Networking government in New Zealand.

Frequently asked questions

Q: So what is this new policy about using offshore ICT service providers?
A: It's not new policy. It's not formal enough even to be guidelines. Our only strong recommendation is to take a risk management approach. But you can learn from the Advice about the risks around offshore contracting and how to manage them.

Q: What is in the Advice?
A: There is:

  • some introductory material - policies, standards, and other formal parts of the ICT procurement framework
  • some pointers on the risk management approach
  • explanations of ten types of risks in offshore outsourcing
  • a summary table of risks and possible mitigation strategies
  • things to discuss with your legal advisors, and
  • a collection of places to go for more information.

For more information, here's a 2-page summary.

Q: When should I use it?
A: Some examples of when it might be useful are:

  • You're considering a free/cheap widget for your government website but you're not sure about the terms and conditions attached.
  • You're thinking of running a survey of your website users or your employees and were told about free/cheap access to a survey site but you think it's offshore.
  • You're getting ready to put a tender onto GETS (Government Electronic Tendering Service) and you wonder what you would do if you got a response from an offshore supplier.
  • You're thinking about the potential use of cloud computing and software-as-a-service in your business.

More generally, it is most useful when you are thinking about sending government data offshore or outsourcing data processing and management services to offshore ICT service providers rather than when you're trying to negotiate a contract. It does not apply to purchases of hardware, software, or development services unless government data is leaving the country or being manipulated from outside the country.

Q: What if I can get the service for free?
A: Even if the service is free, you'll probably have to sign a contract. That includes a "click through" licence or End User Licence Agreement (EULA) or "click to agree" to Terms and Conditions. You should check with your agency's legal advisers just as you would if you were signing a contract on paper.

If you haven't checked with your legal advisers, please check those licences or terms and conditions for wording like this:

"You agree to hold harmless and indemnify "your supplier" from and against any third party claim arising from or in any way related to your use of the Service, including any liability or expense arising from all ..."

If you find those kinds of words, go talk to your legal adviser about Section 65ZC of the Public Finance Act or Section 163 of the Crown Entities Act or read the section on Big Picture Risks and then talk to your legal adviser.

Q: Is there anything else I ought to check out with our lawyers?
A: The Advice has a page of specifics to help you when talking with your lawyers. But you may want to check for claims to ownership of any information you post or that require you to agree to certain licence arrangements for that information. If there are those kinds of terms, you may want to read the section on Security and Integrity Risks before you talk to your lawyers.

Q: What if there's personal information involved?
A: Your agency is still responsible for meeting requirements under the Privacy Act 1993 for that personal information including security and providing access to it by the person concerned. This does not mean that an offshore provider is automatically excluded and the Advice is not an excuse for a BOTPA (Because of the Privacy Act) response.

You might want to check the information in the Privacy Risks section about your options because you do have options. You should also have a chat with your agency's Privacy Officer. And there is more advice about personal information below.

Q: Why is the Advice only focused on data?
A: The Advice is focused on data because government is in the information business but traditionally we've held it close. New technologies promise that our perceived need to keep it close is no longer true. But there are trade-offs and we need to understand them to make responsible decisions.

For example, will you be able to meet your agency's responsibilities under the Public Records Act 2005? Is what you are doing creating business records? Or, to put it another way, if the activity was being done here in NZ, would you need to keep that information in your agency's records management system? If you don't know, you might want to have a chat with your records advisers. And read the section on Security and Integrity Risks before you do.

Q: We're looking at making it possible for people to do transactions with us online and an offshore service looks really promising. Can we use them?
A: You need to carefully think about the service you want to offer. Is any of the information that might go offshore absolutely essential to the daily responsibilities of your agency? If you lost access to that information would vital services stop? Should you look at a local backup facility just in case? This might become more of an issue in future as more services go online.

From another perspective, is any of the information classified as "in confidence" or higher? Are there any other sensitivities around the information? You might want to talk to someone in your agency who is knowledgeable about responsibilities around classified information.

Q: Can you explain a bit more about what options we have if we are thinking about personal information and an offshore supplier?
A: Here are a couple of scenarios to help and some advice from the Privacy Risks section:

Scenario 1
You've put your tender out. And because you know the project will involve personal information, you made sure to include a clause about compliance with the New Zealand Privacy Act or a similarly protective privacy regime. One response came from an Australian company.

Can/should you automatically exclude that response from consideration? Answer: No

Why?
The New Zealand Privacy Commissioner and the Australian Federal Privacy Commissioner have signed an agreement to cooperate on cross-border enforcement of privacy law. This is not an automatic "go for it" but does provide you with room to explore how that agreement might be incorporated into a contract or otherwise serve as the basis for mitigating concerns about compliance with the Privacy Act 1993.


Scenario 2
A second response came from a Singaporean company. You don't even know if they have a Privacy Commissioner. What now?
Again, you don't necessarily have to exclude that response.


Why?
Although Singapore does not have a general privacy or data protection law, its commercial law regime is well regarded. In 2008, they ranked right behind New Zealand in Transparency International's Corruption Perceptions Index. So again, you may be able to adequately address privacy concerns through appropriate contractual terms, including New Zealand for choice of law, and have those terms enforced through Singapore's legal system.

Lawyers again?
And if you find yourself in the situation of needing to discuss contractual terms to protect personal information with your lawyer, the Advice (yes, in the Privacy Section and in the Risks & Mitigations Section) has some useful resources, for example: 

  • The European Commission publishes information on decisions about the adequacy of non-EU countries' data protection regimes at http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm
  • The EU also publishes Standard Clauses for the Transfer of Personal Data to Third Countries
  • The OECD publishes a Recommendation on Consumer Dispute Resolution and Redress and Recommendation on the Cross-border Enforcement of Laws Protecting Privacy.
  • The International Chamber of Commerce publishes standard contractual frameworks for data protection at http://www.iccwbo.org/id911/index.html
  • The Electronic Privacy Information Centre (a US NGO) publishes an annual survey of privacy protection around the world at http://epic.org/bookstore/

So, there's no need to feel you have to create everything from scratch. Judicious adoption and adaptation may be all that's required. And don't forget the general advice on legal and commercial risks and their mitigations.

Q: I just want a simple answer; yes or no?
A: Sorry, the advice is only that. It's not a cookbook. It's not a set of rules. There are few easy answers and the final decision is yours. But we think the information will be helpful as you work your way through the decision process.
