Technology & Outsourcing 2022 Comparisons

New Zealand organisations continue to outsource in-house IT capability to local and global IT service providers and to consolidate previously multi-sourced environments with strategic partners. Key drivers tend to be reducing cost and complexity; taking advantage of specialist capabilities and modernising ageing estates; increasing efficiency and improving the security, performance and user experience associated with IT systems. This trend has been accelerated following New Zealand's COVID-19 pandemic-related lockdowns in 2020 and 2021, in connection with which, many organisations have been forced to invest in the digitisation of previously manual processes and associated back-end systems.

There has been a continued shift towards cloud computing, with organisations now tending to move away from owning or contracting for physical IT assets, in favour of leveraging third-party cloud environments (IaaS) and utilising software (SaaS) and platform (PaaS) solutions. Among other things, this allows organisations to enjoy the cost-efficiencies and other benefits associated with a fully scalable model. Further areas of development include solutions that increasingly offer value-added services powered by AI and machine learning; core systems and functions such as payroll/HR, enterprise resource planning (ERP), finance and – increasingly – security, commonly being outsourced to third parties on an end-to-end "as-a-service" basis; and a focus on Internet of Things (IoT) capability. Increasingly, organisations that have IT at the core of their service offering are also demonstrating a desire to outsource both back-end and customer-facing IT functions to third-party IT outsource service providers. 

Business process outsourcing has grown in line with IT outsourcing developments. However, solutions being procured are increasingly digitalised and a general convergence of BPO and IT outsourcing has been seen in many areas, including in relation to HR, ERP and finance functions. As with IT outsourcing, this trend has been accelerated since New Zealand's COVID-19-related lockdowns in 2020 and 2021, in connection with which, many organisations were forced to invest in the digitisation of previously manual processes.

Emerging technologies, including AI, blockchain, IoT and next-generation robotics, are not new to the New Zealand market and it is well understood that such technologies provide opportunities to solve business issues, improve efficiency and increase profitability. 

However, the adoption of these technologies has not been as widespread in New Zealand as perhaps was initially expected. As is the case in many jurisdictions, emerging technologies are suffering the effects of regulatory lag, which has caused uncertainty as to how regulators and legislators will react to novel or perceived high-risk applications. As such, it seems that many organisations are wary of investing significant resources in these new technologies early on, owing to the risk of potentially costly re-engineering being required as a result of subsequent changes in the law. 

The rate of adoption has also been impacted by a shortage of relevant digital skills within organisations in New Zealand. This change has been exacerbated as a result of COVID-19 – firstly due to government restrictions on entry to New Zealand from 2020 to 2022, and subsequently with the migration of skilled workers to other countries once the restrictions were lifted in 2022. 

However, government-led initiatives are emerging in the technology space, including: 

• the government's proposal to establish a mandatory consumer data rights framework for New Zealand; 
• the development of a national digital strategy (including an AI strategy); 
• the introduction of an AI algorithm charter for public sector agencies; 
• consultation on the use of autonomous weapons as part of its disarmament policy; and 
• other government-led initiatives such as the Digital Industry Transformation Plan (ITP). 

There has also been significant government investment in areas such as digital learning platforms as a result of COVID-19. 

Outsourcing and technology transactions are not separately regulated in New Zealand. Rather, whether a particular outsourcing arrangement or technology transaction will be the subject of a specific regulatory regime largely depends on the customer's industry and the specific nature of the arrangement, including details of the customer, industry and type of outsourcing or technology transaction.   

While not relating to outsourcing or technology transactions specifically, New Zealand's competition law (Commerce Act) contains prohibitions against cartel agreements between competitors. Namely, it is illegal "cartel conduct" for competing businesses to agree:

• what price each will charge customers in a competitive situation (known as "price fixing");
• what each customer or territory will supply, or will not supply, in a competitive situation (known as "market allocation"); and
• to not supply certain goods or services in a competitive situation (known as an "output restriction agreement").

