1 Application

1.1 Effective date

1.1.1 This Standard is effective 3 February 2025 and replaces the New Zealand Government Web Usability Standard 1.3.

1.2 Mandated organisations

1.2.1 Every Public Service department, the New Zealand Police, the New Zealand Defence Force, the Parliamentary Counsel Office, and the New Zealand Security Intelligence Service is directed by Cabinet [CAB Min (03) 41/2B] to implement this Standard.

2 Requirements for publicly facing websites

2.1 Scope

2.1.1 The requirements in Sections 2.2 to 2.5 apply to each publicly facing website (the ‘Website’) that a mandated organisation (the ‘Mandated Organisation’) is responsible for.

2.2 Government identity

2.2.1 The Website’s home page must include the name or logo of the Mandated Organisation.

2.2.2 The Website’s home page must include a visible link to Govt.nz.

2.2.3 The link to Govt.nz on the Website’s home page should use a suitable New Zealand Government Identity logo implemented using the recommended New Zealand Government logo markup.

2.3 Contact information

2.3.1 The Website must provide access to information (‘Contact Information’) for obtaining help related to the Website and contacting the Mandated Organisation.

2.3.2 The Contact Information must be either:

• provided on the Website’s home page, or
• linked to from the Website's home page with a visible link whose text clearly indicates that its target is the Contact Information (for example, the link’s text is ‘Contact us’, ‘Whakapā mai’, or equivalent).

2.3.3 The Contact Information must include all the following for the Mandated Organisation:

1. an email address monitored daily during business hours where emails received are acknowledged within 3 business days with an indication of when a full response can be expected
2. a postal address monitored daily during business hours
3. a physical street address open to the public during business hours, if one exists
4. the number of a monitored telephone line available during business hours
5. the telephone number for each call centre that supports a service provided by the Website, and
6. a link to the New Zealand Relay Service (NZ Relay) for people who are deaf or hard of hearing, deafblind, or who have a speech impairment.

2.4 Copyright

2.4.1 The Website must provide access to a general copyright statement (‘General Copyright Statement’).

2.4.2 The General Copyright Statement must be either:

• provided on the Website’s home page, or
• linked to from the Website’s home page with a visible link whose text clearly indicates that its target is the General Copyright Statement (for example, the link’s text is ‘Copyright’, ‘Manatārua’, or equivalent).

2.4.3 The General Copyright Statement must specify that:

1. it applies to the content of the Website (for example, ‘Copyright material on service.govt.nz and organisation.govt.nz is protected by copyright owned by the Ministry on behalf of the Crown.’)
2. copyright material on the Website is protected by copyright, and
3. licensing terms under which the Website’s material can be re-used by others.

2.4.4 If the Website contains third party copyright material, the Website must specify, either within the General Copyright Statement and/or within or near to each item of third party copyright material:

1. the source and copyright status of such material in a way that avoids ambiguity as to which content items are subject to third party copyright
2. that the Website’s re-use licence does not apply to material that’s subject to third party copyright, and
3. that permission to re-use third party copyright material cannot be given by the Mandated Organisation.

2.4.5 The General Copyright Statement should specify that the general licensing terms do not apply to material on the Website that’s covered by the Flags, Emblems, and Names Protection Act 1981.

2.4.6 The New Zealand Government Open Access and Licensing framework (NZGOAL) should be applied when selecting the licensing terms that apply to copyright material on the Website.

2.5 Privacy

2.5.1 The Website must provide access to:

• a privacy statement (‘Organisation Privacy Statement’) that describes how the Mandated Organisation collects and uses personal information, and
• a privacy statement (‘Website Privacy Statement’) that describes how personal information is collected through the Website and how it is used.

2.5.2 The Organisation Privacy Statement must be provided on a publicly facing website that the Mandated Organisation is responsible for.

2.5.3 The Website Privacy Statement must be either:

• provided on the Website’s home page, or
• linked to from the Website’s home page with a visible link whose text clearly indicates that its target is the Website Privacy Statement (for example, the link’s text is ‘Privacy statement’, ‘He tauākī matatapu’, or equivalent).

2.5.4 The Website Privacy Statement must include a link to the Organisation Privacy Statement.

2.5.5 The Organisation Privacy Statement must specify, directly or through links to the Website Privacy Statement:

1. all the ways that the Mandated Organisation collects personal information, including through websites, other digital and non-digital channels
2. the purposes for collecting that personal information
3. who will hold that personal information (for example, the Mandated Organisation and/or third parties)
4. whether the collection of that personal information is voluntary or mandatory (either under a particular law or because it’s not possible to provide services without it)
5. whether that personal information will be disclosed to any third party and, if so, which third party, the purpose of that disclosure, any law requiring that disclosure, and contact information for that third party
6. how long that personal information will be held
7. individuals’ rights to request access to or to correct personal information held by the Mandated Organisation responsible for the Website, and contact details so individuals can make requests.

