Information and data sharing requirements for suppliers

1. During the course of our relationship, we may nominate specific information tools that must be used to share information between us.

2. Information tool:

2.1. When you are supplying information to us, information tool means any mechanism, tool, or method we nominate for receiving information from you.

2.2. When you are uplifting information from us, the information tool means the relevant self-service open data portal within which we make information available for you to download.

3. We may change any information tool applicable to you at any time, and we will work with you to coordinate the timing for this change.

4. We will grant your nominated users with individual access credentials for the information tool. Access credentials are personal to your users. You must ensure that your users keep their individual access credentials secure at all times.

5. You must immediately notify us of any security breach that has compromised any of your users' access credentials or any device used to access our information tool.

6. We will provide reasonable support in connection with your use of any nominated information tool during usual business hours.

7. When sending information to us, you will:

7.1. submit all required information via the nominated information tool;

7.2. collect information for the agreed collection period (which may be one-off, recurring, or ad hoc);

7.3. ensure that all the information you provide us is:

7.31. in the format we have specified (for example, CSV/XML/XLS/PDF/DOCX/TXT);

7.32. in accordance with our nominated naming conventions; and

7.33. provided by the date and time we require for each collection period.

8. You warrant that all information you provide to us will be accurate, not otherwise misleading, and in accordance with any other specifications, we may require from time to time.

9. You acknowledge that the Council may be relying on the information you provide.

10. Where you collect more information than the Agreement requires, you will offer to supply that information to us free of charge.

11. If any information you send us does not meet the requirements of this information sheet or any Existing Information Terms, you agree to resend the information in the required form as soon as possible and at no additional cost to us.

12. If any resent information still does not meet the requirements of this information sheet or any Existing Information Terms, we may elect to fix that information (or engage a third party to do so). You agree to pay our reasonable costs to fix that information, which will be charged at an hourly rate. You acknowledge that we may deduct such costs from any fees we owe you.

13. If we agree to provide you with information —that is not already being done via a B2B system—then our preferred method for providing this information to you is via the Council nominated information tool.

14. We make no warranty or representation that any information that we provide to you will:

14.1. be compatible with your software or systems; or

14.2. meet any particular need or requirement of yours.

15. In the absence of any specific requirement around information transfer, we agree to:

15.1. make the information available for self-service download from the Council nominated information tool during usual business hours;

15.2. give you user access, including all access credentials, to the relevant information portal; and

15.3. classify all information according to our information management policy.

16. You agree to:

16.1. only use the information for its intended purpose under the Agreement;

16.2. comply with the Creative Commons Attribution 4.0 International (CC BY 4.0) License(external link),  where the information you access is the information we make generally available to the public. This license requires that you give appropriate credit to us for the source of the information you use and that you indicate where changes were made;

16.3. follow all of our directions, policies, and security requirements in order to keep the information safe and secure; and

16.4. let us know as soon as possible if you have trouble accessing the information or if you find any issues with the information’s quality.

17. You acknowledge that during the course of your engagement with us, we may develop efficiencies in the way information is shared between us. These efficiencies may lower your costs in providing your services to us. In the event such efficiencies are uncovered, you agree to work with us in good faith to review the fees charged for your services to take into account any cost or time savings.

18. If you access, collect, use, disclose, store, process, transfer or otherwise handle Personal Information during the course of your engagement with us (in scope personal information), you must:

18.1. comply with all applicable privacy laws and not do, or omit to do, anything that may cause us to breach our obligations under privacy law; and

18.2. assist us to comply with our obligations under privacy law relating to that in scope personal information, including (at your cost):

18.2.1. providing information necessary to demonstrate your compliance with clauses 18 to 2;

18.2.2. assisting us in responding to requests from individuals to exercise their rights; and

18.2.3. in relation to matters of information security, breach notification, impact assessments and consultation responsibilities.

19. You agree to comply with our reasonable requests and directions in respect of the collection, storage, security, handling, use, disclosure and deletion of in scope personal information. You agree to only process any in scope personal information to the extent necessary to perform your obligations in respect of your engagement with us.

20. You must not permit access to, transfer, disclosure or processing of in scope personal information:

20.1. to or by any third party; or

20.2. outside of New Zealand,

unless we have agreed to it in writing.  For the avoidance of doubt, any such approval shall not otherwise limit your obligations to us in respect of your processing of any in scope personal information.

21. In addition to any other information security requirements otherwise agreed between us (including as set out in this agreement), you must implement appropriate technical and operational security measures to protect against accidental or unlawful destruction, loss, alteration, misuse or unauthorised disclosure of, or access to in scope personal information, including implementing any security requirements prescribed by privacy law. To the extent of any conflict between data security requirements in this agreement and those otherwise agreed between us, the more stringent or higher level of security standard will apply.

22. You agree to notify us if you become aware of any actual or suspected accidental, unlawful or unauthorised destruction, loss, alteration, access to, disclosure of, or any breach of security relating to any in scope personal information, including any action that prevents you from accessing any in scope personal information on a temporary or permanent basis (in each case being a privacy breach) no later than 24 hours after becoming aware of such privacy breach.

23. As soon as practicable after becoming aware of a privacy breach you will:

23.1. take immediate action to stop the privacy breach, recover or restore any in scope personal information, and fix any vulnerabilities to prevent further privacy breaches.

23.2. provide us with the information we require for us to comply with our obligations under privacy law;

23.3. not disclose any information about the privacy breach (including to any government agency or affected individual) without our prior written consent (except where you are required to do so by privacy law, provided you notify us in advance and take into consideration our reasonable requests prior to making such disclosure); and

23.4. assist us with implementing our contingency plans and other mitigation activities relating to such privacy breaches.

24. You indemnify us and our related parties at all times against any loss, liability, damage, costs and expenses (including legal fees on a solicitor-client basis) suffered or incurred by us or our related parties in connection with any privacy breach caused or contributed to by you, your subcontractors, employees or any other third party engaged by you in connection with your services.

25. In this section on the processing of personal information:

25.1. Personal information has the meaning given in privacy law.

25.2. Privacy law means:

25.2.1. the Privacy Act 2020 and Privacy Regulations 2020 and all other applicable laws which relate to the privacy, protection or processing of personal information; and

25.2.2. any codes of practice, guidelines or information directives issued by the New Zealand Privacy Commissioner from time to time.

25.3. Processing means any operation or set of operations performed upon personal information or sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

25.4. Related parties means our related entities and organisations, including Council controlled organisations.

26. We own all information we hold and control. This includes all information that you collect or supply as part of your relationship with us unless otherwise negotiated.

27. In addition to this information sheet, you agree to comply with our other minimum information technology policies(external link) and minimum security policies(external link) published on our website and updated from time to time.

28. Your repeated or continued breach of this information sheet will constitute a material breach of your agreement with us.

29. If you breach the requirements of this information sheet, we may take enforcement action against you. This may include claiming service credits from you.