These prohibitions could apply to an outsourcing agreement or other technology agreements where the provider of the relevant services is also a competitor of the customer of those services. Illegal conduct can be found without a written agreement and an informal expectation between competitors that they will act in a certain way is sufficient to breach the Commerce Act. Therefore, discussions with outsourcing and technology partners that are also competitors should not "spill over" into informal understandings as to how each competes for customers, and the parties should avoid sharing commercially sensitive information (such as pricing information) with each other in the areas in which they compete. 

The Commerce Act contains an exemption from the cartel prohibition for clauses included in supply contracts (such as an IT outsourcing contract), provided those clauses do not have the purpose of lessening competition between the parties. This is an area to watch in New Zealand, as IT service providers are increasingly outsourcing their IT operations to service providers who may also be competitors in some markets.

While there is no legislation that applies to outsourcing and technology transactions generally in New Zealand, specific guidance is given to these arrangements in particular industries and by particular regulators, including financial services, the public sector, certain infrastructure providers, and regulated businesses more generally.

Financial Services

The financial services sector in New Zealand is regulated by the Financial Markets Authority, and subject to (among other legislative requirements) the Financial Advisers Act 2008 (FAA). The FAA specifically prescribes liability for compliance with statutory duties where brokers and financial advisers outsource their services. 

If a broker contracts out broking services to another business (eg, to a custodian) the broker remains responsible to the client for broking services. The person providing the outsourced broking services is required to register on the Financial Service Providers Register as providing broking services but will not have any broker obligations under the FAA if it is acting on behalf of the other broker's business. 

A new financial advisers' regime that came into force on 15 March 2021, requires financial advisers to take all reasonable steps to ensure that the person or entity to whom they have outsourced services complies with their duties under the FAA.

Banks

Large New Zealand banks are generally subject to a standard condition of registration that requires banks to continue to meet specific outcomes, despite outsourcing.

In 2017, the prudential regulator of New Zealand, the Reserve Bank (RBNZ) introduced a revised outsourcing policy, and banks were given a five-year transition period to comply. Due to the difficulties in resourcing associated with COVID-19, the RBNZ has extended this transition period to six years, requiring implementation work to be complete by 1 October 2023. Banks are required to conduct an independent review each year to ensure progress towards compliance is sufficient. From 1 October 2023, the RBNZ will be empowered to take enforcement action against any New Zealand bank to ensure compliance with these conditions. Relevant requirements under the RBNZ outsourcing policy include that New Zealand banks seeking to implement any outsourcing arrangement must, depending on the circumstances of the outsourcing: 

• have the relevant risk mitigation requirements (as specified for particular circumstances in the outsourcing policy) in place at all times;
• have robust back-up capability in place if the arrangement is with another related or independent third party; 
• ensure that the outsourcing arrangement contains the contractual terms prescribed in the outsourcing policy;
• in some cases, obtain non-objection from the RBNZ before entering into the arrangement;
• maintain, annually review, and provide to the RBNZ on request, a compendium of outsourcing arrangements; and
• have a separation plan (which is tested annually), to provide for the steps a bank would take to ensure the services covered by the outsourcing arrangement would continue to be provided in the event of failure of the arrangement.

The RBNZ maintains an extensive "Exempt List" of outsourcing arrangements that are exempt from the outsourcing policy. 

Public Sector

All public service departments, including the New Zealand Defence Force, New Zealand Police, New Zealand Security Intelligence Service and Parliamentary Counsel Office (collectively, the "Agencies") are directed by the New Zealand government to implement the Protective Security Requirements (PSRs). The PSRs are a set of mandatory requirements, a number of which are focused on information security, which is the government's primary concern in the outsourcing of its Agencies' responsibilities. 

The PSRs include guidelines and policies for managing protected information when outsourcing and offshoring, in particular:

• agencies considering using cloud services must contact the government chief digital officer for advice and guidance and follow that advice and guidance;
• agencies planning to use cloud services must perform a formal risk assessment, which includes identifying the controls needed to manage the information security and privacy risks associated with their use of the service; and 
• agencies must verify that they have put effective controls in place to manage security and privacy risks before certifying and accrediting the service for use. 