2.5.6 The Website Privacy Statement must specify, directly or through links to the Organisation Privacy Statement:

1. how personal information is collected through the Website
2. the purposes for collecting that personal information
3. whether cookies are used by the Website, including their type (for example, persistent, third party), purpose, and duration.
4. any collection or use of information which, if combined with other information, could be used to identify individuals—this includes, but is not limited to, information such as:
   • IP address
   • operating system
   • device sensors (for example, GPS, camera, microphone)
   • web browser
   • pages visited and search terms.

3 Requirements for all websites

3.1 Scope

3.1.1 The requirements in Sections 3.2 and 3.3 apply to each publicly facing and internally facing website (the ‘Website’) that a mandated organisation (the ‘Mandated Organisation’) is responsible for.

3.2 Links to non-HTML files

3.2.1 Except for links on archived web pages, links to non-HTML files must be accompanied by information indicating the file’s format and size.

3.3 Printable web pages

3.3.1 The main content of each web page, except for archived web pages, should be printable in its entirety on A4 size paper.

3.3.2 Printed web pages should include by default the following information. The:

• web page’s complete URL
• web page’s title as specified in the HTML < title > element
• name of the Mandated Organisation
• copyright notice.

3.3.3 Printed web pages should not include by default the following web content:

• primary content navigation
• secondary content navigation
• decorative elements
• search form.

3.3.4 A web page’s text content should be printable by default as black text on a white background.

4 Requirements for assessment and reporting

4.1 Conformance, risk assessment and management plan

4.1.1 Each mandated organisation must, when notified by the Government Chief Digital Officer (GCDO):

1. assess how the websites and web pages it’s responsible for conform to this Standard
2. submit to the GCDO a report on the conformance to this Standard of the websites or web pages it’s responsible for
3. submit to the GCDO a risk assessment and risk management plan regarding the non-conformances to this Standard of the websites or web pages it’s responsible for.

4.2 Methodology

4.2.2 The GCDO will provide each mandated organisation with the methodology for completing the requirements in Section 4.1.

5 Glossary

Archived web page

A web page that meets all the following conditions:

• it’s no longer needed for active administrative purposes
• it’s neither modified nor updated after the date of archiving
• its main content is marked as archived
• its main content includes accessible instructions for users to request an accessible version of that main content.

Assess

In the context of conformance, assess means to determine the rate, level or amount of conformance to a given standard, guideline, or specification.

Home page

A website’s main landing or entry web page.

For many websites, this is the web page at the root domain or subdomain level, for example, http://ministry.govt.nz/ or http://site.ministry.govt.nz/.

For some websites, for example, single web page applications, the home page is the initial state of the web application.

Internally facing

Can be accessed only by people who are employees, staff, or authorised personnel of a New Zealand Government public sector organisation.

For example, an intranet is an internally facing website.

Main content

The content specific to a web page and directly related to that web page’s principal topic or functionality.

Mandated organisation

The Public Service department, the New Zealand Police, the New Zealand Defence Force, the Parliamentary Counsel Office, or the New Zealand Security Intelligence Service, directed by Cabinet to apply the Web Standards.

Must

As defined in IETF RFC 2119, indicates an absolute requirement.

Publicly facing

Can be accessed by members of the general public.

This includes a website or web page behind a login authentication mechanism that controls access by members of the general public.

Responsible for

Most legally accountable for the website or web page in question.

Risk assessment

An evaluation of the potential risks of non-conformance with a standard’s requirements.

Risk management plan

A plan to mitigate the potential risks of non-conformance with a standard’s requirements.

Should

As defined in IETF RFC 2119, indicates a recommended course of action that there may be valid reasons under certain conditions to ignore, the full implications of which must be understood and carefully weighed before doing so.

Should not

As defined in IETF RFC 2119, indicates a course of action that’s not recommended but that may be acceptable or even useful to take under certain conditions, the full implications of which must be understood and carefully weighed before doing so.

Website

A group of web pages that share a common topic or purpose. This includes web services and single page applications.

A website can have smaller sub-sites within it, each serving as an individual website. For instance, a government department’s corporate website (for example, agency.govt.nz) might comprise multiple sections (for example, agency.govt.nz/service-a and agency.govt.nz/service-b) that are owned or administered by organisationally distinct units within the department. For the purposes of this Standard, these individual sections may be considered separate websites.

Note that collections of one or more web pages located at different fourth-level domains belonging to the same third-level domain (for example, projectA.agency.govt.nz and serviceB.agency.govt.nz) constitute separate websites.

See the definition of website in the Website Accessibility Conformance Evaluation Methodology (WCAG-EM) 1.0.

Web page

A file downloaded from a single URI (Uniform Resource Identifier) using HTTP (Hypertext Transfer Protocol), along with any extra files needed to display it properly in a web browser.

Web pages include web applications, web services, and single page applications.

Most web pages are downloaded from a URL (Uniform Resource Locator) that starts with https://.

See the definition of web page in WCAG 2.2.