SecurityPolicy.com.au
Home/ New Zealand/ AI, Privilege and Method/ AI, Client Data and Legal Privilege in New Zealand: A Clean-Room Approach
New Zealand AI, Privilege and Method Law Reviewed 2026-07-13

AI, Client Data and Legal Privilege in New Zealand: A Clean-Room Approach

13
Information Privacy Principles that can apply across the AI data life cycle
ss 54 and 56
Evidence Act provisions for legal advice and litigation privilege
Rule 8
Professional duty requiring lawyers to protect client information in strict confidence
7 Dec 2023
Date of the current New Zealand court GenAI guidelines for lawyers and non-lawyers
Why this guide exists

High-demand emerging-law guide: professionals want the productivity benefits of AI but need a practical method for reducing privacy, confidentiality, privilege and court-process risks when client information is involved.

Can New Zealand professionals use AI on client and personal information safely, and what problem does a "clean room" approach solve?

New Zealand professionals can use AI for appropriately assessed work, but no tool, subscription tier or consent form makes every use safe or lawful. The Privacy Act 2020 applies when personal information is placed into prompts, source documents, retrieval systems or outputs. Lawyers and other regulated professionals may also owe confidentiality, competence, privilege and court-related duties. In this guide, a "clean room" is a risk-reduction method: minimise or de-identify the source material; use only approved accounts and tools; isolate each client or matter; prohibit provider training and unrelated reuse; restrict human and technical access; control retention and deletion; and keep evidence of what happened. It is not the advertising-technology arrangement commonly called a data clean room. The method reduces unnecessary disclosure, cross-matter contamination and loss-of-control risks, but it is not a statutory safe harbour and cannot guarantee that privilege survives, consent is valid or a particular use complies with every professional duty.

How this differs by situation
  • Professionals using approved AI — Use may be possible where purpose, information, tool, legal duties and human review have been assessed.
  • Clean-room method — Minimise, isolate, restrict, monitor and delete data within a documented controlled workflow.
  • Public or unapproved AI tools — Do not enter client, confidential, privileged or personal information where retention, training, access and onward use are not controlled.
PUT THIS IN YOUR POLICY, EXACTLY

Client, personal, confidential or potentially privileged information may be used with AI only through an approved clean-room workflow. The workflow must minimise the information, isolate the client or matter, use an approved tool and account, prohibit model training and unrelated provider use, restrict access, apply defined retention and deletion, and preserve an audit record. Clean-room approval reduces risk but does not guarantee privacy compliance, confidentiality, privilege or accuracy, and it does not remove the requirement for professional judgement and human review.

Privacy Act 2020 — how do IPP 5, IPP 10/11 and IPP 12 apply to putting personal information into an AI tool? (include section 11 agent point)

IPP 5 requires reasonable safeguards for personal information placed into or generated by an AI system, including account security, access control, configuration, encryption, logging, supplier security and protection against unauthorised training or disclosure. IPP 10 generally limits use to the purpose for which the information was obtained, subject to its listed exceptions. IPP 11 generally restricts disclosure to an AI provider or another party unless the original purpose, authorisation or another exception permits it. Section 11 is important where a provider solely stores or processes information as the agency's agent: the information is generally treated as held by the New Zealand agency, not disclosed to the processor for its own purposes, and the agency remains responsible. If the provider uses the information for model training, product improvement, advertising, independent analytics or another purpose of its own, section 11 may treat both organisations as holding it and IPP 11 must be assessed. IPP 12 applies when personal information is disclosed to a foreign person or entity and requires a permitted basis such as comparable safeguards, contractual safeguards or informed authorisation. Overseas storage or processing by a genuine section 11 agent is not automatically an IPP 12 disclosure, but location, foreign access, subprocessors and independent provider rights still require careful review.

