Networking government in New Zealand.

Summary of key risks and mitigations

This section details specific key risks and provides example mitigations. The following areas of risk are described:

Trust and public confidence risks

Specific key risks

  • Adverse effect on public trust in e-government services and government in general
  • Loss of autonomy, authority and control, and a higher risk of data breaches
  • Public perception that service or data offshore is riskier or unacceptable
  • Loss of control over government information because it would be subject to the laws of other countries
  • Trade relationships affected by loss of international confidence in New Zealand systems.

Example mitigations

  • Seek appropriate advice (e.g. from MFAT, DPMC, security agencies)
  • Seek Ministerial agreement before commencing negotiations
  • Seek appropriate legal advice
  • Investigate the scope and powers of foreign legislation over New Zealand data and services and offshore support personnel or providers
  • Ensure effective security management.
  • Avoid offshoring private or sensitive data or services (including remote support) where the confidentiality of the data cannot be assured.
  • Limit the scope of the service provider for downstream outsourcing

Control risks

Specific key risks

  • Loss of control over data
  • Loss of control over supplier or sub-contractor performance
  • Loss of control over service delivery because of unreliable foreign national/international infrastructure
  • Inadequate management of information and records created as part of government functions
  • Loss of information or records due to non-recovery or lack of authorised disposal following end of contract

Example mitigations

  • Seek appropriate legal advice
  • Investigate the scope and powers of foreign legislation over New Zealand data and services and offshore support personnel and providers
  • Specify requirements for the creation and maintenance of information and records in contracts
  • Specify contractual agreements on recovery or disposal of information at the close of a contract
  • Avoid offshoring private or sensitive data or services (including remote support) where the confidentiality of the data cannot be assured.
  • Limit scope for further outsourcing by the service provider
  • Contract and test for redundancy and business continuity

Governance, management and project risks

(Many of these risks are common to on-shore outsourcing as well.)

Specific key risks

Governance and management

  • Arm's length management
  • Delays in identifying problems, adding to fallout
  • Poor knowledge of service quality, issues and risks
  • Low compliance with audit and other government requirements
  • Fragmented governance team leads to misunderstandings
  • Reporting difficulties
  • Audit difficulties

Project

  • Organisational push-back and lack of cooperation
  • Poor knowledge of:
    • product quality
    • issues and risks
    • project progress
  • Interruption in service because of start-up and transition risks
  • High exit costs and difficulty moving the project to new service providers because of knowledge capture by the remote service provider.

Example mitigations

Governance and management

  • Contract should include compliance with New Zealand government ICT project controls and audit requirements (see Resources section under risk management)
  • Contract should include compliance with best practice (e.g. project methodology, ITIL) governance frameworks
  • Contract for effective recording and reporting of issues, risks and non-compliance with government requirements
  • Establish auditing and compliance checks as a performance measure affecting revenue
  • Establish a governance team including New Zealand-based representatives of the offshore service provider

Project

  • Ensure the offshore service provider and government agency adopt a recognised 'best practice' project management methodology (e.g. PRINCE2, PMBOK).
  • Contract should include compliance with New Zealand government ICT project controls and audit requirements (see Resources section under risk management)
  • Ensure ongoing project risk management and risk reporting.
  • Undertake regular offshore training of key staff to maintain fluency in the solution. If possible, maintain an overseas presence.
  • Establish a local capability and backup for services, perhaps by insisting on a local provider of support services.
  • Ensure effective change management so that documentation and training material is kept current and accessible.
  • Consider the long term strategic value to New Zealand of the skills being outsourced (consult the Department of Labour).
  • Don't move strategic intellectual property offshore.

Economic risks

Specific key risks

  • Failure to meet international obligations or comply with internal agreements
  • Reduced economic benefit to NZ (this is balanced by FTAs and membership in APEC, the OECD, etc.)
  • Domestic capability reduced as technical teams and knowledge move offshore.
  • Balance of trade deteriorates and Crown revenue is reduced as large-scale production moves offshore
  • Unemployment rates increase as producers move offshore.
  • Trade advantages lost and trade relationships affected by security breaches.

