Background

Government agencies considering the use of ICT service providers for data processing and management services or government data storage should assess the risks of doing so and compare those risks against any potential benefits. Some risks may be trivial, as when an agency chooses to make older publications available electronically. Others, such as those attaching to national security information or sensitive personal information like criminal records, may preclude any consideration of storing the information offshore.

Agencies might consider using an offshore ICT provider for several reasons, such as a lack of capability in New Zealand, value for money, or anticipated technology and skills transfer to the agency from the offshore provider.  While these potential benefits might exist, agencies should balance them against the risks that such offshoring might pose.  For example:

  • Loss of control. Offshoring data or data processing and management services can limit the control that government agencies have over the quality and type of services provided. Foreign service providers, industry, infrastructure services and governments can exert influence over the way services are delivered, developed and protected. Government agencies are likely to have less control over data held offshore than over data held in New Zealand.
  • Loss of privacy and security. The confidentiality of offshore ICT services can be threatened by factors outside the control or knowledge of the New Zealand government. Offshoring may make it difficult or impossible for NZ government agencies to monitor and manage security and privacy effectively. In some circumstances, foreign law may enable another government to gain access to private New Zealand information and services without the knowledge or authorisation of the New Zealand government. Some foreign legislation may preclude notification to clients if the foreign government agencies access those clients' data.
  • Jurisdictional issues. Outsourcing data or data processing and management to offshore ICT service providers may impede the investigation or prosecution of privacy or security breaches because the New Zealand law that supports such investigations does not apply or may be specifically excluded by contract. Agencies should investigate the rules surrounding legal discovery in the relevant jurisdiction and understand the implications for their agency.

A comprehensive risk assessment will entail a different effort for different situations but will always require identification of the significant risks, controls and mitigating measures, and a decision about the management of each of those risks. The effort should be proportionate to those identified risks as well as the expected rewards. The assessment involves considering:

  • the nature of the information to be outsourced
  • the nature of the processes to be outsourced
  • the location of the service provider (relevant jurisdiction), and, if different,
  • the location from which service will be supplied.

The main concerns for security, service integrity, stewardship, and privacy when data is outsourced overseas are:

  • possible non-compliance by the government agency with New Zealand legislation and policies, including the Privacy Act 1993 and the Public Records Act 2005, and the possible non-application of legislation (e.g. the Privacy Act) that would apply if the service provider were not offshore. Offshore hosts can potentially collect, store, aggregate, and sell or otherwise exploit government information, including government-held personal information, without the same legislative restrictions and sanctions that would apply in New Zealand.
  • intelligence-gathering by foreign governments and foreign non-governmental entities that may affect the security of government information and the privacy of New Zealanders.
  • overseas judicial decisions that might require disclosure of New Zealand personal information held offshore, or allow the commercial use of that information.
  • overseas or international (e.g. undersea cables or satellites) infrastructure breakdowns, natural hazards, civil unrest, industrial unrest, criminal activity, or terrorism with a potentially greater impact than would occur if similar incidents occurred in New Zealand.
  • possible monitoring or enforcement difficulties when rights must be asserted overseas and/or against offshore entities.
  • recovery and/or secure disposal of government information, including private data and intellectual property relating to sensitive government processes, at the termination of an outsourcing relationship.