Skip to content.
|Networking government in New Zealand.

Control Policies

Policy: Ownership

Data collected by or for a government agency under statutory provisions, or by contract, or through an information-matching agreement under the Privacy Act, is owned by the Crown, not the individual agency. Other data may be supplied for use by agreement with an external owner. Business documents created or collected by or for a government agency are owned by the Crown.

Scope & Interpretation

In the context of these policies and standards, the meaning of ownership is defined within the following statements.

When ownership is vested in the Crown it means that all relevant data and document stores must be treated as Crown assets, and must be managed by government agencies accordingly. In addition, agencies must act as good corporate citizens and apply appropriate care to data acquired from an external owner, or documents copyright to non-government organisations or individuals. Ownership of data refers to control of the Crown's copy of that data for statutory purposes and does not necessarily imply the exclusive transfer of intellectual property rights.

While the Crown asserts ownership of its copy of collected data, any data supplied by groups or individuals remains the property of those groups and individuals, except where statute or explicit agreement transfers exclusive intellectual property ownership to the Crown. See Standards: Transfer of Intellectual Property.

Ownership confers the right of the Crown to instruct agencies and monitor that all relevant statutes and regulations are followed in collecting and managing the asset, and that these policies and standards are being applied.

In some cases data is collected and managed by external organisations under legislation for government purposes. This data is a Crown asset and must be managed accordingly. For a definition of government agency, see Glossary: Government Agency.

Business documents are distinguished from non-business documents (see GLOSSARY: DATA OBJECTS) because non-business documents do not require the same level of active management.

Good management of Crown data and business document assets includes:

  • Adherence to these policies and standards

  • Adherence to statutory provisions of the Archives Act, the Official Information Act, the Privacy Act, Copyright Act and any specific empowering legislation for the agency

  • The capacity to restrict data or documents or make them available to government or non-government agencies as required by government and allowed by law.

  • Keeping abreast of the Mataatua Declaration on Cultural and Intellectual Property Rights of Indigenous Peoples and subsequent developments arising from it.

Supporting Standards: Transfer of intellectual property; Reasons for collection/creation

Rationale

For data and business documents owned by the Crown, the Crown has a duty of care for their management, on behalf of the people of New Zealand.

Data is a key Crown asset without which business would be impossible. Clearly defined accountability and control over that asset is required to ensure that it is managed satisfactorily.

Documents, in many forms, deliver much of the value added to raw data by government employees. Clearly defined accountability and control over these assets is required to ensure that the value is not lost to the Crown.

Policy: Stewardship

The Crown through a responsible minister will appoint a Crown Data Steward with a government-wide mandate to manage and develop the Crown's data and document assets in accordance with established policies and standards.

Scope and Interpretation

Integrity of data is a key requirement to develop effective policy advice, deliver resulting services, and measure the results. Common data management policies and standards applied across government agencies promote integrity and consistent quality. When reliable data is easily available, the costs of delivering information are reduced and quality improves.

The objective of the Crown Data Steward is to ensure integrity and consistency of data as the raw material for the derivation of information and policy. The main responsibilities of the Crown Data Steward are:

Develop and maintain the Data Management Policies and Standards on behalf of the Crown

Exercise the ownership rights of the Crown to monitor that all relevant statutes and regulations are followed in managing Crown data and document assets, that the specified policies and standards are being applied, and report on the results

Approve and ratify data and document management policies, standards and practices developed within government agencies to meet specific requirements

Promote rationalisation of overlapping data stores and cost-effective use of data and document assets within legislative boundaries

Develop the government high level data catalogue and publish in a workspace accessible to all government agencies

Facilitate data and document sharing where appropriate by:

  • Assisting, and arbitrating if necessary, in the development of new sharing arrangements

  • Consulting with the Privacy Commissioner when personal data is included that may involve information matching or other provisions of the Privacy Act

  • Approving and monitoring both existing and new sharing arrangements, ensuring that business objectives and quality requirements are met.

  • Ensure valuable data stores orphaned by agency re-organisation or other changes are transferred to an appropriate business custodian. (see also Standards: Retention requirements, Standards: Transfer between agencies, Standards: Destruction protocols)

Rationale

All parties are in agreement that data collected through the activities of government agencies belongs to the Crown. However, concepts of stewardship, and how the Crown's ownership interests in data should be delivered are relatively recent and still evolving. Significant practical problems are beginning to become apparent with current stewardship arrangements. Problems include:

  • Stewardship responsibilities are broken up among a huge range of departments

  • Departmental stewards are likely to give priority to immediate departmental or narrower sector interests

  • Departmental stewards have limited capacity to see the 'big picture'

  • No central oversight of how departments are delivering their stewardship responsibilities

  • Lack of government-wide strategic oversight of data developments to ensure that the Crown's data assets deliver consistent future returns to the Crown

  • Data developments appear to be moving at too slow a pace to achieve government targets for e-government.

Together these issues demonstrate the need for a Crown Data Stewardship role with government-wide responsibility to manage and develop the Crown's data and document assets in accordance with established policies and standards.

