Cloud Jurisdictional Risk guidance

This guidance provides advice from the digital, privacy, and security System Leaders about potential jurisdictional risks associated with the use of cloud service providers.

Purpose of this guidance update

This guidance is intended to support agencies’ case-by-case risk assessments and cloud adoption decisions.

The Cloud Jurisdictional Risk guidance was previously updated in 2017. This 2024 guidance update:

  • provides practical advice and controls, to support agencies’ risk assessments and cloud adoption decisions
  • links to other relevant advice to support agency decisions — such as the Cloud Risk Discovery Tool and other resources.

Cloud Jurisdictional Risk guidance — historical context

In April 2023, the Government’s Cloud First policy was refreshed to reflect changes in technology, society and governmental priorities.

Under the refreshed Cloud First policy, government organisations must adopt public cloud services on a case-by-case basis, following the completion of a risk assessment.

Cabinet also directed the Government Chief Digital Officer (GCDO) to produce updated guidance for agencies about the jurisdictional risk of cloud services and to do this update with support from the National Cyber Policy Office, National Cyber Security Centre and the Ministry of Foreign Affairs and Trade.

For more information

The actions outlined in this guidance inform the assurance and risk assessment approach of the GCDO in procuring public cloud services.

These services are available to agencies through all-of-government agreements. Contact the GCDO or check out the Marketplace website for more information on the benefits of public cloud services for agencies.

Ways to buy public cloud services

Contact us

For inquiries or questions, email:

Cloud First policy

Under the Cloud First policy, government organisations must adopt public cloud services on a case-by-case basis, following the completion of a risk assessment. Agencies are expected to avoid investing in on-premises IT infrastructure where possible.

Cloud First policy

Under the Cloud First policy, in considering the use or adoption of cloud services, agencies are required to:

  • only store data classified as RESTRICTED or below in a public cloud service, whether it’s hosted onshore or offshore
  • over time, host RESTRICTED information in a New Zealand-based data centre, where a suitable onshore service exists
  • have a plan for how to use public cloud services in your organisation
  • consider te ao Māori perspectives for Māori data when making decisions about adopting cloud services
  • consider high-level sustainability principles in cloud-adoption decisions
  • make adoption decisions on a case-by-case basis following a risk assessment.

The use or adoption of cloud services does not hinge solely on consideration of jurisdictional risk. Consideration of jurisdictional risk is one part of the risk assessment that’s undertaken. The Cloud Risk Discovery Tool helps you to identify risks and the security controls to consider when using a public cloud service.

Risk discovery tool for public cloud services

Each agency will need to consider its unique requirements and risk appetite.

For more guidance on how to undertake a risk assessment, see:

Risk assessments for government organisations.

Definitions and scope

This guidance is focussed on the risk of legal access by other states to New Zealand Government data.

Jurisdictional risks

Jurisdictional risks can occur where data is subject to the laws of the country where cloud service providers store, process, or transmit data.

Jurisdictional risks may lead to situations which are disadvantageous to New Zealand’s national interests or inconsistent with New Zealand’s laws — as it’s not possible to fully contract out of the legal framework of another country. For this reason, it’s important that agencies engage with cloud providers to ensure they know in which country their data is transmitted, processed, or stored (a concept sometimes referred to as data residency) and are aware of the laws of the country to which their data will be subject.

Extra-territorial jurisdiction

It’s important that agencies understand that data accessible in a State, which is stored or processed in another State, could be obtained by government agencies in both States.

The authors of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, an authoritative text on cyber issues, concluded the exercise of law enforcement jurisdiction on another State’s territory constitutes a violation of that State’s sovereignty — except when international law provides a specific allocation of authority to exercise enforcement jurisdiction extraterritorially or when the State in which it’s to be exercised consents.

Tallinn Manual 2.0 — Cambridge University Press

However, the authors of the Tallinn Manual agreed that data lawfully accessible in State A and stored or processed in State B does not engage extra-territorial considerations. This approach is reflected in the Search and Surveillance Act 2012, which enables access to data by a law enforcement officer executing a search warrant on a device that forms part of a computer system in New Zealand. No distinction is drawn between servers that might be located in New Zealand and those which might be offshore.