More broadly, the Government Procurement Rules are mandatory for all government departments, the New Zealand Police and Defence Force, and most Crown entities when the procurement is worth more than NZD100,000 (or NZD9 million for new construction works). These rules focus on promoting public value and include explicit requirements for agencies to consider in their procurement arrangements (such as increasing the domestic workforce and supporting the transition to a net-zero emissions economy). 

Other Regulated Sectors

Many businesses in New Zealand that conduct operations in regulated industries are subject to licensing, approval and certification requirements, and other ongoing price, governance and quality obligations set out in statutes, rules and regulations. While outsourcing in these industries is not specifically regulated or prohibited, there are other considerations that those looking to outsource should take into account. For example, in New Zealand, the following sectors are subject to industry-specific regulation:

• aviation is governed by the Civil Aviation Act 1990, Airport Authorities Act 1966 (which will both be replaced by a new Civil Aviation Act in the next year or so), and the Civil Aviation Rules. The Civil Aviation Authority and the Commerce Commission monitor compliance with regulations;
• electricity is governed by the Electricity Industry Act 2010 and Electricity Industry Participation Code, and is regulated by the Electricity Authority and the Commerce Commission; 
• food is governed by a number of acts and codes, and regulated by the Australia New Zealand Food Standards Authority and the Ministry of Health; 
• medicines and medical devices are governed by the Medicines Act 1981 and are monitored by the Ministry of Health;
• road transport is governed by the Land Transport Act 1998, the Land Transport Management Act 2003, and associated rules and regulations. The New Zealand Transport Authority, local authorities and the Ministry of Transport regulate this industry; and
• telecommunications, gas and dairy are regulated under industry-specific legislation and are subject to the oversight of the Commerce Commission. 

Consumer Data Right

The government has confirmed its decision to establish a consumer data right (CDR) framework for New Zealand, with legislation to be introduced in late 2022. 

Once implemented, the CDR will provide individuals (and potentially also businesses) with a statutory right to require data-holders to share information held about them with trusted third parties, and the ability to require that data-holder to carry out some form of action on the relevant individual's behalf. 

The government is still working to identify which sectors should be considered first for designation as in-scope of the CDR. However, it currently appears that the banking, electricity and insurance sectors will likely be the first, on the basis of perceived high search-and-switch costs.

Organisations must comply with the Privacy Act 2020 and the Privacy Regulations 2020 (the "Privacy Act"). New Zealand organisations must ensure that they comply with the information privacy principles in the Privacy Act 2020, which govern the rights of individuals in relation to their personal information. 

The Privacy Act includes a number of regulatory requirements relevant to outsourcing services and technology transactions. These include:

• restrictions on cross-border transfers of personal information, whereby agencies may only transfer personal information overseas if certain exceptions under the Privacy Act apply, noting that the export of personal information to a third party which merely holds that data as an agent on behalf of the first party (eg, for safe custody, such as, a cloud service provider) is expressly excluded from the restrictions on cross-border transfers if the third party only stores or processes the personal information on the relevant agency's behalf (and not for the third party's own purposes);
• a mandatory breach notification regime for certain notifiable privacy breaches, requiring an organisation to notify the New Zealand privacy commissioner and, in most cases, the individuals concerned, as soon as practicable after becoming aware of the breach, or make a public notification regarding the breach;
• public notifications must be published on an internet website maintained by the organisation and in at least one other medium, with a range of requirements for the content of the notice (including a description of the breach and notification of the right to complain about the breach);
• specific reference to foreign agencies, expressly bringing them within the scope of the Privacy Act to the extent that they undertake regulated activities in the course of carrying on business in New Zealand; and
• clarification that the Privacy Act will apply to all actions by a New Zealand agency, whether inside or outside of New Zealand. 

The government is also considering broadening the notification requirements under the Privacy Act to apply to the collection of personal information about an individual by agencies indirectly through a third party, rather than directly from the individual concerned. The government is seeking public feedback on the form and the scope of any such changes. If the notification regime is expanded, agencies that collect personal information indirectly from other agencies may have additional compliance obligations under the Privacy Act. 