How this differs by situation
  • Security and permitted use — IPP 5 protects prompts, source data and outputs; IPP 10 limits use for new AI purposes.
  • Provider acting solely as agent — Section 11 can treat information as held by the customer, but responsibility remains with that customer.
  • Independent or overseas recipient — Assess IPP 11 and, where information is disclosed overseas, establish an IPP 12 pathway.
PUT THIS IN YOUR POLICY, EXACTLY

Before personal information is entered into an AI system, we will document the permitted purpose under IPP 10, the security safeguards required by IPP 5, and whether the provider is acting solely as our section 11 agent or may use or disclose the information for its own purposes. Any disclosure to an overseas recipient must have a documented IPP 12 basis. Provider access, model training, product improvement, human review, subprocessors and foreign data locations must be expressly assessed rather than assumed.

Legal professional privilege and AI — how can using an AI tool risk waiver under the Evidence Act 2006, and how does isolation/minimisation reduce it?

Section 54 of the Evidence Act 2006 protects qualifying confidential communications between a person and a legal adviser made for obtaining or providing professional legal services. Section 56 protects qualifying communications, information and materials made, received, compiled or prepared for the dominant purpose of preparing for a proceeding or an apprehended proceeding. Privilege belongs to its holder, ordinarily the client, rather than being the lawyer's information to release freely. Section 65 provides for express or implied waiver, including disclosure or conduct inconsistent with maintaining confidentiality. Uploading privileged material to an external AI provider does not automatically produce the same legal result in every case, but risk increases where terms permit provider training, human review, onward disclosure, broad retention or independent use. A clean room reduces that risk by using the minimum necessary extract, replacing identities and matter details, restricting the provider contractually to processing on behalf of the professional, isolating matters, limiting access, disabling training, controlling deletion and preserving evidence of confidentiality measures. These controls support, but do not guarantee, a conclusion that confidentiality and privilege were maintained. Client authorisation may reduce confidentiality risk but can itself affect privilege analysis and should not be treated as a universal cure.

How this differs by situation
  • Legal advice privilege — Section 54 protects qualifying confidential lawyer-client communications for professional legal services.
  • Litigation privilege — Section 56 protects qualifying material created for the dominant purpose of preparing for actual or apprehended proceedings.
  • Waiver-risk reduction — Minimise disclosure, preserve confidentiality, restrict the provider and document the controls, without promising privilege will survive.
PUT THIS IN YOUR POLICY, EXACTLY

Potentially privileged material must not be entered into an AI tool unless a matter-specific privilege assessment has been completed and the approved clean-room controls are operating. Only the minimum necessary extract may be used. Client and matter identifiers must be removed or replaced where practicable, provider training and independent use must be prohibited, access and retention must be restricted, and the basis for concluding that confidentiality is maintained must be recorded. Clean-room use is a risk-reduction measure and is not a guarantee against waiver.

Lawyers' confidentiality and competence duties (Conduct and Client Care Rules 2008) and AI

Rule 8 requires a lawyer to protect and hold in strict confidence all information concerning a client, the retainer and the client's business and affairs acquired through the professional relationship. Under rule 8.1, that duty begins when information is disclosed in relation to a proposed retainer and continues indefinitely. Disclosure is permitted or required only within the rules, and rule 8.5 limits any permitted disclosure to an appropriate recipient and the extent reasonably necessary. Rule 3 requires competent and timely legal services consistent with the retainer and reasonable care. Rule 7.1 requires reasonable steps to ensure the client understands the retainer, is kept informed and is consulted about implementation of instructions. AI use therefore requires more than a secure subscription: the lawyer must understand the tool, supervise its use, verify facts, law and citations, exercise independent judgement, prevent unauthorised staff use and communicate with the client where appropriate. Client consent may reduce one confidentiality concern, but does not excuse incompetence, misleading output, excessive disclosure, weak security, loss of privilege or breach of a court duty.

