Business Associate Agreement (New Zealand)
Privacy Act 2020
BUSINESS ASSOCIATE AGREEMENT
Privacy Act 2020 — New Zealand
This Agreement is made on [Agreement Date] between:
[Principal Name] (NZBN [Principal NZBN]), of [Principal Address] (the "Principal"); and
[Associate Name] (NZBN [Associate NZBN]), of [Associate Address] (the "Associate").
1. SCOPE OF SERVICES
1.1 The Associate will provide the following services: [Services Description]
1.2 In providing those services, the Associate will process the following personal information on behalf of the Principal: [Data Types]
1.3 The purpose of processing is: [Processing Purpose]
1.4 Term: [Agreement Term].
2. PRIVACY ACT 2020 OBLIGATIONS
2.1 The Associate must handle all personal information in accordance with the Privacy Act 2020 and the Information Privacy Principles (IPPs), including:
- IPP 5 (storage and security): protect information against loss, misuse, or unauthorised access;
- IPP 10 (limits on use): use information only for the purpose for which it was disclosed;
- IPP 11 (limits on disclosure): not disclose information to third parties without the Principal's consent.
2.2 If the services involve health information, the Associate must also comply with the Health Information Privacy Code 2020.
3. SECURITY
3.1 The Associate must implement and maintain [Security Standard] to protect the personal information processed under this Agreement.
3.2 Sub-contractors: [Subcontractors Allowed]. Where permitted, the Associate must ensure sub-contractors are bound by equivalent privacy obligations.
3.3 The Associate must conduct regular security assessments and provide results to the Principal on request.
4. BREACH NOTIFICATION
4.1 The Associate must notify the Principal [Breach Notification Period] of any actual or suspected privacy breach, providing sufficient detail to enable the Principal to assess whether the breach is a notifiable privacy breach under section 113 of the Privacy Act 2020.
4.2 The Principal is responsible for notifying the Office of the Privacy Commissioner and affected individuals as required by the Privacy Act 2020.
4.3 The Associate must cooperate with the Principal in investigating and remedying any privacy breach.
5. DATA RETENTION AND RETURN
5.1 On termination of this Agreement, the Associate must return all personal information to the Principal in a standard format within 20 working days, and securely delete all copies from its systems.
5.2 The Associate must retain data for [Retention Period] where required by law.
6. AUDIT AND INDEMNITY
6.1 The Principal may audit the Associate's privacy compliance with 10 working days' notice.
6.2 The Associate indemnifies the Principal against all losses arising from the Associate's breach of the Privacy Act 2020 or this Agreement.
6.3 This Agreement is governed by the laws of New Zealand.
SIGNED:
For [Principal Name]: ______________________________ Date: [Agreement Date]
For [Associate Name]: ______________________________ Date: [Agreement Date]
What Is a Business Associate Agreement (New Zealand)?
A Business Associate Agreement in New Zealand records the data handling to be provided, the fees, the service standards, and each party's obligations between the provider and the client under the Companies Act 1993.
When Do You Need a Business Associate Agreement (New Zealand)?
A Business Associate Agreement is needed whenever parties in New Zealand wish to formalize their arrangement regarding business operations, corporate governance, and commercial transactions. There are numerous situations in which this document becomes essential for protecting the interests of all involved parties.
In a business context, you may need a Business Associate Agreement when entering into new commercial relationships, when formalizing existing arrangements that have previously been informal, when expanding your business operations, or when restructuring existing agreements. Companies registered with the Companies Office should confirm proper documentation is maintained for all significant business transactions.
You should also consider using a Business Associate Agreement when there has been a change in circumstances that affects an existing arrangement, when you need to comply with new regulatory requirements, when you wish to update outdated documentation, or when professional advisors recommend formalizing certain aspects of your affairs. In New Zealand, maintaining current and accurate legal documentation is considered standard practice and can help prevent costly disputes.
It is generally advisable to prepare a Business Associate Agreement before any issues arise, rather than trying to document terms after a dispute has already begun. Proactive documentation provides clarity and reduces the potential for misunderstandings. If you are unsure whether you need this document for your specific situation in New Zealand, consulting with a qualified legal professional can provide guidance tailored to your circumstances.
