The Parliamentary Service rollout of Microsoft cloud tools is progressing in stages, with Labour and the Greens unable to use them until a data centre is built in New Zealand
The Prime Minister was advised that storing Parliamentary Service data offshore could come with "jurisdictional risk", because the information wouldn't fall solely under New Zealand's legal regime.
A briefing from the Department of the Prime Minister and Cabinet, obtained under the Official Information Act, shows Speaker of the House Trevor Mallard sought the Government's advice on what to do with Parliamentary data late last year.
Parliament staff had "found it increasingly difficult and costly to deliver required capabilities only on-premises over the past two years. Technology vendors are rapidly shifting investment to Cloud products and retiring support for legacy on-premises versions."
A draft response to Mallard from Ardern, Government Communications Security Minister Andrew Little and Digital Economy Minister David Clark went further in describing woes with the current situation.
"The obsolescence of the non-cloud Parliamentary toolset is a source of tremendous frustration for Members and staff (as encapsulated in Recommendation 58 of the Francis Review)," the draft stated.
"Inadequate work tools hamper productivity but also introduce external security risks, for example when individuals have little choice but to use non-approved apps to get work done. Better productivity, collaboration and mobility can only be achieved through adoption of cloud services and should occur as soon as is safely possible."
"It's my preference to do that when the ability for the cloud-based service – and I'm not a tech expert – are in New Zealand, not offshore and subject to offshore laws." – Trevor Mallard, Parliament's Speaker
At issue is New Zealand's current lack of hyper-scale data centres. Several are in the works, but the most advanced still won't be online until mid-2023.
In his letter to the Government, Mallard said Parliament had begun a rollout of Cloud tools already. The ACT Party had launched a trial with Microsoft 365 in November 2020 and core Service Corporate and Office of the Clerk staff started to gain access to the cloud in January 2021.
All of this data is currently stored in Australia, but Mallard hopes to move it to New Zealand's own Microsoft data centre when construction is completed next year.
As long as data is stored offshore, it could lead to "jurisdictional risks ... where data is subject to the laws of other countries in which cloud service providers may store, process, or transmit data," the DPMC briefing stated.
Much of the briefing is redacted, but it indicates the Parliamentary Service was advised to follow the Government's New Zealand Information Security Manual guidance.
"The Manual notes that the majority of jurisdictional, sovereignty and privacy risks cannot be wholly and completely managed with controls available today," officials wrote. "The agency head or chief executive must therefore carefully consider those risks before adopting Cloud services as, ultimately, it is the responsibility of agencies to assess risks and determine whether they should accept them."
In the meantime, National has begun rolling out the cloud toolset but staff supporting Labour and Green Party MPs aren't currently eligible. The concern is that government parties are more likely to hold information classified above a restricted level, which cannot be stored in a cloud service under government rules.
"It's my preference to do that when the ability for the cloud-based service – and I'm not a tech expert – are in New Zealand, not offshore and subject to offshore laws," Mallard told Newsroom on Thursday.
While he said there was a possibility the Greens could get access before Microsoft's data centre comes online, a spokesperson for the Greens said they were not currently able to because some of their MPs were in the executive.
Mallard also said it would make sense for all government parties to be on one system, rather than Green ministers using cloud-based tools and Labour ministers stuck with the on-premises software.
This isn't the first time Parliament has struggled with this issue. In 2019, it paused a planned migration to Microsoft 365 cloud services after the Australian government passed a so-called backdoor law. That legislation empowered Australian authorities to request access to encrypted information.
A Parliamentary Service spokesperson told Reseller News in 2020 that the law had raised questions about the legal status of Parliamentary privilege for data stored in Australia.
The United States has a legal regime that reaches even farther. Its 2018 CLOUD Act asserts legal jurisdiction over data held by any American technology company, even if the data is stored in another country. Microsoft and Amazon, the two largest cloud providers building data centres in New Zealand, are both covered by that law.