New Zealand Government Information Security and Privacy Considerations

In April 2023, the New Zealand government agreed to a refreshed cloud first policy. This policy and previous decisions require New Zealand government organizations to take the following actions before using public cloud services:

  • Move away from on-premises systems and infrastructure
  • Safely store information
  • Have and use a cloud plan
  • Consider Te Ao Māori perspectives
  • Adopt sustainability principles
  • Assess the risks

The New Zealand government requires that certain organizations comply with the New Zealand Government Information Security and Privacy Considerations. This requirement applies to organizations that fall under the Government Chief Digital Officer (GCIO) mandate, including the public and nonpublic service departments, district health boards, and Crown entities. These organizations must adhere to the framework when they're deciding on the use of a cloud service. Several questions in the framework relate to the Privacy Act 2020. Microsoft's responses to these questions are based on the New Zealand Privacy Act 2020 where applicable.

The New Zealand government also published a set of guidelines for agencies on how to adopt cloud services. This framework includes the following steps:

  • Classify information properly
  • Know the benefits of using public cloud services
  • Use your organization’s cloud plan
  • See how to buy public cloud services
  • Use the risk discovery tool
  • Use your organization’s process for assessing risks

The New Zealand government expects all State Service agencies to work within this framework when assessing and adopting cloud services. Requirements for Cloud Computing outlines what agencies must do when adopting cloud services along with an overview of the history of the government's cloud policy.

Required risk assessment

To assist New Zealand government agencies in conducting consistent and robust due diligence on potential cloud solutions, the GCIO published the Risk Discovery Tool for Public Cloud Services. This tool contains around 100 questions focused on data sovereignty, privacy, security, governance, confidentiality, data integrity, availability, and incident response and management. This tool doesn't define a New Zealand government standard against which cloud service providers must demonstrate formal compliance. Many of the questions set out in the document do, however, point toward the importance of understanding how cloud service providers comply with a wide array of relevant standards.

Microsoft's responses to the risk assessment

To help agencies undertake their analysis and evaluation of Microsoft enterprise cloud services, Microsoft is producing documents showing how its enterprise cloud services address the questions set out in the risk assessment tool by linking them to the standards against which Microsoft cloud services are certified. These certifications are central to how Microsoft assures both public and private sector customers that its cloud services are designed, built, and operated to effectively mitigate privacy and security risks and address data sovereignty concerns.

If your agency is required to undertake certification and accreditation of its Information and Communications Technology (ICT) system under the New Zealand Information Security Manual, then you can use these responses as part of your analysis.


Microsoft is working on publishing updated content for Azure, Dynamics 365, Microsoft 365, and Microsoft Fabric. Check back soon for the latest information.