How this differs by situation
  • Strict confidentiality — Rule 8 covers client, retainer and business information and continues after the retainer ends.
  • Competence and supervision — Lawyers remain responsible for verifying AI-assisted work and supervising staff and systems.
  • Client communication — Retainer terms and consultation may need to address material AI use, risks and who or what performs the work.
PUT THIS IN YOUR POLICY, EXACTLY

A lawyer remains professionally responsible for every AI-assisted service and output. Client information must be protected in accordance with rule 8, and AI use must meet the competence, supervision, communication and court duties applying to the matter. All factual statements, legal propositions, authorities and citations must be checked by an appropriately qualified person. Client authorisation does not remove the lawyer's duties of competence, confidentiality, independent judgement, privilege protection or fidelity to the court.

New Zealand courts' and NZLS guidance on generative AI — what do they expect?

The current New Zealand court guidelines available in 2026 were issued on 7 December 2023 in separate versions for lawyers and non-lawyers. They do not impose a blanket ban. For lawyers, existing professional duties continue: understand the technology's limits, protect private, confidential, suppressed and privileged information, verify all output and authorities, avoid misleading the court and comply with suppression and procedural requirements. The guidelines say lawyers generally should not enter information that is not already in the public domain into public generative-AI tools. A genuinely protected in-house system may reduce that particular concern, but the underlying professional duties remain. Routine disclosure of AI use is not universally required, although a court may ask about it or impose a requirement. Non-lawyers and litigants in person are warned that AI is not a substitute for legal advice or an authoritative source and that they remain responsible for material filed. NZLS guidance, released on 14 March 2024 and updated on its website on 24 February 2026, expects purpose definition, tool and vendor due diligence, privacy-by-design, a privacy impact assessment, isolation of trials, approved-use policies, training, human review, client communication where appropriate and regular reassessment.

How this differs by situation
  • Lawyers appearing in court — Protect non-public information, verify every authority and comply with all existing professional and court duties.
  • Self-represented litigants and lay advocates — Remain responsible for accuracy and should not treat AI as legal advice or an authoritative source.
  • Law-practice governance — Define purpose, assess tools, use privacy by design, train users, supervise outputs and review the arrangement.
PUT THIS IN YOUR POLICY, EXACTLY

AI must not be used to place private, confidential, suppressed or privileged information into a public or uncontrolled tool. Every court document, legal authority, quotation and factual assertion produced with AI assistance must be independently checked against an authoritative source by an appropriately qualified person. Users remain responsible for the final document and must disclose AI use where required by a court, tribunal, rule, direction or specific order.

Data minimisation and de-identification under New Zealand law — and its limits

Data minimisation is not a magic transformation applied after a document has been uploaded. Under IPP 1, agencies should collect personal information only where necessary for a lawful purpose, while IPP 5, IPP 9 and IPP 10 support limiting exposure, retention and new uses. For an AI clean room, use the smallest relevant extract rather than a complete file; remove names, contact details, identifiers, signatures, metadata, tracked changes and unnecessary attachments; replace matter references with random codes; abstract distinctive facts where possible; and clean both prompts and outputs. De-identification has limits. Information remains personal information where an individual is identifiable, even if their name is absent. Rare events, occupations, locations, dates, family relationships, quoted communications or combinations of fields may permit re-identification. Pseudonymised information linked to a lookup table will ordinarily remain identifiable to whoever can access that table. Generative-AI outputs may also infer or reproduce personal information not obvious in the prompt. Treat de-identification as a layered risk-reduction control, test it from the perspective of a likely recipient and avoid claiming data is anonymous unless re-identification risk is genuinely remote in context.

How this differs by situation
  • Minimise before use — Use only the facts and document fragments required for the defined AI task.
  • Remove direct and indirect identifiers — Strip obvious identifiers, metadata and distinctive combinations that could identify an individual.
  • Test residual risk — Consider the provider's other data, likely recipients, outputs and the possibility of linkage or inference.
PUT THIS IN YOUR POLICY, EXACTLY

Before AI use, information must be reduced to the minimum facts or extracts necessary for the approved purpose. Direct identifiers, hidden metadata and unnecessary contextual details must be removed or replaced. De-identification must be tested for linkage, inference and distinctive-fact risk. Information must continue to be treated as personal, confidential or privileged whenever an individual or matter remains reasonably identifiable, directly or indirectly.

