Tēnā koe Marcus,

 

Thank you for your Official Information Act request.

 

We will endeavour to respond to your request as soon as possible and, in
any event, no later than 20 working days after the day that your request
was received. If we are unable to respond to your request by then, we will
notify you of an extension of that timeframe.

 

If you have any queries, please feel free to contact
[1][GCSB request email].

 

Ngā mihi,

GCSB

 

-----Original Message-----
From: Marcus <[FYI request #34231 email]>
Sent: Wednesday, 25 March 2026 1:08 AM
To: Information (GCSB) <[GCSB request email]>
Subject: Official Information request - Unvetted Third Parties Test

 

[You don't often get email from
[2][FYI request #34231 email]. Learn why this is
important at [3]https://aka.ms/LearnAboutSenderIdentific... ]

 

Dear Government Communications Security Bureau,

 

Recently, RNZ published an article about a lengthy OIA covering "unvetted
third parties", which is available here:
[4]https://aus01.safelinks.protection.outlo...

 

I have a few questions in regards to this OIA.

 

1) I would like to request a copy of the response that was provided to RNZ

 

The further questions I have are quite hard to be precise about, because I
don't know exactly how the GCSB responded in their report but I noted the
following excerpts in the mentioned article:

 

> "Providing this information would likely have commercial implications
for these vendors"

 

> "I am refusing those parts of your request where you have asked for
information that has been provided to the GCSB in confidence by agencies,"
was the reply, otherwise it might prejudice the supply of such info in
future.

 

> The unvetted third parties were not disclosed, and neither were the
risks to service delivery that Treasury had told ministers were in play.

 

2) What considerations did the GCSB weigh, and/or tests did it apply to
determine that it is not in the public interest to disclose information
that might have commercial implications for vendors? Under Section 9(1) of
the Official Information Act, commercial interests is one of the possible
options for withholding information but only if it is not found that "in
the circumstances of the particular case, the withholding of that
information is outweighed by other considerations which render it
desirable, in the public interest, to make that information available."

 

3) I would like to mention Section 3 of NZLC Report 40 Appendix F Office
of the Ombudsman Practice Guidelines No 3
([5]https://aus01.safelinks.protection.outlo...)
which provides some guidelines around "considering requests for commercial
information" as far as the Ombudsman's approach at the time of the report,
some of which is still timely I believe.

 

In general, it emphasises that the spirit of the commercial exemptions in
Section 9 are not strictly intended to provide protection for commercial
entities and information they provide by default:

 

> the clear intention was not to protect all commercial information held
by the central and local government as a special exempt class of
information.

 

and

 

> While Parliament recognised that there is a legitimate interest in
citizens, including central and local government departments and
organisations, being able to conduct commercial activities without
prejudice or disadvantage, it also recognised that not all information
relating to commercial activities needed to be protected to avoid
prejudice or disadvantage.

 

Further, it notes that it is up to each agency (and the Ombudsman for
review) to decide how much information should need to be retained to avoid
prejudice, rather than all information being retained by default.

 

> it may not be necessary to withhold all the information; or it may be
possible to provide a summary of the information without disclosing those
elements which prejudice the particular interest of concern.

 

With all that said, I would like to ask:

 

4) With the above in mind, is there any part of the RNZ OIA response that
the GCSB would respond differently to?

 

5) Would the GCSB be able to provide a summary of the various concerns
that were described ie ("risks to service delivery", "offshor[ing of] some
services" resulting in government data "being managed or held by unvetted
third parties", "poor security controls" and "unpatched software" etc)
without identifying who the involved parties are? I would imagine that an
anonymised description would be enough to remove the concern for
prejudicing commercial interests if done in the right way.

 

6) Could you elaborate a bit more on what the mentioned "digital
investment and procurement" underway entails, if it is not already
answered in the RNZ OIA

 

Yours faithfully,

 

Marcus

 

-------------------------------------------------------------------

 

This is an Official Information request made via the FYI website.

 

Please use this email address for all replies to this request:

[6][FYI request #34231 email]

 

Is [7][GCSB request email] the wrong address for Official Information
requests to Government Communications Security Bureau? If so, please
contact us using this form:

[8]https://aus01.safelinks.protection.outlo...

 

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:

[9]https://aus01.safelinks.protection.outlo...

 

If you find this service useful as an Official Information officer, please
ask your web manager to link to us from your organisation's OIA or LGOIMA
page.

 

 

-------------------------------------------------------------------

 

--------------------------------------------------------------------------

This electronic message, together with any attachments, contains
information that is provided in confidence and may be subject to legal
privilege. Any classification markings must be adhered to. If you are not
the intended recipient, you must not peruse, disclose, disseminate, copy
or use the message in any way. If you have received this message in error,
please notify us immediately by return email and then destroy the original
message.  The New Zealand Intelligence Community (NZIC) and the
departments comprising the NZIC accepts no responsibility for changes to
this e-mail, or to any attachments, after its transmission from NZIC. This
communication may be accessed or retained for information assurance
purposes. Thank you.

--------------------------------------------------------------------------

References

Visible links
1. mailto:[GCSB request email]
2. mailto:[FYI request #34231 email]
3. https://aka.ms/LearnAboutSenderIdentific...
4. https://www.rnz.co.nz/news/national/5902...
5. https://www.nzlii.org/nz/other/nzlc/repo...
6. mailto:[FYI request #34231 email]
7. mailto:[GCSB request email]
8. https://fyi.org.nz/change_request/new?bo...
9. https://fyi.org.nz/help/officers

hide quoted sections