Additionally, New Zealand organisations that process the personal data of people residing in the United Kingdom (UK) or European Union (EU) are required to comply with the EU or UK General Data Protection Regulation (GDPR) (as applicable) in some circumstances, including where those businesses offer goods and/or services to such people residing in the EU or UK. 

Penalties for Breach of Such Laws

The maximum fine under the Privacy Act is NZD10,000 for failure to comply with an access order, compliance notice or transfer prohibition notice, and failure to notify a privacy breach where required under the Privacy Act. 

In addition, there is a process to escalate privacy complaints to the Human Rights Review Tribunal, which may grant a number of remedies including a declaration that the business has interfered with the privacy of the individual and the award of damages. It can award damages to a maximum of NZD350,000 (with the maximum award for a privacy matter to date being just over NZD168,000). 

Outsourcing contract models in New Zealand vary depending on the specific circumstances of the particular outsourcing arrangement, including the types of services being procured and the size of the customer's business. 

Direct Contracting

Although there is no one standard approach to outsourcing contracts in New Zealand, direct contracting tends to be the prevailing model and it is increasingly common for customers to aggregate service providers by contracting with a core outsourcing provider directly for a number of different services, often involving third-party managed services or subcontracting arrangements. This allows these customers to take advantage of relative administrative simplicity, cost-efficiency and a single point of end-to-end service provider responsibility, while still making use of specialist third-party capability. These outsourcing arrangements are typically governed by a master services agreement, with each service falling under a separate service schedule or statement of work. 

The master services agreement contains the general legal terms relating to the arrangement as a whole and will typically include provisions relating to the initial term of the engagement, a process for agreeing to additional services, liability caps and exclusions, warranties, indemnities, a dispute resolution process and termination rights, as well as the overarching principles and standards to which the services will be provided to the customer. The specific details of the arrangement are detailed in the service schedules, which will set out the service levels and service credit regime, pricing, customer dependencies, assumptions, customer requirements and other specific service terms. 

Existing Templates and Drafting Outsourcing Contracts

It is common for service providers to push to use their existing contractual template as the base for the outsourcing contract. Depending on the type of IT services being procured, the size (and relative bargaining power) of the customer and the value of the transaction, it can be more challenging to negotiate amendments to such template agreements (or to use the customer's terms as a base for negotiation) in the New Zealand market than it is in other larger markets where this practice is more widespread.

The drafting of outsourcing contracts in New Zealand has shifted in line with global developments in outsourcing. Parties are increasingly contracting on terms that focus on agility and partnership, rather than more traditional adversarial-style obligations. Furthermore, there is a trend towards customers becoming much more sophisticated purchasers of these types of services, with several larger organisations now at the second or third-generation outsourcing stage. Contracts are increasingly focused on service outcomes, rather than prescribing the method of service provision in detail.

Indirect Outsourcing

Indirect outsourcing is fairly common with respect to the procurement of services to perform discrete business functions or processes (eg, ERP, finance, accounting, HR processing or complex lease management). This is typically because the underlying provider of the service or technology is not based in New Zealand and, instead, the New Zealand customer entity would contract with a local supplier entity who subcontracts out to the foreign third-party service provider. In these cases, it is typical for the local entity to provide second-level support services and on-site implementation, transition and configuration services to augment the overseas service provider's remote service offering. 

Liability arrangements in these circumstances can become complex and, except with respect to very large customers, the underlying services are often contracted on the underlying foreign service provider's standard terms without significant negotiation.

Multi-sourcing

Multi-sourcing involves the outsourcing of different services and/or different components of services to multiple service providers. Some organisations may have developed a multi-source outsourcing model without any particular planning, through contracting for different IT services on an ad hoc basis over time. The key benefit of multi-sourcing is that it allows organisations to contract with the best service provider for each particular service or component of a service. 

