NZ Parliament faces ‘jurisdictional risk’ from storing data offshore

Share

The New Zealand Parliament is pushing to improve its data storage capabilities, as keeping its Parliamentary Service data in Australia was said to come with a ‘jurisdictional risk’ due to the information not falling solely under the country’s legal regime. 

A briefing from the Department of the Prime Minister and Cabinet revealed that it has become increasingly difficult and costly to deliver required capabilities only on-premises in the last two years as tech vendors were shifting their investments to cloud and retiring support for legacy on-premises versions.  

While much of the briefing was redacted, it was shown that storing data offshore was a jurisdictional risk since the data is subject to the laws of other countries where cloud service providers may store, process, or transmit data.

Aside from this, a draft response from NZ Prime Minister Jacinda Ardern, Government Communications Security Minister Andrew Little and Digital Economy Minister David Clark to Speaker of the House Trevor Mallard further described the issues they were facing.  

“The obsolescence of the non-cloud Parliamentary toolset is a source of tremendous frustration for Members and staff (as encapsulated in Recommendation 58 of the Francis Review),” the draft stated. 

“Inadequate work tools hamper productivity but also introduce external security risks, for example when individuals have little choice but to use non-approved apps to get work done. Better productivity, collaboration and mobility can only be achieved through the adoption of cloud services and should occur as soon as is safely possible.” 

Following this is the rollout of cloud tools across government, with the ACT Party launching a trial with Microsoft 365 in November 2020 and core Service Corporate and Office of the Clerk staff starting to gain access to the cloud in January 2021. 

While the data is currently stored in Australia, Mr Mallard hopes to move it to NZ’s own Microsoft data centre once construction is completed next year. 

Meanwhile, several hyper-scale data centres are being set up across the country. The centres are expected to be online by mid-2023.

The Parliamentary Service has been advised to follow the New Zealand Information Security Manual guidance to carefully consider risks before adopting cloud services. 

While National has begun rolling out the cloud toolset, staff supporting Labour and Green Party MPs aren’t currently eligible until a data centre is opened within the country. This is because government parties are more likely to hold information classified above a restricted level, which cannot be stored in a cloud service under government rules. 

This isn’t the first time the NZ Parliament has struggled with this issue. In 2019, it paused a planned migration to Microsoft 365 cloud services after the Australian Government passed a law that empowered its authorities to request access to encrypted information. 

This, in turn, raised questions about the legal status of Parliamentary privilege for data stored in Australia.