Data surveillance

This guidance is concerned with lawful access to data by other governments. It does not address the risks of data surveillance (espionage) or data theft by other governments or actors. The risks posed by data surveillance are out of scope of this advice.

Identifying jurisdictional risks

Agencies must carry out jurisdictional risk assessments when they adopt cloud services via:

  • all-of-government agreements
  • Marketplace contracts
  • individual services, including free trials
  • contract renewals.

The objectives of identifying and assessing jurisdictional risks are to:

  • enable informed decision making about selecting a provider
  • ensure agencies apply the relevant controls to help manage jurisdictional risks.

Jurisdictional risk is one class of risk that needs to be considered in procuring cloud services. Being aware of and understanding the risks posed by data residing in or transiting through a jurisdiction is helpful for managing that risk, but it does not remove the need for good cyber security practice. It’s important to be aware that jurisdictional risks:

  • may span multiple jurisdictions depending on where data transits and resides
  • are still present in onshore data centres where IT products and services are owned by offshore vendors.

The nature of cloud services is that they may be delivered globally or across multiple jurisdictions. Data centres and cloud services are growing rapidly and expanding into a broader range of jurisdictions. Agencies may need to include multiple jurisdictions for their risk assessment, as cloud providers have multiple points of presence and can shift data due to latency requirements — or the provider may have subsidiaries in other countries.

Assessing jurisdictions

Agency risk assessments of public cloud services should be informed by an assessment of how governments lawfully access data which is stored, processed, or transmitted in their territory.

Agencies must also understand their own organisation’s security needs to determine the level of confidence that a cloud service is appropriate for the information being stored. After completing their risk assessments, agencies may decide that some jurisdictions are only appropriate for some types of data.

The level of jurisdictional risk can vary depending on:

  • the nature of the information being placed in the jurisdiction
  • the type of cloud service provided
  • the ease with which an agency can bring information back to New Zealand
  • changes in legal frameworks or political leadership of another jurisdiction — which could affect their interest in gaining information about New Zealand Government activities.

It’s recommended that agencies assess jurisdictions using all of the following 3 criteria:

  • lawful access — an assessment of the laws that regulate a government’s lawful access to data
  • legal institutions — an assessment of the robustness of legal institutions that oversee a government’s lawful requests for access to data
  • privacy frameworks — an assessment of the protections available to personally identifiable information.

Global/region-less/multi-region cloud services

The nature of cloud services is that many cloud services may be delivered globally or across multiple jurisdictions. Data centres and cloud services are growing rapidly and expanding into a broader range of jurisdictions.

As a result, agencies should identify each relevant jurisdiction and assess the risks associated with each.

For example, for many cloud services, it would be relevant to consider the jurisdictional risks associated with the United States (as it’s often the home jurisdiction of the provider) along with other relevant jurisdictions.

Other risks

The scope of this guidance is limited to jurisdictional risk, but there may be other risks and considerations that apply to selection and use of foreign cloud service providers. These may include business continuity risks, diplomatic, trade or other implications.

State-specific threat guidance is available for officials. Send a request to fi@dpmc.govt.nz.

We recommend consulting with the Department of the Prime Minister and Cabinet (DPMC) and/or the Ministry of Foreign Affairs and Trade (MFAT) if you’ve got any questions about this guidance or wider questions.

Assessing cloud service providers

In addition to assessing jurisdictions, agency risk assessments of public cloud services should be informed by an assessment of how cloud service providers respond to requests by other governments for access to the data they store, process or transmit.

After completing their risk assessments, agencies may decide that some public cloud services are only appropriate for some types of data.

It’s recommended that agencies assess cloud service providers using the following 5 criteria.

