Skip to main content

Sovereignty over the information

Questions 14 to 22 — assess if it’s appropriate for data to be stored and processed outside of Aotearoa New Zealand.

Storing and processing information

All service models for public cloud have aspects of storing and processing data.

Service models for public cloud

For the information you’re looking to use with a public cloud service, the questions you need to answer about where it’s stored and processed depend on the data’s value to your organisation, the NZ government and New Zealanders.

High-value information — answer questions 14 to 22

For information that is highly valuable to your organisation, the NZ government and New Zealanders, government organisations must get the answers to all of the questions, 14 to 22. The service provider is responsible for answering some of them.

Example — high-value information and data sovereignty questions

With a public cloud service, you’re planning to use data that has personal information.

You need to answer all of the questions about data sovereignty, 14 to 22, because government organisations must safely and respectfully use NZ government and New Zealanders’ information.

Low-value information — answer questions 19 to 21

For information that is less valuable, it can be wasteful and an unnecessary delay to answer questions 19 to 21. If no harm will come from the information being lost or made public, then not answering questions 19 to 21 might be the best option for your organisation, the NZ government and New Zealanders.

Tips for right-sizing your risk assessment

Example — low-value information and data sovereignty questions

Through a public cloud service, you’re setting up an event using UNCLASSIFIED information that does not have any personal information.

If the information is low in value, you usually do not need to answer questions 19 to 21. There’s no personal information in the data and answering questions 19 to 21 would be disproportionate to the low risk to your organisation, the NZ government and New Zealanders.

Low information classifications with high values

Sometimes UNCLASSIFIED or IN-CONFIDENCE information can have impacts or risks that are greater than their classifications. In other words, they can be more valuable than their classification levels suggest.

Business impact levels can help you decide if the information is of greater value to your organisation, the NZ government and New Zealanders.

Applying Business Impact Levels — Protective Security Requirements

Questions 14 to 22 — sovereignty over the information

Table 1 lists who is responsible for answering each question. Depending on the level of assurance you need, both your government organisation and the service provider need to answer question 19.

Context and help for questions 14 to 22

Record your answers to these questions in either:

Questions to answer

  1. Where is the registered head office of the service provider?
  2. Which countries are the cloud services delivered from?
  3. In which legal jurisdictions will the agency’s data be stored and processed?
  4. Does the service provider allow its customers to specify the locations where their data can and cannot be stored and processed?
  5. Does the service have any dependency on any third parties that introduce additional jurisdictional risks — for example, outsourcers, subcontractors or another service provider?
    • If yes, for each third party involved in the delivery of the service, ask the service provider to list the:
      1. registered head office of the third party
      2. country or countries that their services are delivered from
      3. access that they have to client data stored, processed and sent by the public cloud service.
  6. Have the laws of the country or countries where the data will be stored and processed been reviewed to assess how they could affect the security or privacy, or both, of the information?
  7. Do the laws actually apply to the service provider or its customer’s information, or both?
    • For example, some privacy laws exempt certain types of businesses or do not apply to the personal information of foreigners.
  8. Do the applicable privacy laws provide an equivalent, or stronger, level of protection than the Privacy Act 2020?
    1. If no, are customers able to negotiate with the service provider to ensure that the equivalent privacy protections are specified in the contract?
  9. How does the service provider deal with requests from government agencies to access customer information?
    1. Do they only disclose information in response to a valid court order?
    2. Do they inform their customers if they have to disclose information in response to such a request?
    3. Are they prevented from informing customers that they have received a court order requesting access to their information?

Table 1: Who answers each question

Entity Questions to answer
Government organisation 19, 20, 21
Service provider 14, 15, 16, 17, 18, 18a, 18b, 18c, 19, 21a, 22, 22a, 22b, 22c

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 14 to 22

The following guidance gives you context and help for answering questions about who has sovereignty over your information.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Why government organisations must check the data sovereignty

Using public cloud services can involve risks from laws in other countries when a service is:

  • outside of New Zealand’s jurisdiction
  • in New Zealand, but owned by a foreign company.

Example of risk in another jurisdiction

A foreign law enforcement agency requires a provider of a public cloud service to hand over data belonging to their customers.

As part of the order, the service provider may be legally prohibited from telling its customers about this exchange of data.

Pay attention to outsourcing and sub-contracts

If the service provider outsources or sub-contracts any aspect of the delivery of its service, government organisations must also identify if this creates more risks to the information’s sovereignty.

Data used for improving the provider’s services

Many public cloud services reserve the right to use your data to improve their services.

This is generally okay for ‘UNCLASSIFIED’ and ‘IN-CONFIDENCE’ information. For higher classification levels, you’ll need to answer more questions in the risk discovery part of the risk assessment tool.

Risk discovery for public cloud services

Where to find information about data sovereignty

You should be able to get a lot of the information about data sovereignty from the provider’s policies on their website. These help you to understand how the:

  • relevant government lawfully accesses data that is stored, processed or transmitted in their territory
  • service provider responds to requests by other governments for access to the data they store, process or transmit.

Māori data rights

If the information you’re looking to use with a public cloud service has information from or about Māori, make sure using the service allows you to respect Māori data rights:

More information for high-value data

Question 62 of the risk discovery part of the risk assessment tool affects data sovereignty.

Encryption — questions 60 to 63

The Government Chief Digital Officer (GCDO) has information to help with assessing countries and service providers for data sovereignty.

Data sovereignty

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated