Te tuku mā waho e whakahaere
Outsourcing business
Learn about your information and records management responsibilities when outsourcing business.
Impacts for information and records management when outsourcing
Your organisation may need to use an external party to carry out business functions and activities. This has implications for information and records management.
It’s important to identify and address information and records management requirements before you make any agreement to outsource business. Make sure any related contracts include provisions for contractors and service providers to make, keep and properly manage relevant information and records.
Using this guidance
This guidance helps New Zealand public offices and local authorities (public sector organisations) understand the implications of outsourcing for information and records management.
The information on this page is intended as general guidance for meeting your information and records management responsibilities when outsourcing – it’s not comprehensive advice on how to manage outsourcing. When entering contractual arrangements to outsource business, seek legal and procurement advice.
What outsourcing is
Outsourcing refers to the activities involved in arranging, procuring and managing the performance of work – or the provision of services – by an external contractor or consultant.
Outsourcing can take many forms. It often involves core business functions. For example, an organisation might outsource an infrastructure construction project or customer services.
Some activities can be outsourced to other public offices or local authorities. Although these organisations are covered by the Public Records Act 2005 (the Act), it’s still important to clarify information and records management responsibilities as part of these arrangements.
Your responsibilities when outsourcing business
Outsourcing a business function or activity does not mean your organisation is less responsible for ensuring it’s carried out properly. You still need to make sure all information and records requirements are met.
Key responsibilities
When outsourcing business, you’re responsible for ensuring that:
appropriate information and records of the outsourced functions or activities are made and securely managed and stored – both during and after the period of the contract
ownership is clearly addressed and understood.
You should also make sure that information and records:
are accessible as appropriate and when required
needed after the contract has ended are returned
are disposed of lawfully.
Risks of outsourcing business
If information and records of an outsourced business function or activity are not created or managed appropriately by your service provider, you could be exposed to risks including:
failure to meet legislative obligations
loss of information or incomplete information on which to base decisions, provide services, or defend actions
loss of public accountability and transparency.
Under the Act, an administrative head is considered to have failed in their obligations if their organisation does not meet information and records management expectations when outsourcing business.
The importance of your contract and establishing controls
The Act does not extend to a private sector service provider or outsourced organisation. This means you should clearly articulate what their information and records management obligations are in your contract with them to ensure they understand and meet legislative requirements.
Documenting appropriate requirements is the primary way your organisation can meet its information and records management obligations. Managing the contractual relationship is key to ensuring these requirements are met at all stages of the outsourced arrangement.
Outsourcing arrangements need to be monitored
You have a responsibility to follow up by monitoring service providers. You should also undertake other checks to ensure contractual arrangements are being met.
Outsourcing contracts
Your organisation’s relationship with your service provider is based on the contract you share. This is the official documentation of the agreement between the parties. Both the initial tender and contract are important for communicating information and records management requirements.
When making decisions about a provider, you need to be confident they can meet all legislative and policy needs. This includes proper management of information and records.
Clauses to include in your outsourcing contract
Any contract with an outsourced provider should include clauses relating to:
the information and records management requirements of the business being outsourced
compliance with the Act (and other relevant legislation)
compliance with standards for information and records management
ownership (including intellectual property) of information and records
timely information and records disposal
the return of information and records at the end of the contract
information and records security (including systems security and records storage security)
privacy management and protection of personal information
rights of access and arrangements for access to information and records
monitoring and inspection arrangements for compliance
the processes and penalties that apply when information and records requirements are not met.
Access rights and privacy provisions
Any contract between your organisation and an outsourced service provider needs to specify access rights and restrictions related to records and information. The contract must also require that:
privacy obligations are met
all private or sensitive information is protected.
Ensuring access to information held by a service provider
Under the Act, you must ensure any contract with an outsourced service provider states that your organisation has immediate right of access to all information and records they hold. Your contract should also address privacy, confidentiality and public access considerations.
This ensures you’ll have access to information and records to assess the service provider’s compliance with the requirements of the contract, and to meet other legal obligations.
Meeting privacy obligations and securing information
You need to make sure your service providers are aware of their obligations to meet the requirements of the Privacy Act 2020 and the Government Chief Privacy Officer where appropriate.
