ensuring the data remains secure and used in a way that is compliant with the Privacy Act.

"At the end of the day, if your third-party provider has a privacy breach, it’s your problem as well," he said.

Mr Webster says OPC isn’t alone in emphasising that privacy and security considerations need to be at the fore when using third-party providers.

"Kordia’s research backs up what we’ve long said; that businesses need to factor third parties into business continuity and cyber-response plans.

"It’s clear that more consideration needs to be given to the privacy issues and it’s not a case of out of sight out of mind and thinking a third-party provider has everything covered.

"You can’t outsource the responsibility of taking care of personal information."

Mr Webster, says it’s not just an issue for the private sector, with the recent PSC Inquiry and the Stats NZ report raising privacy issues linked to the use of third parties.

"This research is yet more evidence that agencies need to pay more attention to privacy and cyber security risks when using third party providers and to make sure there’s a plan in place should that provider suffer a privacy or cyber breach."

The Office of the Privacy Commissioner has recently issued guidance to help agencies working with third-party providers understand their responsibilities in this area. It takes businesses through all the considerations they should make before engaging a third-party provider.