Example mitigations

  • Conduct all significant procurements in compliance with, where applicable, the Mandatory Rules for Procurement by Departments and other procurement advice from MED and the Auditor General.
  • Maintain domestic capability by having New Zealanders work closely with the offshore provider.
  • Don't move strategic intellectual property offshore
  • Seek advice from the Department of Labour and Treasury.
  • Ensure effective security management

Business continuity risks

Specific key risks

  • Loss of domestic capability including loss of organisational knowledge and strategic capability
  • Loss of intellectual property - both explicit and embedded in system design or business processes
  • Effect of loss of skilled jobs to a particular part of the New Zealand economy
  • Limitations on future options due to loss of capability to develop alternatives
  • New Zealand Government's capability to deliver service is reduced because:
    • There is a service level reduction compared to New Zealand providers
    • Service providers may not have the understanding required of the New Zealand market, operating environment and local needs and preferences to deliver the best possible services.
    • Staff morale and productivity issues may arise because of impending changes.
    • There are difficulties in communicating performance expectations

Example mitigations

  • Undertake regular offshore training of key staff to maintain fluency in the solution. If possible, maintain an overseas presence.
  • Establish a local capability and backup for services, perhaps by insisting on a local provider of support services.
  • Ensure effective change management so that documentation and training material is kept current and accessible.
  • Undertake best practice governance, contract and service delivery management.
  • Investigate and contract for appropriate levels of technology redundancy, resilience and business continuity capability.
  • Consider the long term strategic value to New Zealand of the skills being outsourced (consult the Department of Labour).
  • Don't move strategic intellectual property offshore.
  • Specify and manage the quality and level of service through a service level agreement.
  • Implement a change management strategy.
  • Establish structures and processes to monitor and manage communications and performance expectations.

Security and integrity risks

Specific key risks

Security General

  • There is a risk of industrial espionage (initiated by government, commercial organisations or political extremists) aimed at gaining advantage over New Zealand trade or the trade of New Zealand's economic partners. Financial incentives in return for compromises of New Zealand services and data in other jurisdictions may have no criminal or civil remedies.
  • Non-compliance with New Zealand government security policy
  • Higher risk because of the greater volume of information offshore (the classification of individual documents may not reflect the value of a collection of information)
  • Non-compliance with Protective Security Manual (PSM), impact on physical security, difficulties with enforcing physical security
  • Non-compliance with other relevant NZ standards - standards applied may not agree with NZ standards

Confidentiality

  • Theft of hardware
  • Theft of data or loss of data
  • Insertion of backdoors or other extraneous code if software is developed offshore
  • Intelligence gathering - commercial and by government(s), including aggregating the New Zealand Government's information about its citizens with information gathered by other means
  • External threats - war, revolution, civil unrest, terrorist attack

Availability

  • Technical barriers, processes or policy that restrict access to data and services
  • Theft of hardware
  • Theft of data or loss of data
  • Natural hazards such as earthquakes or civil infrastructure breakdowns (power, transport, telecommunications), undersea cables cut

Integrity

  • Corruption of data - stored or in transmission
  • Poor quality control over data input or processing
  • Lack of sustainability of digital information. Digital information needs to be actively managed over time to ensure ongoing accessibility and usability.
  • Interception of communications or loss in transit (electronic, courier, etc.)

Example mitigations

  • Contract for compliance with New Zealand government security requirements
  • Undertake regular threat assessments
  • Train offshore service providers
  • Regularly audit offshore service providers
  • Establish a formal security governance structure
  • Ensure appropriate security monitoring
  • Ensure security incident management processes are in place at the offshore service provider and the government agency
  • Contract and test for redundancy and business continuity
  • Ensure consideration is given to the potential value of the information, when matched with other sources
  • Establish Government agency business continuity planning in case of offshore service failures
  • Ensure local backup for data and services in case of extended offshore service failures (e.g. natural disaster, war).

