
Interpretation of Information Availability Policies

Information Availability Principle

For as long as it has any business or statutory requirements to do so, government must be able to:

  • use the information it owns/holds;
  • provide access to its information to others, when they are entitled to access it.

Information Availability Policies

1. Informed consent to externally-imposed digital encumbrance

Any information that is relied on for execution of public business must be free from encumbrance by externally-imposed digital restrictions, except with the informed consent of government.

Rationale

Restrictions on the usage of information may hinder an agency's ability to do business and keep adequate records. Agencies need to know when an encumbrance exists, so that they can either refuse to accept the information on those terms, or can take appropriate measures to manage the risk.

This policy ensures that agencies that accept information with usage restrictions do so with prior knowledge, and hence with the opportunity to satisfy themselves that there is no negative impact or that adequate mitigations are available.

Supports Information Availability Policy.

Scope & Interpretation

This policy will generally be relevant in situations where information is to be held but not 'owned' by government, and thus there may be a legitimate reason for the information to be externally encumbered. By contrast, Policy 3, 'Control of digital encumbrances', will apply in situations where the information is owned by the government, and therefore there is no legitimate reason for an external party to control the digital rights.

Agencies should generally be attempting to have information unencumbered to support the process of government, or at the very least to have it able to be copied to an unencumbered public record. Simply identifying that a legitimate (which can be commercial) reason exists for the encumbrance is not in itself justification to allow encumbered data into government.

Refer to Glossary: DRM, for types of encumbrance likely to be encountered under TC/DRM.

"free from encumbrance by externally-imposed digital restrictions" refers to freedom from digital restrictions on usage imposed from outside the New Zealand government.

The notion of "informed consent" has two parts:

  • "informed" requiring adequate advice to government and sufficient understanding by government to appreciate the implications for the integrity of government-held information (Policy 2 helps elaborate on how this might be achieved), and
  • "consent" requiring active decision-making in each case.

"informed consent of government" will therefore apply when a person in an agency, authorised to make such a decision on an agency's behalf, is aware of the encumbrance (or the possibility of it) and with that awareness and an understanding of the implications, accepts the information. It is possible that the detection and consent process could be delegated to rules-based software, which could either:

  • acknowledge the possibility of an encumbrance, but determine the information to be of a category for which an encumbrance does not matter, or
  • positively detect an encumbrance, identify the nature of the encumbrance and the category of information it is applied to, and accept it on the basis of consent criteria being satisfied.

Informed consent could potentially be achieved by development of a specific trust relationship between recipient and provider, if a provider were to make a general undertaking either to not use DRM, or to use it only within specific boundaries.

The basis/rationale for the "consent" decision needs to be recorded.

Categories of information for which external encumbrance may not compromise the public record

The Public Records Act 2005 sets up a very broad definition of "public record". Within that definition, the Chief Archivist has authorised several classes of routine or trivial records for destruction as soon as they are no longer administratively required. These will be described in a future Trusted Computing and Digital Rights Management Standards and Guidelines document.

For these classes of material, it is possible that encumbrance may be allowed without compromising the public record. However, if such routine information is subsequently used in official business (e.g. information sourced from a discussion list is used as a basis for formal action) an adequate record should be captured without encumbrance.

Categories of information that should rarely, if ever, be subject to external encumbrance

Information that should rarely, if ever, be subject to external encumbrance is that which is relied upon in the course of public business (e.g. for decision-making, policy setting), or which provides the basis for citizen rights. In such cases, agencies should create an adequate, unencumbered record of relevant information.

2. Conditions for externally-imposed digital encumbrance

If information is required for execution of public business, and is externally encumbered:

  • the agency must have full knowledge of the rights when consenting to the encumbrance;
  • the agency must be notified that an encumbrance exists, and be able to easily view the rights, at each use;
  • the rights must be fixed, except by mutual consent of the agency and the rights-holder;
  • the rights assigned must be adequate for the uses of the information, including use by officials with responsibilities to audit and review.

Rationale

This policy ensures that the information continues to be fit for purpose. Each user will be sufficiently informed of any usage restrictions, such that if a mitigating action (e.g. making a file note) is required on their part to maintain fitness for purpose, they will be aware of it.

Supports Information Availability Policy.

Scope & Interpretation

Refer to Glossary: Rights for a definition of this term.

Notification of an encumbrance will enable users to know whether they need to record separate notes.

Encumbered information may be used multiple times by multiple officials. On each use, they need to know:

  • whether the information is encumbered;
  • what the details of the encumbrance are.

This will require some form of alert to users in an agency on each usage of the information so that they are aware that an encumbrance exists, and a means for finding out what the encumbrance is.

"rights must be fixed" means that the digital rights with which the information is encumbered, must not be subject to alteration or revocation.

Example: The subsequent addition of an access expiry date, or the revocation of a user's ability to perform a particular function on the information, such as printing it.