  1. Location — an assessment of whether the provider identifies the location where customer data is stored and backed up, including the points of presence at which the data may be transmitted, processed or stored.
  2. Informed — an assessment of whether the cloud provider informs its customers in the event of lawful requests to access customer data.
  3. Disclosure — an assessment of whether the provider only discloses customer data when required by a warrant.
  4. Reviewed — an assessment of whether the provider dedicates resources to reviewing lawful requests to access customer data.
  5. Deletion — an assessment of whether the provider deletes customer data after the termination of contract.

How to manage risks

A best practice cloud service provider will:

  • commit in its service terms to never disclose customer data except as directed by the customer or required by the law (noting any potential exceptions, such as imminent threat to life, and the processes that must be followed in these cases)
  • set out a process for responding to government requests that includes:
    • always attempting to redirect the requesting agency to contact the customer
    • if possible, seeking to narrow the scope of government demands
    • always contacting the user when information is released (unless legally prevented from doing so)
    • disclosing only that information which is specified in the legal order.
  • have a dedicated team for reviewing government demands for user data
  • report publicly on the frequency of data requests by country and the results of data requests (particularly for commercial services)
  • allow the customer to determine where their content will be stored and specify the circumstances when it may be moved to another jurisdiction
  • notify customers of any relevant local law changes affecting their data or cloud services.

Additional considerations

In addition to assessing the cloud service provider, agencies should take steps to manage risks, including:

  • knowing in which country their data is transmitted, processed, or stored (a concept sometimes referred to as data residency) and being aware of the laws of the country to which their data will be subject
  • monitoring for law changes in the jurisdictions where they transmit, process and store data, and re-assessing risk as required
  • checking whether providers with data centres in New Zealand have been certified by the Government Chief Digital Officer (GCDO). See: Public Cloud Data Centre Certification.
  • applying the controls in the Cloud Risk Discovery Tool. This will not mitigate legal risks, but it can inform agency risk assessments, including the need to:
    • understand the range of logging capabilities provided by cloud service providers and determine whether they’re sufficient for agency needs
    • ensure that logs associated with public cloud services are collected, protected, and that their integrity can be confirmed in accordance with the agency’s documented logging requirements.
  • ensure that cloud service provider logs are incorporated into overall enterprise logging and alerting systems or procedures. These should be logged in a timely manner to detect information security incidents
  • ensure that the mechanisms used to protect data meet agency requirements
  • update key management plans to account for differences in public cloud before storing organisational data in a public cloud environment
  • if relevant, ensure the service provider is clear about how backup and archiving services are provided, so that the agency can assure itself that its needs are met — and that the method introduces no additional risks (for example, another third party holding a copy of personally identifiable information (PII)).

Risk discovery tool for public cloud services

Māori interests in cloud

In making decisions on the use of a particular cloud service or provider, the assessment of risks (jurisdictional and others) needs to be considered alongside the benefits.

Māori Data Sovereignty is often raised in discussions of jurisdictional risk. For Māori, data is a taonga and where data is stored and processed, how it’s accessed and controlled impacts on Māori data sovereignty.

Māori data sovereignty

Te Kāhui Raraunga explains that Māori data sovereignty refers to the inherent rights and interests that Māori have in relation to the collection, ownership, and application of Māori data. This is regardless of where Māori data is processed or stored.

As agencies consider their use of cloud, they should also consider He Aratohu Kapua — guidance to support Te Tiriti-based Government Cloud adoption.

He Aratohu Kapua has been made available to public service agencies. Contact the GCDO if you require a copy.

Email: gcdo@dia.govt.nz.

More information about Māori data sovereignty has been published online by Te Mana Raraunga and Te Kāhui Raraunga.

Resources

Agencies can draw on a wide range of publicly available information to support their assessments.

Many cloud providers also publish documentation on a range of issues, for example requests for information from governments, privacy, and sometimes data residency and data sovereignty. In Australia and New Zealand, this is also known as compliance documentation.

The Cloud Risk Discovery Tool is a good start and includes many questions that providers should supply information on as part of an overall risk assessment.