However, it can result in complex chains of responsibility and accountability and, as a result, can be difficult to administer from the customer's perspective. As such, conscious multi-sourcing can often be a preferred approach whereby the customer's ecosystem of suppliers is subject to common terms which mandate common governance rules, inter-supplier collaboration and a well-designed and managed service integration and management layer (SIAM). 

Other Models of Outsourcing

Alternative models of outsourcing arrangements are less common in the New Zealand market but may be selected in response to the unique commercial circumstances of the parties. These include joint ventures, captive centres and build-to-operate transfers.

Joint ventures

Parties may wish to set up a joint venture or partnership, with both entities having voting rights in connection with the provision of the services. This affords the customer a greater degree of control over the operations of the service provider than simply agreeing to a contract on an arm's length basis. However, this model is typically perceived to be an expensive option and can result in the customer taking on additional obligations that may not be within its expertise.

The contract models for cloud computing, SaaS and IaaS services are similar to that of an outsourcing arrangement – they are typically governed by a master or framework agreement, with each service falling under a separate service schedule or statement of work. As such, the comments in 3.1 Standard Supplier Customer Model for Outsourcing also apply to contract models for such services. 

Customer protections in outsourcing contracts differ depending on the nature of the services being provided. However, a few commonly used customer protections are discussed below.

Warranties

The customer will typically require warranties from the service provider in order to protect the customer in key risk areas. Such warranties commonly relate to the quality of service, expertise and personnel of the service provider, obtaining (and maintaining) required consents and licences and intellectual property-related warranties. A breach of the warranties by the service provider would typically entitle the customer to bring a damages claim against the service provider for breach of the agreement. 

Service Levels and Service Credits

Service levels and service credits are a further protection typically included in IT outsourcing contracts. Service levels are agreed performance metrics in respect of the services and/or components of the service. These vary depending on the type of service being provided but commonly include availability, response and resolution times and reporting obligations. Service levels can be used as a measure of the service provider's performance under the contract and the customer will usually seek to supplement these with a service credit regime in the event of service-level failures. 

A service credit is an agreed reduction in price to reflect that the service provider's performance has not met the agreed standards. However, it is worth noting that service credits that amount to a "penalty" are unenforceable in New Zealand, as discussed further in 4.3 Liability. A customer will typically also include reporting and audit rights in relation to the service levels, to ensure that it is able to monitor and verify the service provider's performance against the same (which it may otherwise be unable to do). 

A customer may also seek to include milestones in particular statements of work, with the service provider receiving a specific payment if it meets the relevant date for achievement of that milestone. Conversely, failure to meet the relevant date may result in a discount on the price for the relevant service and/or deliverable. This incentivises the service provider to complete work on time and in an efficient manner, and provides the customer with protection against unreasonable delays and additional costs, particularly in relation to the initial transition phase. 

Termination and Termination Assistance

The customer will want to ensure that it has sound termination rights in the contract, as further discussed in 4.2 Termination. The customer may also seek to include a termination assistance regime, which requires the service provider to assist the customer to transition the services to a replacement service provider or in-house, in the event that the agreement comes to an end. The outsourcing contract will typically require the parties to agree on an exit plan at the outset of the agreement, with obligations to continually refresh the same throughout the term of the agreement.

Relationship Management and Governance

Practising good contractual management is another way that a customer may obtain some protection and mitigate its risks in an outsourcing contract. To achieve this, the customer may seek to include specific governance requirements such as regular meetings, the appointment of a dedicated service-provider relationship manager, rights in respect of the replacement and removal of key personnel, and strong reporting and audit rights. These rights are particularly important in the context of outcomes-based outsourcing arrangements. 

The contractual rights should be supported by a capable in-house team and relationship manager who are able to monitor the service provider's performance against contracted standards and enforce contractual protections afforded to the customer where required.

Indemnities 

The customer may seek indemnity protection from the service provider in respect of certain key losses, including third-party breach of intellectual property rights and breach of data protection laws. The liability regime in respect of a breach of these indemnities is discussed in 4.3 Liability.