The timing of executing a Business Associate Agreement is also important. In New Zealand, certain documents must be executed before specific actions are taken or within prescribed time periods to be effective. Delaying the preparation of necessary legal documents can result in complications, lost rights, or additional costs. Therefore, it is recommended to prepare this document as early as possible once the need has been identified.
What to Include in Your Business Associate Agreement (New Zealand)
A well-drafted Business Associate Agreement for use in New Zealand should contain several essential elements to confirm it is legally effective and provides adequate protection for all parties.
Party Identification: The document should clearly identify all parties involved, including their full legal names, addresses, and relevant identification numbers. For individuals in New Zealand, this may include identity card or passport numbers. For companies, registration numbers and registered addresses should be specified. Clear identification prevents disputes about who is bound by the agreement.
Recitals and Background: The document should include background information explaining the context and purpose of the arrangement. This helps establish the parties' intentions and can be important in interpreting the terms of the document if any ambiguity arises later. The recitals section provides valuable context for the operative provisions that follow.
Operative Terms: The core terms and conditions should be set out clearly and thoroughly. This includes the rights and obligations of each party, any conditions or prerequisites, the duration of the arrangement, and any limitations or restrictions. All key terms should be defined precisely to avoid ambiguity and potential disputes.
Payment and Financial Terms: Where applicable, the document should specify any payments, fees, deposits, or other financial considerations. The amounts, currency (NZD), payment schedules, and methods of payment should be clearly stated. Any provisions for late payment, interest charges, or adjustments should also be included.
Term and Termination: The document should specify its duration, including the start date, end date or conditions for expiry, and any provisions for renewal or extension. The circumstances under which either party may terminate the arrangement early should be clearly defined, along with any notice requirements and the consequences of termination.
Dispute Resolution: The document should include provisions for resolving any disputes that may arise, such as negotiation, mediation, arbitration, or litigation. In New Zealand, parties may choose to specify the jurisdiction of New Zealand courts and the applicable law. Including a clear dispute resolution mechanism can save significant time and expense if disagreements occur.
Governing Law and Jurisdiction: The document should specify that it is governed by the laws of New Zealand and that disputes shall be subject to the jurisdiction of New Zealand courts. This is particularly important in cross-border transactions or where parties are based in different jurisdictions.
Signatures and Execution: The document must be properly signed by all parties or their authorised representatives. In New Zealand, certain documents may need to be witnessed, notarised, or executed as deeds to be legally effective. The date of execution should be clearly recorded, and each party should retain an original signed copy for their records.
The forms-legal.com Business Associate Agreement (New Zealand) provides a ready-to-use template that meets New Zealand legal requirements.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Business Associate Agreement (New Zealand) (New Zealand) [Legal document template]. Forms Legal. https://forms-legal.com/new-zealand/business/contracts/business-associate-agreement-new-zealand
"Business Associate Agreement (New Zealand) (New Zealand)." Forms Legal, 2026, https://forms-legal.com/new-zealand/business/contracts/business-associate-agreement-new-zealand.
Frequently Asked Questions
A Business Associate Agreement (BAA) is a contract between a business that holds personal or health information (the principal agency) and a service provider (the business associate) that processes that information on the principal's behalf. In New Zealand, there is no specific statutory term 'business associate agreement' — the concept derives from the US HIPAA framework. However, the Privacy Act 2020 requires that New Zealand agencies take reasonable steps to protect personal information from unauthorised access, use, or disclosure, which includes ensuring that contractors and service providers who process personal information on the agency's behalf are bound by appropriate contractual obligations. The Privacy Act 2020 imposes obligations on 'agencies' — any person or organisation that holds personal information. Where an agency outsources data processing (e.g. cloud hosting, payroll processing, analytics), the agency remains responsible for the security of that information and should have a written agreement with the processor setting out data handling obligations.
The Privacy Act 2020 contains 13 Information Privacy Principles (IPPs) that apply to all agencies holding personal information in New Zealand. A Business Associate Agreement should address the following key obligations: IPP 5 (storage and security) — the business associate must protect personal information against loss, misuse, or unauthorised access; IPP 10 (limits on use) — the associate must only use the information for the purpose for which it was disclosed; IPP 11 (limits on disclosure) — the associate must not disclose the information to third parties without the principal's consent; and IPP 12 (unique identifiers) — the associate must not use personal identifiers (such as IRD numbers) unless authorised. The Privacy Act 2020 also requires agencies to notify the Office of the Privacy Commissioner (OPC) and affected individuals in the event of a notifiable privacy breach — a breach that is reasonably likely to cause serious harm. The BAA should specify the business associate's obligations to notify the principal promptly of any privacy breach so the principal can meet its statutory notification obligations within the required timeframe.
Health information is a special category of personal information in New Zealand, subject to heightened protection under the Health Information Privacy Code 2020 (HIPC), issued under the Privacy Act 2020. The HIPC imposes stricter obligations on health agencies (including health service providers, ACC, health insurers, and their contractors) in relation to the collection, use, storage, and disclosure of health information. Rule 5 of the HIPC requires health agencies to take reasonable steps to protect health information against loss, misuse, or unauthorised access. The HIPC also has specific rules about the retention of health information, patients' rights of access to their own health records, and the disclosure of health information to third parties. A Business Associate Agreement for a service provider who handles health information (e.g. a cloud storage provider for a medical practice, or a billing processor for a health insurer) must reflect the requirements of the HIPC in addition to the Privacy Act 2020. New Zealand health agencies are also subject to the Code of Health and Disability Services Consumers' Rights, which gives consumers rights in relation to their health information.
If a business associate suffers a privacy breach involving personal information held on behalf of a New Zealand agency, the consequences may include: a complaint to the Office of the Privacy Commissioner (OPC) by an affected individual; an investigation by the OPC; a Human Rights Review Tribunal proceeding; and significant reputational damage. Under the Privacy Act 2020, the OPC may issue compliance notices requiring the agency (and by extension its associates) to comply with the Privacy Act. If the matter proceeds to the Human Rights Review Tribunal, the tribunal may award compensation for interference with privacy. The Privacy Act 2020 also creates a criminal offence for providing false or misleading information to the OPC (s 212). From a contractual perspective, the principal agency may have a claim against the business associate for breach of contract if the BAA requires the associate to comply with the Privacy Act and the associate fails to do so. The BAA should include an indemnity provision requiring the business associate to indemnify the principal against losses arising from the associate's breach of its data protection obligations.
A Business Associate Agreement (New Zealand) does not legally require a lawyer in New Zealand, and individuals and businesses may draft and execute the document independently. The Companies Act 1993 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified New Zealand lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The High Court of New Zealand has jurisdiction over disputes arising from this type of document, and Companies Office may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Affiliate Agreement (New Zealand)
Create an Affiliate Agreement for New Zealand online businesses governed by the Contract and Commercial Law Act 2017 and Fair Trading Act 1986. Covers commission structure, tracking links, cookie duration, payment threshold, prohibited content, disclosure requirements, brand guidelines, and termination provisions.
Agency Agreement (New Zealand)
Create an Agency Agreement for New Zealand governed by the Contract and Commercial Law Act 2017 (CCLA), the Fair Trading Act 1986 (FTA), the Consumer Guarantees Act 1993 (CGA), and the Employment Relations Act 2000. This template covers exclusive or non-exclusive agency appointments, territory, scope of authority, commission structure, del credere obligations, GST at 15%, principal's and agent's obligations, intellectual property, sub-agency, restraint of trade, Privacy Act 2020 compliance, dispute resolution through AMINZ, and termination.
Arbitration Agreement (New Zealand)
Create a New Zealand Arbitration Agreement governed by the Arbitration Act 1996 (based on the UNCITRAL Model Law). This template covers the scope of arbitration, AMINZ or ad hoc arbitration rules, seat of arbitration, number of arbitrators, appointment method, kompetenz-kompetenz principle, confidentiality, arbitral award enforceability, and governing law for commercial, construction, and international disputes.
Barter Agreement (New Zealand)
Create a New Zealand Barter Agreement (contra deal) for the exchange of goods or services without cash. Compliant with the Contract and Commercial Law Act 2017 (CCLA), Goods and Services Tax Act 1985, Consumer Guarantees Act 1993, and Fair Trading Act 1986. Covers agreed market valuations for GST purposes, delivery obligations, cash balancing payments, quality warranties, non-performance remedies, confidentiality, and Privacy Act 2020 obligations. Suitable for businesses and individuals exchanging services across New Zealand.