Technical isolation and vendor terms that make an AI tool "clean-room safe" (no-training, data location, deletion, subprocessors)

No vendor can be declared absolutely "clean-room safe" from a product name or marketing claim. A tool can instead be approved as clean-room eligible for a defined use after technical, contractual and legal review. Minimum controls should include organisation-managed accounts, strong authentication, role-based access, separate workspaces or tenants for sensitive matters, encryption, disabled public sharing, restricted connectors, controlled exports, prompt-injection protections where relevant and monitoring for abnormal access. Contract terms should prohibit model training and unrelated product improvement using customer content; prohibit advertising and independent analytics; identify hosting, support and backup locations; list and control subprocessors; limit human review; require prompt incident notification; define retention, deletion and backup expiry; assist with access and correction requests; preserve ownership and confidentiality; and provide an exit process. Evidence should distinguish a user-interface setting from a binding contractual commitment. NCSC secure-AI guidance supports access control, segregation of sensitive environments, transparency about data use and storage, logging, lifecycle documentation and incident procedures. Logging must itself be minimised and protected because full prompts may reproduce the sensitive material the clean room is intended to contain.

How this differs by situation
  • Technical isolation — Use managed identity, least privilege, separate workspaces, restricted connectors, encryption and controlled export.
  • Provider and subprocessors — Contractually restrict training, human access, independent use, location, retention and onward processing.
  • Evidence and monitoring — Retain configurations, contract versions, access events and deletion evidence without unnecessarily logging sensitive content.
PUT THIS IN YOUR POLICY, EXACTLY

An AI tool is clean-room eligible only after documented approval of its contract, architecture, configuration and proposed use. Customer content must not be used for model training, advertising, unrelated analytics or product improvement. Data locations, support access, subprocessors, retention, backup expiry, deletion, breach notification and exit arrangements must be documented. Access must use organisation-managed identity, least privilege and matter isolation. Marketing statements or interface settings alone are not sufficient evidence of protection.

What the clean room is NOT — its limits, and what it does not replace (consent, privilege, competence, court duties, a security programme)

The clean room in this guide is not an advertising-industry data clean room, a certified product category, a legal opinion, a privilege wrapper or a guarantee that information is anonymous. It does not convert an unnecessary or incompatible use into a permitted Privacy Act purpose. It does not make broad provider rights acceptable merely because the provider calls the service enterprise-grade. It does not guarantee against privilege waiver, and client consent does not necessarily solve confidentiality, power-imbalance, privilege, court, professional or security concerns. It does not replace a lawyer's duty to check authorities, exercise independent judgement and avoid misleading the court. Nor does it replace an organisation-wide security programme covering identity, devices, patching, backups, incident response, staff training, supplier management and breach notification. A clean room is one controlled route for a defined AI task. High-risk material may still need to remain entirely outside external AI, including suppressed information, highly sensitive evidence, unredacted discovery, authentication secrets and material where disclosure consequences cannot be acceptably reduced.

How this differs by situation
  • Not a legal safe harbour — Approval does not establish consent, lawful use, preserved privilege or compliance with every professional obligation.
  • Not a substitute for judgement — Qualified people must validate outputs and decide whether AI should be used at all.
  • Not the whole security programme — Broader cyber, privacy, supplier, incident and workforce controls remain necessary.
PUT THIS IN YOUR POLICY, EXACTLY

Clean-room approval is not a legal safe harbour, privilege guarantee, consent substitute, accuracy certification or replacement for our security programme. It does not authorise information that is prohibited by law, a court order, professional duty, client instruction or contract. The approving officer may require further safeguards or prohibit AI use entirely where the residual privacy, confidentiality, privilege, security or accuracy risk remains unacceptable.