Policy: Custodianship

Every item of data and every business document held by, or maintained for a government agency on behalf of the Crown, will have a Business Custodian and a Physical Custodian.

The role of Business Custodian is assumed by the agency's Chief Executive, who may delegate day-to-day responsibility to an appropriate employee. The role of Physical Custodian will be assigned to the service provider holding the data under an explicit directive or agreement.

Scope & Interpretation

The Business Custodian is accountable for maintaining the quality, integrity, availability, and security of data and documents at the levels expressed in these policies and any derived standards or better.

The Business Custodian normally has the exclusive right to control the updating or alteration of data, although this may be initiated by others e.g. under provisions of the Privacy Act. In some cases external organisations collect and maintain data on behalf of, or in partnership with, the Crown. The Business Custodian will agree a data management regime based on these policies and any derived standards with the external organisation.

In some cases the business and physical custodian may be the same person or group. The agreement will then take the form of a detailed definition of each role. Even though day-to-day duties may be delegated, there will always be one business and one physical custodian responsible for every data element and business document.

In particular, the Business Custodian will ensure:

  • Maintenance of an explicit directive or agreement with a Physical Custodian and monitoring of performance for all data and document stores under his/her control

  • Inclusion of these policies and standards in all relevant service, purchase or development contracts

  • Application of the policies and any derived standards within the agency

  • Participation in relevant shared management arrangements or other inter-agency initiatives

  • Transfer of data stores orphaned by agency restructuring or other causes to an appropriate custodian.

Over time, the prime authoritative source may move to different Business and Physical Custodians. In some cases the same logical data element could have different custodians based on length of retention, particularly if it loses operational value over time but retains analytical or historical value.

The Physical Custodian is responsible for the continued physical existence, availability, integrity and security of data or documents for as long as is required by the Business Custodian and defined in an explicit directive or agreement.

Supporting Standards: Physical Custodian Agreement; The position, not the person

Rationale

The concept of custodianship of data and documents allows agencies the day-to-day control they need over the assets for which they are held accountable. It does not confer ownership, which is vested at a higher level.

The Physical Custodian performs a key role in maintaining the agency data and document resources on behalf of the Crown. It is essential that clear lines of accountability be maintained between the Business Custodian and both internal and external service providers.

Policy: Treaty of Waitangi Obligations and Cultural Awareness

Each agency will recognise and meet Treaty of Waitangi obligations and, where Maori are affected, consult with Maori in all issues relating to access, capture, usage, storage, transfer and retention of data and business documents. Each agency will also attempt to accommodate identified cultural, ethnic and religious issues related to data and document management, where they do not conflict with statutory and explicit business requirements.

Scope and Interpretation

The Crown acknowledges the potential cultural sensitivity of some data and business documents, and has the intent to be a good corporate citizen. However, a cultural perspective may be in conflict with statutory or business requirements and different cultural perspectives may be in conflict with each other. Agencies should therefore manage data and business documents so that both Treaty obligations and cultural issues are considered and managed in a transparent and sensitive manner, even if each agency decides it cannot satisfy the wishes of all groups on some issues.

When determining explicit business requirements for data and document management, agencies should identify obvious key points where Treaty of Waitangi obligations or cultural issues may arise. Examples are requesting, supplying, or disposing of data or documents:

  • About individuals

  • About cultural practices

  • For Maori, also about land and places.

In addition, where Treaty of Waitangi or cultural issues are brought to their attention, agencies must be able to demonstrate how they have responded.

Treaty obligations and cultural awareness can encompass a broad range of issues including information capture, intellectual property rights, availability/security, contextual/metadata, usage, storage and retention.

Examples:

  • Some cultures define family relationships very broadly e.g. who is an "aunt" or "brother", and have various family naming conventions. Individuals can have different names to be used in defined contexts. Agency systems are typically set up to handle data and documents within a narrow set of conventions. This can lead to confusion in descriptions of relationships, and the handling of family and individual names, titles etc. Agencies could respond by clarifying what family relationships are being described and by allowing for a broader range of naming conventions.

  • Naming geographic features with significance to several different groups.

Agencies may also seek to have statutory requirements reviewed where it is judged that they conflict unnecessarily with Treaty obligations and cultural issues.

Rationale

  • Responds to the Crown's Treaty obligations to know the effects of its policies on Maori

  • Demonstrates the agency's commitment to the Treaty of Waitangi

  • Improves the ability of agencies to meet the needs of their customers, and to demonstrate awareness of their cultural differences

  • Aligns agencies with Te Puni Kokiri , Ministry for Pacific Island Affairs and SSC guidelines, and assists agencies to demonstrate a commitment to the Treaty of Waitangi

  • Allows agencies flexibility in managing cultural, statutory and business requirements.

Policy: Charging/Cost Recovery

Agencies may need to recover costs in some cases where information is disseminated from government data or document stores.

Agencies must apply the PFGHI (Policy for Government Held Information) pricing principle where information is disseminated from government data or document stores.