Business Continuity and Disaster Recovery

The customer will also typically seek to receive assurances from the service provider in respect of its business continuity and disaster recovery plans and may include obligations to review, test, update and report to the customer regularly or on request. This is also a mandatory regulatory requirement imposed on New Zealand banks, as discussed in 2.2 Industry-Specific Restrictions.

Step-In Rights

Step-in rights were once commonly requested by customers in outsourcing arrangements for critical services, whereby the customer would have the right to step into the shoes of the service provider in the event that the service provider materially failed to perform. However, "soft" step-in rights (eg, the right to make recommendations to the service provider and work with the service provider to improve service delivery in the event of significant failures) are far more commonly agreed as a solution.

Customary termination rights in outsourcing contracts vary depending on the nature of the services being provided. Where the services involve a significant portion of the customer's business (eg, an infrastructure outsourcing contract), the service provider will generally have very limited rights to terminate the contract, often only in the event that the customer has failed to pay an overdue invoice after receiving notice and a chance to settle that overdue invoice. However, a contract for discrete services or services that are readily replaceable by the customer may provide the service provider with additional termination rights, such as for material breach by the customer.

Right to Terminate

Customers typically seek to include a right to terminate for the service provider's material breach if that remains unremedied for a certain period of time (or that cannot be remedied) and in circumstances where the service provider suffers an insolvency event or a persistent "force majeure" event (noting that following the advent of COVID-19, customer organisations have been increasingly careful to ensure that known pandemics, epidemics and associated government rules and restrictions do not constitute events of force majeure that would provide the service provider with relief from its responsibilities). In addition, the agreement may include a right for the customer to terminate in the event of specific contractual failures that do not meet the standard of a "material" breach, such as serious or repeated service-level failures or failure of the service provider to meet specific milestones in respect of the services or deliverables. 

The customer may also wish to include a right to terminate the agreement for convenience, although this may be subject to a minimum term and it is common for the service provider to require the payment of termination compensation in these circumstances (particularly if the service provider plans to invest significant resources at the beginning of the arrangement on the basis that those costs will be recouped over the full term of the contract). 

Additional termination restrictions may also apply in respect of the outsourcing of services by New Zealand banks, which largely operate to limit a service provider's ability to terminate contracts in the event that the bank goes into statutory management.

If no specific termination rights have been agreed in the contract, each party generally has a right to terminate the agreement for a "material breach" of the other party under common law. However, it is commonplace for contracts to include a detailed contractual termination regime. 

Liability at Law

The liability provisions are typically heavily negotiated in outsourcing contracts. It is common for the liability of both parties to be subject to a liability cap, with the quantum of that liability cap varying depending on the circumstances. In New Zealand, the courts will generally enforce such clauses where they are negotiated at arm's length between commercial parties. There is scope, under the Fair Trading Act 1986 (FTA), to challenge their enforceability if one of the parties is a "consumer", or for standard-form business-to-business contracts with a value of less than NZD250,000.

Liability in Contract and Loss of Profit, Goodwill and Business

Service providers will usually seek to exclude all "indirect" or "consequential" losses. Whether a loss is "direct", "indirect" or "consequential" depends on the context of the contract in which the words were used and, as such, is a question of fact depending on the circumstances of the situation. 

The New Zealand courts adopt an objective approach to this question, with the aim being to ascertain the meaning that the clause would convey "to a reasonable person having all the background knowledge which would reasonably have been available to the parties in the situation in which they were at the time of the contract". In circumstances where the meaning of "consequential and indirect loss" is ambiguous, and the court is unable to discern what the clause from the contract is intended to mean as a whole and the factual matrix, the courts have been prepared to adopt the contra proferentem rule. This "tie-breaker" rule construes the meaning of these words against the party who drafted the clause in which these words were included.

To create more certainty as to what is recoverable in the event of a loss, the parties will often specify certain key losses as deemed direct (and recoverable) losses. Common examples of specified "deemed direct" losses include (but are not limited to):

• the reasonable cost of procuring alternative systems;
• the reasonable cost of implementing workarounds; and
• the costs incurred in taking steps to remedy the other party's breach.