Information and records generated during business can be confidential because they relate to individuals or have significant commercial value. This is particularly important where these are used, linked, or analysed in conjunction with other information or databases.
This means contracts with service providers should include provisions to protect private or sensitive information. Where appropriate, they should also point to the relevant policy statements of your organisation.
You need to consider information security in all your outsourcing arrangements. This includes the use, transmission and storage of the information and records.
Storage arrangements for information and records
The Act requires safe storage and proper preservation of information and records. You should address this in your outsourcing arrangements.
You need to make sure your service providers:
store and manage information and records securely
manage information and records through migrations, system changes and upgrades
protect information and records from loss and disaster
handle and transport information and records in a safe and secure manner.
Authorised disposal processes for information and records
You have a responsibility to ensure that information and records are disposed of (for example, by destruction or transfer) in accordance with the Act. The best way to achieve this when outsourcing is to specify, in a contract, which information and records disposal processes the service provider can use – and which they cannot.
You must ensure providers do not unlawfully dispose of any information and records in their possession during an outsourcing arrangement. Unlawful disposal includes:
unauthorised destruction (for example, destruction contrary to the requirements in an authorised current disposal authority)
transfer to a third party
loss, damage, or alteration.
You need to:
be aware of the main methods for authorised disposal
communicate to service providers, through their contract, the authorised disposal processes they can use, as well as those that are prohibited.
Some outsourcing arrangements last a long time. In these cases, it can be practical to expect your service provider to periodically destroy information and records as authorised. Similarly, you might expect them to periodically transfer information and records back to your organisation.
Some forms of information and records disposal should be prohibited in an outsourcing contract. This should include any disposal which is carried out:
contrary to expectations set out in the outsourcing contract
corruptly or fraudulently
for concealing evidence of wrongdoing
for any other improper purpose.
The return of information and records at the end of a contract
Certain information and records created, received, or generated during outsourced business are essential to the ongoing conduct of that business. If you don’t ensure these are transferred back to your organisation at the end of the contract, it can seriously impact your business continuity and accountability. It would also constitute a breach of the Act.
Your outsourcing contract must make clear which information and records are to be returned at the end of the contract. We recommend you include provisions such as:
restrictions on the service provider using the information and records for commercial profit, unless otherwise allowed in the contract
arrangements for information and records to be returned in a certain manner or format
agreed timeframes for the return of the information and records
deletion of any copies of information and records from the service provider’s systems once transferred.
Sometimes at the end of a contract, an organisation can identify an ongoing need for information and records from the service provider. Reasons for this can include the:
need for future referral for any reason
continuing protection of sensitive or confidential information
use of the information and records to establish or protect the rights, entitlements or obligations of your organisation or an individual
need for information and records to properly manage facilities or capital works or to document the expenditure of public funds, such as the purchase of equipment or other assets
need for future research.
Checklist: What to include in a contract
In your contract with your service provider, make sure you have:
documented and provided details of the information and records management requirements for the contracted business
provided details of the information, data and records to be returned at the end of the contract – or periodically
specified any technical standards needed to enable interoperability between your information and records system and the service provider
specified what format information and records need to be returned in at the end of the contract
included a statement of who owns the intellectual property
included a statement about access rules and details of access arrangements for the information and records of the outsourced business, for the duration of the contract
included that the service provider must maintain basic control of information and related metadata to facilitate management, access and retrieval
included that the service provider must abide by your organisation's privacy management plan (or equivalent privacy statement) for the purpose of the contract
included that the service provider must classify or identify information and records as specified
authorised the service provider to carry out specific (lawful) disposal processes for specified information and records
specified restrictions on any use of information and records by the service provider for commercial or other purposes during the period of the contract
provided details of dispute resolution procedures
provided details of penalties for breach of contract, such as failure to return information and records at the completion of the contract
included that the service provider must manage, secure and store information and records of the outsourced business in accordance with the Act and relevant standards (such as the mandatory Information and records management standard)
provided details for measuring the service provider's compliance with the information and records management requirements of the contract – both during and at the end of the contract period.