New Zealand Data Privacy

Overview

New Zealand customers can run their applications and workloads in the Asia Pacific (Sydney) Region to reduce latency to the customer's end-users based in Australia and New Zealand while avoiding the up-front expenses, long-term commitments, and scaling challenges associated with maintaining and operating their own infrastructure.

The main requirements for handling personal information are set out in the Information Privacy Principles (“IPPs”) which are part of the Privacy Act. The IPPs impose requirements for collecting, managing, using, disclosing and otherwise handling personal information collected from individuals in New Zealand.

The Privacy Act recognises a distinction between principals and agents. Where an entity (the agent) holds personal information for the sole purpose of storing or processing personal information on behalf of another entity (the principal) and does not use or disclose the personal information for its own purposes, the information is deemed to be held by the principal. In those circumstances, primary responsibility for compliance with the IPPs will rest with the principal. For the full table on IPP requirements, click here.

• What is the customer’s role in securing their content?

  Under the AWS Shared Responsibility Model, AWS customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site data center. Customers can build on the technical and organizational security measures and controls offered by AWS to manage their own compliance requirements. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features like AWS Identity and Access Management.

  When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:

  • Security measures that AWS implements and operates - "security of the cloud", and
  • Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services - "security in the cloud"

  

• Who can access customer content?

  Customers maintain ownership and control of their customer content and select which AWS services process, store and host their customer content. AWS does not have visibility into customer content and does not access or use customer content except to provide the AWS services selected by a customer or where required to comply with the law or a binding legal order.

  Customers using AWS services maintain control over their content within the AWS environment. They can:

  • Determine where it will be located, for example the type of storage environment and geographic location of that storage.
  • Control the format of that content, for example plain text, masked, anonymized or encrypted, using either AWS provided encryption or a third-party encryption mechanism of the customer’s choice.
  • Manage other access controls, such as identity access management and security credentials.
  • Control whether to use SSL, Virtual Private Cloud and other network security measures to prevent unauthorized access.

  This allows AWS customers to control the entire life-cycle of their content on AWS and manage their content in accordance with their own specific needs, including content classification, access control, retention and deletion.

• Where will customer content be stored?

  AWS data centers are built in clusters in various locations around the world. We refer to each of our data center clusters in a given location as a "Region."

  AWS customers choose the AWS Region(s) where their content will be stored. This allows customers with specific geographic requirements to establish environments in the location(s) of their choice.

  For example, while AWS does not currently have a Region in New Zealand, AWS customers in New Zealand can choose to deploy their AWS services exclusively in the Asia Pacific (Sydney) Region and store their content offshore in Australia. If the customer makes this choice, their content will be located in Australia unless the customer chooses to move that content.
  

  Customers can replicate and back up content in more than one Region, but AWS does not move customer content outside of the customer’s chosen Region(s), except to provide services as requested by customers or comply with applicable law.
  

• How does AWS secure its data centers?

  The AWS data center security strategy is assembled with scalable security controls and multiple layers of defense that help to protect your information. For example, AWS carefully manages potential flood and seismic activity risks. We use physical barriers, security guards, threat detection technology, and an in-depth screening process to limit access to data centers. We back up our systems, regularly test equipment and processes, and continuously train AWS employees to be ready for the unexpected.

  To validate the security of our data centers, external auditors perform testing on more than 2,600 standards and requirements throughout the year. Such independent examination helps ensure that security standards are consistently being met or exceeded. As a result, the most highly regulated organizations in the world trust AWS to protect their data.

  Learn more about how we secure AWS data centers by design by taking a virtual tour »

• Which AWS Regions can I use?

  Customers can choose to use any one Region, all Regions or any combination of Regions. Visit the AWS Global Infrastructure page for a complete list of AWS Regions.

• What security measures does AWS have in place to protect systems?

  The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Amazon's scale allows significantly more investment in security policing and countermeasures than almost any large company could afford on its own. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers and APN Partners, including security configuration controls, for the handling of personal data. More details on the measures AWS puts in place to maintain consistently high levels of security can be found in the AWS Overview of Security Processes Whitepaper.

  AWS also provides several compliance reports from third-party auditors who have tested and verified our compliance with a variety of security standards and regulations - including ISO 27001, ISO 27017, and ISO 27018. To provide transparency on the effectiveness of these measures, we provide access to the third party audit reports in AWS Artifact. These reports show our customers and APN Partners, who may act as either data controllers or data processors, that we are protecting the underlying infrastructure upon which they store and process personal data. For more information, visit our Compliance Resources.
  

• What about the New Zealand Notifiable Data Breaches (NDB) Scheme?

  AWS offers two types of New Zealand Notifiable Data Breaches (NZNDB) Addenda to customers who are subject to the New Zealand Privacy Act and are using AWS to store and process personal information covered by the NDB scheme. The NZNDB Addenda address customers' need for notification if a security event affects their data. AWS has made both types of NZNDB Addenda available online as click-through agreements in AWS Artifact (the customer-facing audit and compliance portal that can be accessed from the AWS management console). The first type, the Account NZNDB Addendum, applies only to the specific individual account that accepts the Account NZNDB Addendum. The Account NZNDB Addendum must be separately accepted for each AWS account that a customer requires to be covered. The second type, the Organizations NZNDB Addendum, once accepted by a master account in AWS Organizations, applies to the master account and all member accounts in that AWS Organization. If a customer does not need or want to take advantage of the Organizations NZNDB Addendum, they can still accept the Account NZNDB Addendum for individual accounts. NZNDB Addendum frequently asked questions are available online at AWS Artifact FAQ.