Integrity

  • Establish and monitor data quality measures
  • Ensure data quality and sustainability are covered in the contract

Privacy risks

Specific key risks

  • Unauthorised release of personal information
  • Inability to provide legitimate access by the data subject to personal information
  • Inability to cooperate with Privacy Commissioner over complaints of interference with privacy
  • Inability of the Privacy Commissioner to investigate or enforce against offshore offenders
  • Inability to guarantee the protection of personal information in foreign jurisdictions which do not have privacy/data protection laws
  • Foreign laws which conflict with the Privacy Act or offer less protection for the privacy of personal information
    • Some offshore locations may be less problematic than others. Countries whose privacy legislation is considered 'adequate' under the European Union Directive 95/46/EC may provide acceptable protection for personal information but agencies should check on the applicability of that protection to information from New Zealand and on enforceability from outside the potential hosting country.
    • Conversely, some jurisdictions may have legislation that permits their government access to any source of personal information held in that country. The Privacy Act gives immunity to breaches of the information privacy principles outside New Zealand that result from an agency's compliance with foreign laws (Section 10). The Commissioner reported on the implications of that provision in Necessary and Desirable (1998) Chapter 2.18, and in updates to that report in April 2000 and January 2003.

Example mitigations


Legal and commercial risks

Specific key risks

  • Non-compliance by the offshore provider with New Zealand's legislative requirements - Official Information Act 1982, Public Finance Act 1989, Privacy Act 1993, Public Records Act 2005.
  • Subject to laws in another jurisdiction - simple differences in legislation or interpretation of laws, stability of laws, quality of legal system (independent judiciary), differences in standard contracts, choice of law in contracts, venue for disputes, laws affecting data privacy (e.g. US Patriot Act).
  • Software licensing risks - unlicensed use of software, outsourcer software needs to be installed on local systems, unlawful distribution of software
  • International law implications on commercial contracts
  • Costs and difficulty of any foreign legal court action
  • Bankruptcy, takeover, merger of or further outsourcing by contractor
  • Effort required for maintenance of New Zealand third party support relationships
  • Poor or variable outsourcer performance
  • Contract lock-in

Example mitigations

  • Design the contract to cover all eventualities including, where relevant, any unacceptable Terms and Conditions or Acceptable Use Policy in the offshore provider's standard contracts (see the section on topics to discuss with your legal advisors).
  • Where practicable, contract for New Zealand governing law and jurisdiction.
  • Check for indemnities that may be inconsistent with Public Finance Act and negotiate them out of the contract or seek Ministerial approval.
  • Engage appropriate legal advice for contracts under foreign law
  • Consider the value of New Zealand assets of the offshore service provider and whether the existence of those assets is likely to encourage compliance with the contract and relevant NZ legislation.
  • Choose country very carefully - perform a risk analysis of host country and, where possible, the impact of likely legislative changes
  • Understand the process, costs, remedies and likely timeframes for litigation before contracting.
  • Consider alternative dispute resolution mechanisms, being mindful of the forum for such resolution and the nature of any institutional or other mediation or arbitration rules that may be proposed.
  • Impose performance and non-compliance penalties.
  • Ensure sufficient opportunity exists for early termination of the contract due to poor performance.
  • Evaluate the best mode of operation with local support providers (e.g. prime/sub-prime contracts)
  • Limit scope for further outsourcing by the service provider
  • Consider the need for a financial surety and/or performance guarantees
  • Investigate insurance options to cover the risk of service provider failure - note that this does not prevent risks to service continuity; adequate disaster recovery, business continuity and early termination arrangements may need to be in place.
  • Ensure sufficient financial reserves exist in case of litigation.

Fiscal risks

Specific key risks

  • Currency fluctuations - cost movements exaggerated and fixed price contracts
  • Lock-in risks - price changes by suppliers, high set up costs, high compliance costs, fixed prices achieved by varying quality in response to changing demands and conditions, costs of repatriation or transfer to another supplier
  • Unplanned liabilities and costs (e.g. taxes).

Example mitigations

  • Consider money market hedging, forward contracts and option hedging for significant future payments
  • Implement contractual controls on price changes by suppliers
  • Contract for flexibility to reflect changing financial market conditions
  • Engage expert advice on the legal/financial concerns in the foreign jurisdiction.