Agencies should refer to Cabinet Committee Minute CGA(97)M10/1, 16 July 1997, "Government Information Supply Activities" to determine an appropriate charging regime for the service.

The Ministry of Justice Charging Services Guidelines will set the actual price for the service, to ensure consistent pricing across Government.

Charges relating to an information privacy request where an individual requests access to, or correction of personal information, are governed by the Privacy Act.

Agencies will work in consultation with Treasury when establishing charging or cost recovery schemes.

Scope and Interpretation

In many cases charges are either set by legislation, or can be agreed between the parties involved in a data sharing arrangement.

Where there is disagreement, or where charges to individuals or private organisations are not mandated in legislation, the policy papers above must be adhered to, along with any subsequent guidelines issued or endorsed by Treasury. In all cases, Treasury rules take precedence.

Where there is doubt about existing guidelines produced by other government agencies, Treasury must be consulted.

Each agency should develop its own guidelines, based on those of the policies described above, where more detailed rules are required.

Rationale

Dissemination of information derived from Crown data or document stores extracts value from a government funded asset. Treasury must set or endorse the policy for any charging to ensure that individual agencies follow the same regime.

Policy: Access Rules

The Business Custodian will establish and maintain access rules for the categories of data and business documents under his/her control. Access rules must be based on the principle of public and equitable access to information unless explicit reasons preclude this.

Scope and Interpretation

The intention of this policy is to ensure that rules are in place to govern access to documents and data. Sensitive material needs to be secure; access to other data and document assets should not be unnecessarily restricted. Each agency must preserve the security of material with a government security classification. In order to complete this task it will be necessary to define the prime authoritative source for all data elements and document categories (see SOURCE).

Complex datasets e.g. geospatial databases, may contain several categories of data that need to be viewed together in context to provide meaningful information. In these cases it is necessary to apply a security classification to the dataset at the level of the most sensitive data it contains.

Where data is extracted from multiple datasets or data stores and combined, the resulting dataset or report may require greater security than its constituent parts.

A document may also contain several categories of data with different security requirements that cannot be separated without editing. Documents must be assigned a security classification according to the most sensitive data they contain.

Rules will be consistent with relevant legislation and government requirements for inter-agency data and document sharing, and access by external organisations or individuals. The main acts governing this area, apart from those governing individual agencies, are: the Privacy Act, the Official Information Act, the Statistics Act, the Copyright Act and the Archives Act. Rules will also be consistent with Department of Prime Minister and Cabinet security guidelines.

Security systems implemented around data and document stores must follow the access protocols established under this policy. This will achieve a consistent approach to security across agencies that can work both internally and for external interfaces.

The table 'Indicative Categories of Data and Access Protocols' shows an indicative rule set and may be used to assist preparation of data access rules for a particular agency. Once data is categorised for access and security, document access rules may be based on their data content.

Supporting Standards: Publishing; Security; The position, not the person; Secure electronic exchange; Individual privacy and confidentiality; Commercial sensitivity; Equity of access

Rationale

Clear and well-known access rules allow government agencies to get maximum use out of the Crown investment in data and document assets. This can improve performance through:

  • Retention of "Corporate memory"

  • Improved quality and consistency of outputs

  • Quality decision making at strategic and operational levels

  • Reduced duplication

  • Improved ability to respond to customers' needs

  • Improved ability to respond to requests for information

  • Increased confidence in the availability of data and documents.

Indicative Categories of Data and Access Protocols

Data Pertaining to:

A Private Individual

An Employee

The Agency

External Organisation

The Physical Environment

Data views, Summary Data & Statistics

Data Matching Interchange

Provided by

The individual Crown Agencies

Other third parties

The employer

Former employees

Employment agencies

Other third parties

Agency Business units

External organisations

Credit agencies

Other third parties

Internal collection or external source, observation equipment

Data Warehouse Research bureaux

Other third parties

Other agency matching agreement

In custody of

Agency CEO

Agency CEO

Agency CEO

Agency CEO

Agency CEO

Agency CEO

Agency CEO

Authority to maintain

Business Custodian

Business Custodian

Business Custodian

Business Custodian

Business Custodian

Business Custodian

Business Custodian

Use in data matching programme?

Only with legal authority (Privacy Act)

Only with legal authority (Privacy Act)

N/A

Only with legal authority (Privacy Act)

N/A

N/A

Only with Legal authority (Privacy

Act)

Must inform provider of purpose formally?

YES

YES

N/A

NO

N/A

N/A

NO

Use for other purposes?

NO

NO

N/A

YES

N/A

N/A

NO

OK to release to third parties without consent?

Crown Agencies for data matching & subject to legal authority

NO

Subject to OIA request

Subject to legal authority, copyright, or prior expression of confidentiality

Subject to copyright and commercial sensitivity

Subject to confidentiality & copyright+ Official Information

Act

NO

Subject has the right of access, update, and review and to have dissenting view recorded?

YES

YES

YES

YES

N/A

N/A

YES

[ Previous | Next ]