Evidence and governance — proving the clean room operated

A clean room is only defensible if the organisation can show that its controls existed and operated for the relevant task. Keep an approved-use record covering the business purpose, client or matter category, personal-information and privilege assessment, permitted data classes, minimisation method, approving person and expiry or review date. Retain the applicable provider contract and privacy terms, data-processing terms, subprocessor list, data-location record, security assessment and dated configuration evidence showing that training and sharing were disabled. Maintain access records, workspace or matter identifiers, model and version information, output-review evidence, user training, deletion or retention events, exceptions, incidents and periodic control tests. Avoid solving the evidence problem by storing complete sensitive prompts indefinitely. Where full-content logging is unnecessary, record metadata, classifications, hashes or approval references instead. Changes to models, provider terms, locations, integrations or training settings should trigger reassessment. For legal work, retain enough to demonstrate human verification and the basis for treating confidentiality and privilege as protected, while applying the same minimisation and access controls to the audit record itself.

How this differs by situation
  • Approval evidence — Record purpose, data category, legal assessment, permitted use, approver and review date.
  • Vendor and configuration evidence — Retain the operative contract, subprocessor list, locations, settings, model version and security review.
  • Operational evidence — Record access, human review, deletion, training, incidents and control tests without over-logging sensitive content.
PUT THIS IN YOUR POLICY, EXACTLY

Every clean-room use must be supported by a dated approval, applicable vendor terms, data-flow and location record, security and privacy assessment, configuration evidence, authorised-user record, data-minimisation record, human-review evidence and retention or deletion event. Material changes to the provider, model, terms, subprocessors, locations, integrations or settings require reassessment. Audit records must not reproduce sensitive prompt content unless that content is necessary, authorised and protected to the same standard as the source material.

What's my next step?

Common misconceptions

  • “A clean room is a legally recognised safe harbour.” False: the clean room described here is a risk-control method, not a statutory status or guarantee of compliance. INFERRED
  • “This is the same thing as an advertising data clean room.” False: this guide uses the term for a controlled client-data minimisation and isolation workflow, not an adtech data-matching environment. INFERRED
  • “An enterprise subscription automatically protects privilege.” False: account type is only one fact; terms, provider access, training, retention, disclosure, confidentiality and the privilege holder's conduct all matter. INFERRED
  • “Any AI upload automatically waives legal privilege.” Too absolute: waiver under section 65 is fact-specific, although external disclosure and terms inconsistent with confidentiality can create substantial risk. VERIFIED
  • “The lawyer owns the privilege and can decide alone to disclose it.” False: privilege is held by the person entitled to it, ordinarily the client, and lawyers must also comply with confidentiality and professional duties. VERIFIED
  • “Client consent cures every AI risk.” False: consent does not remove competence, security, purpose, privilege, suppression, court or other professional obligations. INFERRED
  • “Removing a person's name makes the material anonymous.” False: information is personal information whenever an individual remains identifiable from context, linkage or other available data. VERIFIED
  • “A provider described as a processor becomes responsible instead of the customer.” False: a section 11 agent processes on the agency's behalf, and the principal agency remains responsible for the information. VERIFIED
  • “Every overseas cloud processor automatically creates an IPP 12 disclosure.” Not necessarily: section 11 may apply to a provider acting solely as an agent, but independent use or disclosure requires separate IPP 11 and IPP 12 analysis. VERIFIED
  • “New Zealand courts prohibit lawyers from using generative AI.” False: the guidelines permit cautious use while preserving all existing duties, accuracy checks and protections for non-public information. VERIFIED
  • “A clean room replaces human checking and the wider security programme.” False: qualified review, access security, incident response, supplier controls, training and other safeguards remain necessary. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Assess the purpose and privacy impact of AI use Office of the Privacy Commissioner Proposed AI processing involving personal information Before approval or deployment and again after material changes
Apply reasonable security safeguards to AI inputs, outputs and systems Office of the Privacy Commissioner Holding or processing personal information through an AI tool or provider Continuously throughout collection, use, storage, access, retention and deletion A qualifying interference with privacy may lead to OPC action and Human Rights Review Tribunal remedies or damages
Confirm that the AI use and disclosure are permitted Office of the Privacy Commissioner Using personal information for an AI purpose or making it available to an AI provider Before each materially new purpose, provider, model or disclosure A qualifying interference with privacy may lead to OPC action and Human Rights Review Tribunal remedies or damages
Determine whether the AI provider is an agent or an independent recipient Office of the Privacy Commissioner A third-party provider stores, processes, trains on, analyses or otherwise accesses personal information Before contracting and whenever provider terms, purposes or subprocessors change
Assess overseas disclosure under IPP 12 Office of the Privacy Commissioner Personal information is disclosed to a foreign person or entity rather than processed solely by a section 11 agent Before disclosure and after changes to location, recipient, purpose or safeguards A qualifying interference with privacy may lead to OPC action and Human Rights Review Tribunal remedies or damages
Protect legal professional privilege Courts applying the Evidence Act 2006 AI use involving confidential legal communications or material prepared for actual or apprehended proceedings Before disclosure and continuously while privileged material is held or processed Privilege may be disputed or lost through waiver, with resulting evidential and litigation consequences
Protect lawyer-client confidentiality New Zealand Law Society and Lawyers and Conveyancers Disciplinary Tribunal A lawyer or law practice proposes to use client, retainer or client-business information with AI From initial disclosure concerning a proposed retainer and indefinitely thereafter Complaints, findings of unsatisfactory conduct or misconduct, and disciplinary orders may apply depending on the circumstances
Maintain competence, supervision and human verification New Zealand Law Society and relevant court or tribunal AI assists with legal advice, research, drafting, evidence, submissions or court documents Before advice is given or material is relied on, filed, served or submitted Complaints, disciplinary consequences, costs, procedural orders or other court consequences may apply
Comply with court and tribunal GenAI expectations Courts and tribunals of New Zealand Generative AI is used in connection with court or tribunal proceedings Throughout preparation, filing, submission and hearing of the matter The court or tribunal may require explanation, correction or other procedural action; existing professional and court sanctions remain available
Maintain evidence of clean-room approval and operation Internal governance, Office of the Privacy Commissioner and relevant professional regulator Client, personal, confidential or potentially privileged information is approved for controlled AI use At approval, throughout operation, at deletion and after each material change or incident

