In April 2023, Cabinet endorsed an update to the Government's "Cloud First" policy. The updated Cloud First policy, which applies to public service agencies and some Crown entities:
- Requires agencies to consider Māori data and sustainability when adopting cloud services
- Revokes the 2012 directive to use the 'Infrastructure as a Service' (IaaS) panel
- Provides that, over time, information classified as RESTRICTED should be hosted in New Zealand
- Requires that public service agencies and some Crown entities do not invest in on-premise ICT infrastructure unless specified criteria are met or it is otherwise approved by the Government Chief Digital Officer (GCDO).
Cabinet also reconfirmed the fundamental elements of the existing Cloud First policy (introduced in 2012), which directs agencies to:
- Adopt public cloud services in preference to traditional ICT systems when facing new procurements or contract extensions
- Create a plan for how they intend to use public cloud services
- Make adoption decisions on a case by case basis following a risk assessment
- Only store data classified as RESTRICTED or below in a public cloud service.
Below is additional detail on the changes introduced by the refreshed policy.
Māori data
Agencies must:
- Consider accountability, ethics, transparency, and collaboration in relation to Māori data when making decisions about the adoption of cloud services
- Make adoption decisions which consider high level sustainability principles in the public sector’s use of cloud services.
In terms of Māori data, the Department of Internal Affairs, in partnership with Statistics New Zealand and the Data Iwi Leaders Group, is developing guidance that will help agencies give effect to Māori interests. This seeks to provide mutual benefits to both Iwi and agencies, including increased trust in public service agencies and their use of cloud services, and appropriate protection of Māori data determined by tikanga and kawa (protocols).
Sustainability
In terms of sustainability, Cabinet directed officials from the Ministry for the Environment, Ministry of Business, Innovation and Employment, and Department of Internal Affairs to:
- Work with Iwi to develop principles to support sustainable adoption / use of cloud technologies
- Produce updated guidance in line with those principles to support agencies to adopt cloud technologies in sustainable ways through their procurement activities.
Revoking the 2012 IaaS directive
The refresh has revoked the 2012 directive to use services from the IaaS panel, to remove confusion for agencies transitioning to cloud services. Such confusion is said to arise due to some of the technology supplied through the IaaS panel agreements conflicting with more modern global definitions of public cloud services.
RESTRICTED information to be hosted in NZ data centres
The policy requires that, over time, information classified as RESTRICTED should be hosted in New Zealand, where a suitable onshore service exists. This change coincides with plans of major global cloud providers (Microsoft, Amazon Web Services (AWS), and Google Cloud) and other specialist hyperscale data centre providers to create onshore cloud infrastructure. The GCDO, supported by the National Cyber Policy Office, National Cyber Security Centre and Ministry of Foreign Affairs and Trade, will produce updated guidance for agencies on the jurisdictional risks of cloud services. Further, the creation of a centralised certification process for onshore hyperscale data centres is underway, which is intended to provide agencies with confidence in terms of security.
Transition from on-premise ICT infrastructure
Finally, the refresh seeks to reduce the investment in on-premise ICT infrastructure. Agencies must not invest in on-premise ICT infrastructure unless specified criteria are met, or the investment is otherwise approved by the GCDO. The GCDO will undertake a review of current and planned expenditure of on-premise infrastructure and will engage with agencies to provide guidance to support transition to cloud adoption and determine what future support may be required.
For more information please see:
This article was co-written by Krishant Singh (Solicitor), Damien Steel-Baker (Special Counsel) and Renee Stiles (Partner).
