How New Zealand and Australian businesses keep offshored data compliant — ISO 27001:2022, the NZ Privacy Act 2020, and the Australian Privacy Principles, explained plainly.
ISO 27001:2022 is the current international standard for an Information Security Management System (ISMS). Certification means an accredited external auditor has verified that controls exist, are documented, and are continually improved — across people, process and technology, not just IT.
Information Privacy Principle 12 governs disclosing personal information to a recipient outside New Zealand. It is permitted where the overseas recipient is required to protect the information with safeguards comparable to the Act — for example through certification and contractual obligations. An ISO 27001:2022-certified provider with NZ-led management and clear data terms is built to meet this test.
APP 8 covers cross-border disclosure of personal information. The disclosing entity generally remains accountable for the overseas recipient's handling of the data, so it must take reasonable steps to ensure the recipient complies. Certified security controls plus contractual data-handling provisions are the practical way Australian businesses discharge that responsibility.
Most offshore providers in the region cannot demonstrate independent certification. The difference shows up the moment your security or procurement team sends a questionnaire.
| What your reviewer asks | ISO 27001:2022 provider (PCS) | Uncertified provider |
|---|---|---|
| Independent security audit? | Yes — accredited certification | Self-attestation only |
| Documented ISMS & controls? | Yes — full control set | Usually informal |
| Answers privacy questionnaires? | From an existing evidence pack | Built ad hoc, slowly |
| Supports IPP 12 / APP 8 review? | Designed to | Case by case |
| NZ-led accountability? | Yes — NZ-founded, NZ-managed | Often offshore-only |
Generally yes, with appropriate safeguards. Under the NZ Privacy Act 2020 (IPP 12) you may disclose personal information overseas where the recipient has comparable safeguards; under the Australian Privacy Principles (APP 8) you remain accountable for the recipient's handling. An ISO 27001:2022-certified provider with contractual data terms helps satisfy both. This is general information, not legal advice.
It means an accredited external body has audited the provider's information-security management system — access control, encryption, device management, incident response, personnel security and continual improvement. PCS Global holds this certification across its Fiji delivery operation.
Yes. PCS works under confidentiality and data-handling terms appropriate to each engagement — including NDAs and data-processing provisions — backed by its ISO 27001:2022-certified controls.
Work is performed in the PCS-managed, access-controlled delivery centre in Suva, Fiji, on managed devices and a secured network — not from unmanaged home setups unless explicitly agreed and secured.
Yes. We provide certification evidence and complete standard security questionnaires as part of onboarding.
We'll complete it from our existing ISO 27001:2022 evidence pack and walk your team through our controls.