The clause allowing rights to be changed "by mutual consent of the agency and the rights-holder" is intended primarily to allow for subsequent relaxation of the rights, in order to accommodate the needs of the agency. Agencies should exercise care in agreeing to any other sort of change, because the usage needs may be well understood at the time the information is first received and used, but later may no longer be well known, or may in fact have been forgotten. In situations when a request is made to vary the terms of restriction, it may not be possible for the agency representative to know what use had been made of the information in the past. If the consent activity is not "fully informed", it must not proceed.

3. Control of digital encumbrances

Any DRM encumbrance applied to the government's master copy of any information it owns, must be under the government's full and exclusive control.

Rationale

This policy ensures that government will not lose the ability to maintain control over its intellectual property, and the use of its information.

Supports Information Availability Policy.

Scope & Interpretation

As well as applying this policy in a technical context, government agencies will need to apply it when negotiating contracts for project and development work that is expected to result in production of information which the government will own. Stating in the contract that such information must either be unencumbered, or that the encumbrance must be under the government's control, will:

  • reduce the likelihood of subsequent disputes with vendors;
  • reduce the likelihood of DRM encumbrances being inadvertently applied by the vendor.

'Master copy' refers to the copy of the information regarded as authoritative and identified as such, and from which other copies may be made. A master copy may consist of multiple versions, as each of these may have significance for record-keeping or administrative purposes. Backups of the master copy are considered part of the master copy. Copies made for other purposes are not.

This policy will apply in situations where the information is owned by the government, and therefore there can be no legitimate reason for an external party to control the digital rights. By contrast, Policy 1, 'Informed consent to externally-imposed digital encumbrance', will generally be relevant in situations where information is to be held but not 'owned' by government, and thus there may be a justified reason for an agency to accept the information with an external encumbrance.

4. Usage by all legitimate parties

When implementing solutions involving TC/DRM, agencies will ensure that adequate provision is made for the use of any information, at present and in the future, by all parties with statutory rights to use that information.

Rationale

This policy ensures that agencies consider the full range of information usage requirements when implementing TC/DRM solutions.

Supports Information Availability Policy.

Scope & Interpretation

Statutory rights to hold and use information derive from the Public Records Act, Privacy Act, Official Information Act and other legislation.

Relevant parties with statutory rights may include individuals, Archives New Zealand, and other agencies.

TC/DRM technologies can be used to restrict usage of information. It is expected that there will be much less flexibility to reverse, suspend or bypass these restrictions than with conventional technologies currently in use by government agencies. Therefore, if TC/DRM restrictions are applied to information and some present or future access requirement is not provided for, there will be less chance of finding a way to satisfy the requirement than if conventional technologies had been used.

Inadequate provision for legitimate access may take the following forms:

  • the need for access was overlooked by the agency applying the restrictions, or
  • the need for access was recognised, but the agency applying the restrictions made insufficient provision to ensure that the management and technical prerequisites for access were, and would continue to be, satisfied.

Agencies need to ensure that provision for use is made:

  • for information stored within their own organisation;
  • for information they have sent to other parties with statutory rights to use that information.

Agencies making use of TC/DRM for communications must do so only if all intended recipients have reasonable access to the technology required to permit use of the information.

Example: If a DRM-protected document is sent to a recipient and that recipient requires internet access for authentication, the recipient must either have internet access, or the document must be made available to them in an alternate, usable form.

When considering what 'future' encompasses, agencies should consider issues such as usage expiry mechanisms, provision for data migration, etc.

5. Assurance of future accessibility

If agencies' use of hardware or software can be limited by TC/DRM technologies, and access to information is reliant on that hardware or software, then agencies will take appropriate measures to ensure future accessibility of that information.

Rationale

This policy ensures that future access to information is not inadvertently lost as a result of TC/DRM restrictions on the use of the hardware or software normally used to access the information.

Supports Information Availability Policy.

Scope & Interpretation

Agencies must ensure that the functioning of hardware or software required to maintain government information cannot be impeded by influences outside government control.

Example: A software application might contain a start-up test that blocks access to the application's normal functionality if it cannot successfully perform an online validation check with the software vendor's network. Such 'heartbeat' functionality could hinder agencies from accessing or processing their data through circumstances outside of their control, so would not be acceptable unless there was a suitable bypass mechanism or process available to them.

Alternatively, agencies must adopt mitigation strategies to ensure continued access to information if government's use of the software or hardware were to be externally constrained.

If access to government information is reliant on an agency's hardware or software, and the operation of the hardware or software relies on communication with systems outside the control of government, then the agency is not in a position to ensure future accessibility. Therefore, software or hardware relied on for access to government information must be able to operate without reliance on communication with systems outside the control of government.

This policy does not rule out the use of subscription-based software licences or ASP (Application Software Provider) services, but does require that information is readily accessible by some other means should the subscription end.

This policy requires consideration of issues around future requirements for migration (both of the information and its associated audit trail) to different platforms, data formats or software products, when implementing TC/DRM now. For example, will information created in one environment using particular software be accessible in the future if it needs to be migrated to a different platform or if it has to be accessed using different software? Although these issues are not peculiar to TC/DRM, in some cases the use of TC/DRM will significantly reduce the mitigation options.

