Thoughts on recent NZ IRD advice on using Cloud Computing services

My Twitter trigger finger went off at record speed earlier today:

NZ IRD gets Cloud Computing WRONG WRONG WRONG

…this in reaction to an open advisory notice from the New Zealand IRD (Inland Revenue Department) aimed at New Zealand businesses “using Cloud computing services to store business records in electronic form”.

The key phrase in this advisory is:

“It is the Commissioner’s view that only business records stored in data centres physically located in New Zealand will comply with the record keeping obligations in the Inland Revenue Acts. Taxpayers are responsible for ensuring they comply with their record keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be stored in data centres located in New Zealand.

The failure to keep the books and documents in New Zealand as required by the Inland Revenue Acts is an absolute offence under section 143 of the TAA. A person convicted of this offence is liable to a fine.”

In my opinion, although the advisory does raise some serious issues about disaster recovery, business continuity and data sovereignty, it’s clear to me that the law – or at least this interpretation – needs to change urgently. Otherwise NZ inc. will be unable to reap the substantial economic benefits of a 21st Century IT model, and will carry this backward-looking legislation like a dead weight while everyone else in the world runs on ahead…

It seems to me that the IRD’s position boils down to a largely mistaken understanding of technology risk: it assumes that data placed in trust with an (almost inevitably higher priced) on-shore provider is less at risk of loss or security leakage than data placed in trust with an industry-leading international vendor. As a technologist who has been working in the cloud space for over 4 years, my professional opinion is that this is plain wrong: the IT and security maturity of international scale vendors far exceeds the capabilities of our domestic players, who even now sometimes have extremely scary moments. I also think that these international vendors are far better at understanding their own commercial risks around reputation management and know that if they screw up, they’re dog food.

Therefore, any risks that the IRD is thinking of must be non-technical, non-commercial and hence political in character:

Yes, NZ Inc. would be at high risk if both (sigh…) the internet pipes were shut off by overseas governments / terrorist organisations. But then so would NZ Inc. if there was a shipping blockade or international sea pirates. At a base level, what fundamental difference is there between shipping containerloads of milk powder internationally (subject to shipping and customs inspections) and shipping cable fibre loads of data back and forth (subject to CIA inspections, natch…)? – other than the value of the items being shipped, the carbon emissions involved and the ongoing ecological vandalism caused by intensive farming, but hey….

(See also recent commentary from IDC on how this DIY IT position is unsustainable even in the public sector, the NZ Government’s own open-ended advice on using offshore ICT providers, and a recent article that quotes a DIA manager saying “the government may have to make sacrifices in such treasured concepts as privacy and sovereignty, so that public sector organisations can take advantage of the “convenience” of the cloud”. Some consistency is required!)

Several other counterarguments spring to mind immediately:

– Firstly: precedent – I seem to remember from my time working for a large multinational that all of their primary financial record keeping systems for all of Asia Pacific (including NZ) were certainly not based in NZ – in fact, their superstar CIO was proud of trumpeting the cost reductions from globalization of their IT consolidation from 90 datacentres down to only 6 worldwide.
How does a small NZ business renting a SaaS solution to get the same economies of scale as a major multinational differ from that multinational in terms of data domicile? Not a lot.

– Secondly: With hardly a week going by without NZ’s new government signing another free trade agreement, this is surely a directly discriminatory policy against NZ businesses getting the best value service from offshore.

Rod Drury and co at Xero were onto it immediately (impressive internet media management as always) with this delicately worded blog post: Working with the IRD on cloud computing. Given that Xero are market leaders in this space, and also that they host with Rackspace in the USA, their whole business model (and that of all c.20,000 of their NZ customers) was suddenly deemed illegal by some bureaucrat, no wonder.

“New Zealand legislation hasn’t kept up with developments in technology compared to other countries. We are working towards certification of our current customers and in the longer term expect to see the legislation amended to better reflect contemporary technology. We’d expect this to end up in a similar position to Australia where there is no onshore storage requirement, only that your records are available if requested. There are a number of fall back positions if the industry doesn’t get there.”

Fundamentally: IT and data management risk are just normal business risks to be managed by commercial businesses. The IRD seems to be saying that in fact, they know how to manage IT risk better than business owners and professional IT managers. That is wrong.