Sources

  1. Privacy Act 2020 — latest version primary
  2. Office of the Privacy Commissioner — Artificial intelligence primary
  3. Office of the Privacy Commissioner — Generative Artificial Intelligence primary
  4. Information Privacy Principle 5 — storage and security primary
  5. Information Privacy Principle 10 — limits on use primary
  6. Information Privacy Principle 11 — limits on disclosure primary
  7. Information Privacy Principle 12 — disclosure outside New Zealand primary
  8. Office of the Privacy Commissioner — Sending information overseas primary
  9. Office of the Privacy Commissioner — Working with third-party providers primary
  10. Evidence Act 2006 — latest version primary
  11. Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 primary
  12. New Zealand Law Society — Generative AI guidance for lawyers primary
  13. New Zealand Law Society releases Generative AI guidance for lawyers primary
  14. NZLS — Lawyers are responsible for court documents prepared using Generative AI primary
  15. Courts of New Zealand — Guidelines for use of generative AI in courts and tribunals primary
  16. Guidelines for use of generative AI in courts and tribunals — Lawyers primary
  17. Guidelines for use of generative AI in courts and tribunals — Non-lawyers primary
  18. National Cyber Security Centre — Guidelines for secure AI system development primary
  19. New Zealand Information Security Manual primary
  20. Own Your Online — New Zealand cyber security guidance primary
  21. Reddit r/newzealand discussion — workplace AI restrictions forum
  22. Reddit r/newzealand discussion — customer data and privacy forum
  23. Reddit r/newzealand discussion — confidential work information forum
  24. Reddit r/newzealand discussion — lawyer testing AI contract drafting forum
  25. Reddit r/newzealand discussion — third-party data-sharing clauses forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.