Where your data is stored could impact your clients’ privacy

Posted on Nov 28, 2025 in IT policy, Legal, Security
Where your data is stored could impact your clients’ privacy

Why Data Location Still Matters for Your Clients’ Privacy in 2026

At recent legal technology events, we’ve continued to see data sovereignty emerge as a critical concern for New Zealand law firms. While cloud adoption has accelerated significantly over the past decade, the fundamental question remains: “where is my data stored?” According to recent guidance from the Privacy Commissioner, this question has become even more important as privacy laws worldwide have strengthened.

For law firms, client information remains their responsibility regardless of where it’s stored. While your cloud provider should have robust data handling obligations (always check your contract), the ultimate accountability still rests with your firm under New Zealand law.

The Privacy Act 2020 makes it clear that agencies – including law firms – remain responsible for personal information they outsource to service providers. This responsibility continues whether your provider operates locally or offshore. However, as soon as data crosses New Zealand’s borders, it becomes subject to the privacy, security, and intelligence laws of the destination country.

The complexity deepens when you consider that your primary data and backups may be stored in different jurisdictions. Each location subjects your clients’ information to different legal frameworks, some of which may conflict with New Zealand’s privacy requirements.

The New Zealand Law Society’s current guidance emphasises that lawyers must protect clients’ personal data and cannot compromise their statutory obligations when using cloud services. All cloud computing use must align with professional obligations under the Lawyers and Conveyancers Act and the Privacy Act 2020.

Essential Questions for Your Cloud Provider

Based on Privacy Commissioner guidance, here are the critical questions to ask any cloud provider:

  • In which specific countries is our data stored and processed?
  • What privacy laws apply in those jurisdictions, and how do they compare to New Zealand’s Privacy Act 2020?
  • Do these laws apply to our specific type of information and your business model?
  • How do you handle government requests for information? Will you notify us of any disclosure requests or requirements?
  • What are your data breach notification procedures and timeframes?
  • Where can clients lodge privacy complaints if issues arise?
  • Can you guarantee data will remain within specified geographic boundaries?

As Sue Boyle, General Manager at Preston Russell Law, notes: “Understanding exactly where our client data resides has become fundamental to our risk management approach. It’s not just about compliance – it’s about maintaining the trust our clients place in us.”

The digital landscape continues evolving rapidly, but the principle remains constant: know where your data lives, understand the legal implications, and ensure your cloud strategy aligns with your professional obligations.

Need help evaluating your current data storage arrangements or exploring compliant cloud solutions? Our team specialises in helping New Zealand law firms navigate these complex decisions while maintaining the highest standards of client confidentiality. Contact us to discuss your firm’s specific requirements.

Chris Drowley
General Manager, Resolve Technology
Outside the office, Chris runs a highly organised empire of model trains — where the schedules are always on time, unlike the real thing.

Need help with this?

Resolve Technology can help. Learn more about our Cyber Security Services and Privacy Impact Assessments services, or get in touch to discuss your needs.