6. Minimum constraint on usage

Agencies will apply digital encumbrances to information only if there is a clearly identified business reason for doing so, and will apply only the minimum necessary degree of constraint.

Rationale

Placing usage restrictions on any information inevitably makes it more expensive to manage. The expense is not necessarily confined to the agency, but may also impact other agencies with which the information is shared, or which may subsequently become its custodian (such as Archives New Zealand). In addition, usage restrictions raise the risk that a legitimate user may not have the access to which they are entitled.

Supports Information Availability Policy.

Scope & Interpretation

This policy deals with situations where government is creating or changing information, and therefore can choose whether to encumber the information with digital restrictions, and to what extent. In these situations, government is the originator of the encumbrance. There are other policies in this framework that address the issues arising when government is instead the recipient of encumbered information.

Digital encumbrances may vary along several dimensions - who can access the information, what functions they can perform upon it (e.g. view, print), and how long the rights or restrictions last for. Applying the 'minimum necessary degree of constraint' means imposing the least amount of restriction along each of these dimensions.

When considering the 'minimum necessary degree of constraint', agencies should include the dimension of time. The need for restrictions may be for a limited time only, in which case the restrictions could be set to expire after a certain date, or could be removed after that date.

7. Common privilege definitions

Agencies protecting information with TC/DRM encumbrances will use a common set of digital rights definitions, to ensure that access requirements are met consistently.

Rationale

When agencies wish to apply TC/DRM encumbrances to their information, they will need to identify the access requirements of other government agencies for their data, and design access rights definitions that support these requirements. There are requirements that apply to all government agencies, such as:

  • future availability to Archives New Zealand
  • access by the Office of the Controller and Auditor-General
  • meeting the requirements of the Protected Disclosures Act

Without a coordinated approach being taken, the cost of analysing the requirements and designing appropriate definitions will be repeated many times, and the results are likely to be inconsistent. Where the results are inadequate, this may not be discovered until a long time after (e.g. hand-over of archival material to Archives New Zealand), and correction could be very expensive at that point.

By taking a coordinated approach, government can develop a uniform, best-practice approach to support generic inter-agency information usage requirements.

Supports Information Availability Policy.

Scope & Interpretation

There may be circumstances where government agencies consider it appropriate to apply TC/DRM encumbrances to information they create or hold. An all-of-government standard will be developed to provide a set of definitions that meet the minimum requirements for sharing of information across government.

Each agency will be able to develop an internal set of definitions to meet needs specific to itself, as long as they are compatible with the all-of-government standard.

8. Independent usage capability

Agencies will apply TC/DRM encumbrances to information only if a means to take full control of the access rights is vested in a designated independent government agency.

Rationale

This policy protects against situations in which information has become locked down to such an extent that:

  • digital preservation, e.g. migrating to a different platform or application, is hampered, e.g. the agency has lost its key to the information;
  • the legitimate whistle-blower process is thwarted;
  • investigations by monitoring or investigative agencies (Police, Serious Fraud Office, Audit New Zealand etc) are thwarted;
  • on-going use by the agency itself is compromised.

Supports Information Availability Policy.

Scope & Interpretation

To ensure a consistent, all-of-government approach, a suitable agency will be assigned this role.

The ability for the designated agency to take full control must not be revocable by any other agency or person, including the originating agency (except by a carefully controlled and documented process with fail safe checking).

Full control means the ability to re-assign the rights, or to remove restrictions altogether, so that any functions that could be performed on the information in unrestricted form are then possible. These might include, for example, the abilities to:

  • modify the information and save it with the modifications;
  • save the information to a different format.

Full control of the access rights, rather than allowing read access only, is required to enable any necessary transformations required for digital preservation, e.g. migration from an obsolete data format.

It is not envisaged that the designated agency's powers would be used routinely. This policy is intended as a contingency plan to counter the risk of an unintended loss of access to government information.

9. Modification/deletion by hardware/software

Agencies must not operate hardware or software with functionality that could modify, or hinder access to, information held by government, without explicit government approval.

Rationale

This policy is intended to protect government information from unauthorised modification or deletion by TC/DRM solutions.

Supports Information Availability Policy.

Scope & Interpretation

One of the risks addressed by this policy is the possibility of software being instructed by the provider to delete (or render inaccessible) files considered unacceptable by the provider, such as those that may appear to have been created using an unlicensed product, or that may otherwise appear to breach the terms and conditions for use of the hardware or software.

'Explicit government approval' means that any such modification or deletion of information would happen only with approval by a government official with appropriate authority, rather than through action by software not under government control. This approval process could be effected within an agency; the policy is not intended to suggest the establishment of a centralised "government approval" role.

The policy is not intended to address unintended system malfunctions, such as if software was found to have a bug that resulted in the modification or deletion of information. Rather, it is intended to cover circumstances for which such functionality could have been anticipated - and disclosed to the government - because it was included as part of the product's design.
