Dear Government Communications Security Bureau,

Recently, RNZ published an article about a lengthy OIA covering "unvetted third parties", which is available here: https://www.rnz.co.nz/news/national/5902...

I have a few questions in regards to this OIA.

1) I would like to request a copy of the response that was provided to RNZ

The further questions I have are quite hard to be precise about, because I don't know exactly how the GCSB responded in their report but I noted the following excerpts in the mentioned article:

> "Providing this information would likely have commercial implications for these vendors"

> "I am refusing those parts of your request where you have asked for information that has been provided to the GCSB in confidence by agencies," was the reply, otherwise it might prejudice the supply of such info in future.

> The unvetted third parties were not disclosed, and neither were the risks to service delivery that Treasury had told ministers were in play.

2) What considerations did the GCSB weigh, and/or tests did it apply to determine that it is not in the public interest to disclose information that might have commercial implications for vendors? Under Section 9(1) of the Official Information Act, commercial interests is one of the possible options for withholding information but only if it is not found that "in the circumstances of the particular case, the withholding of that information is outweighed by other considerations which render it desirable, in the public interest, to make that information available."

3) I would like to mention Section 3 of NZLC Report 40 Appendix F Office of the Ombudsman Practice Guidelines No 3 (https://www.nzlii.org/nz/other/nzlc/repo...) which provides some guidelines around "considering requests for commercial information" as far as the Ombudsman's approach at the time of the report, some of which is still timely I believe.

In general, it emphasises that the spirit of the commercial exemptions in Section 9 are not strictly intended to provide protection for commercial entities and information they provide by default:

> the clear intention was not to protect all commercial information held by the central and local government as a special exempt class of information.

and

> While Parliament recognised that there is a legitimate interest in citizens, including central and local government departments and organisations, being able to conduct commercial activities without prejudice or disadvantage, it also recognised that not all information relating to commercial activities needed to be protected to avoid prejudice or disadvantage.

Further, it notes that it is up to each agency (and the Ombudsman for review) to decide how much information should need to be retained to avoid prejudice, rather than all information being retained by default.

> it may not be necessary to withhold all the information; or it may be possible to provide a summary of the information without disclosing those elements which prejudice the particular interest of concern.

With all that said, I would like to ask:

4) With the above in mind, is there any part of the RNZ OIA response that the GCSB would respond differently to?

5) Would the GCSB be able to provide a summary of the various concerns that were described ie ("risks to service delivery", "offshor[ing of] some services" resulting in government data "being managed or held by unvetted third parties", "poor security controls" and "unpatched software" etc) without identifying who the involved parties are? I would imagine that an anonymised description would be enough to remove the concern for prejudicing commercial interests if done in the right way.

6) Could you elaborate a bit more on what the mentioned "digital investment and procurement" underway entails, if it is not already answered in the RNZ OIA

Yours faithfully,

Marcus