Big picture risks
Some risks are sufficiently serious to warrant being described as "show stoppers". These would typically relate to the integrity and reliability of the legal system in the target jurisdiction. One guide to the relative risk of countries' integrity can be found in the annual Global Corruption Report at Transparency International's website. A second would be any formal advice from the Government Communications Security Bureau (GCSB) or the New Zealand Security Intelligence Service (NZSIS) on security hazards around hardware, software, or services from certain countries.
A different warning flag could be the existence of legislation which could allow foreign governments to silently take New Zealand Government data which was within their borders.
Government's role as a steward of information held on behalf of all New Zealanders requires that agencies take into consideration not just the impact on their agency but how their actions will impact other agencies that may require access to that information and the individuals and organisations that are the subjects of the information. Decisions that might be perfectly acceptable in isolation may become questionable when viewed from an all-of-government or an all-of-New Zealand perspective.
Some information should perhaps never be considered as the subject of contracting with an offshore provider. Agencies are best placed to identify their own sensitive resources but such things as information vital to national security, sensitive personal information such as criminal records, and company confidential information provided under obligation, including intellectual property and trade secrets, would probably fall into that category. Agencies should consider the likely public reaction to a data breach of that information if they have any doubts about its suitability for outsourcing or sending offshore.
One way to address these concerns may be to consider worst case scenarios to bring the broader picture to light. Those scenarios could also be used to explore how the sensitivity of the information may change over time and whether the information in aggregate (and as that volume grows over time) may require better protection and more security than individual records might require.
After completing a comprehensive risk analysis, government agencies should assess also whether the level of residual (untreated) risk for any offshoring initiative is acceptable. Generally, the agency can make this assessment based on the expected benefits of the initiative and the agency's appetite for risk. Agencies need to bear in mind that there are certain risks and issues that cannot be accepted. Agencies should note the mandatory requirements for securing official and classified information (see Security in the Government Sector - SIGS and NZ ICT Security Manual NZSIT402).
Similarly, one needs to be mindful that the standard contract terms of multinational companies often contain indemnities in favour of those companies (in essence, an indemnity is a contractual provision by which the indemnifying party agrees to keep the other party harmless against loss for specified acts or defaults). Such terms can raise issues under the Public Finance Act 1989, section 65ZC of which renders it unlawful for any person to give a guarantee or indemnity on behalf of the Crown (defined principally as Ministers and departments) unless expressly authorised by an Act. Authorisation may be granted by the Minister of Finance under section 65ZD or the granting of an indemnity may be expressly authorised by the Public Finance (Departmental Guarantees and Indemnities) Regulations 2007.
When considering whether the giving of a particular form of indemnity is authorised under those Regulations, one needs to be careful to compare the scope of the indemnity in question against the statutory wording, because standard form indemnities often exceed the statutory permission. Where that is the case, Ministerial approval would be required before the indemnity is given. The alternative is to endeavour to "negotiate out" the indemnity from the company's standard terms or reduce its scope so as to render it compatible with any statutory permission that may be available. Crown entities should note that separate indemnity provisions apply to them. These provisions can be found in sections 160 and 163 of the Crown Entities Act 2004 and regulation 14 of the Crown Entities (Financial Powers) Regulations 2005.
These standard contract provisions or terms and conditions may also stipulate a non-New Zealand choice of law and jurisdiction for the resolution of contractual issues and disputes.
Government agencies should also be cognisant of the government's foreign relations position with certain jurisdictions before entering into commercial negotiations there. For example, it may be inappropriate for a government agency to enter into commercial negotiations or contracts in the jurisdiction of a foreign government if the NZ government has officially protested against or condemned the actions of that government. Advice should be sought from the Ministry of Foreign Affairs and Trade in these circumstances. Note also that New Zealand government agencies, citizens and companies must comply with regulations implementing NZ Security Council sanctions.
Government agencies are advised to seek the opinion of monitoring agencies on any issues or risks that might be deemed unacceptable by government.