The parties may also seek to include certain key uncapped heads of loss in the contract, such as breach of confidentiality, breach of the provisions relating to intellectual property rights, wilful default and fraud. In addition, in the event that service providers will have access to the personal information of the customer, customers are increasingly seeking uncapped liability for the service provider's breach of its data protection obligations or to agree a separate higher cap for such breaches. 

Service Credits

Customers often seek to include service credits in the event of service-level breaches, or other amounts that are payable should the service provider breach relevant terms of the contract (eg, failure to meet specific milestones). Such clauses are known as "liquidated damages" and disproportionate liquidated damages clauses in contracts (ie, penalty clauses) are unenforceable in New Zealand. 

The test for whether or not a damages clause is a penalty is the same as in the United Kingdom and a provision will be a penalty only if it is a secondary obligation that imposes a detriment out of all proportion to any legitimate interest of the customer in the enforcement of the primary obligation. This is important to keep in mind when drafting liquidated damages clauses and it may be helpful to provide a justification that outlines the interest being protected, and the interest in enforcement, when drafting the relevant clause.

The service provider will typically also have insurance obligations in order to support the liability regime.

Businesses may be protected against unfair commercial practices in New Zealand through the FTA, which prohibits a service provider from misleading or deceiving another person and making unsubstantiated representations in trade.

"Fair and Reasonable" Contract Terms

It is common for the parties to expressly exclude the terms of the FTA and other implied consumer protections, such as pursuant to the Consumer Guarantees Act 1993, in outsourcing and technology contracts and to instead document the specific warranties and service commitments expressly applicable to the arrangement in the contract terms. However, it is worth noting that certain provisions cannot be contracted out of in business-to-business transactions, where to do so would not be "fair and reasonable" (noting that the test of fairness explicitly considers the relative bargaining power of the two parties). The unfair contract terms regime in the FTA (which traditionally only applied to consumer contracts) has been extended to also apply to standard form, non-negotiated, business-to-business contracts with an annual value of less than NZD250,000 under the Fair Trading Amendment Act 2021 ("Amendment Act"). The Amendment Act has also been expanded to introduce a statutory prohibition on unconscionable conduct in trade. While "unconscionable conduct" is not defined,  the government has provided that the intention is for the prohibition to address similar conduct as in Australia, where the courts have found that conduct is unconscionable if it is "against conscience by reference to norms of society". The Australian courts have stated that such norms can include acting honestly, fairly, and without deception or unfair pressure, and the New Zealand courts are likely to take a similar approach when assessing such conduct.

Implying Terms into a Contract

Given the nature of outsourcing and technology contracts for core, business-critical technology (being typically high value and heavily negotiated), the New Zealand courts will be reluctant to imply terms into the contract on the basis that if the parties wanted the term to be part of the bargain they would have set that out in the contract expressly. In particular, unlike the UK and Australian positions, New Zealand courts have tended to be reluctant to imply a universal doctrine of good faith into commercial contracts. The agreement of warranties, standards and prescribed obligations is, therefore, an important stage in the negotiation of outsourcing and technology contracts. However, the courts may still imply terms into outsourcing and technology contracts in some cases, such as where it is necessary to make the contract work. The courts adopt the following test to determine whether a term should be implied in the contract: 

• the term relates to a business custom which is so well known that the parties must be taken to have known of it and intended that it should form part of the contract;
• the term must be certain and reasonable; 
• there is clear and convincing evidence of the custom (unless the doctrine of judicial notice applies); and
• the term must not be contrary to an express term of the contract or inconsistent with the tenor of the contract as a whole.

Contractual Protections on Data and Security

Privacy, data protection and security have had an increased focus in outsourcing and technology contracts. Where an outsourcing arrangement or particular piece of technology relates to or involves the processing of data, and in particular personal data, the underlying contract will likely include provisions regarding the following matters:

• ensuring that consent has been given to the sharing of that data with the service provider;
• when data is shared, requiring the service provider to monitor and report security, data and privacy breaches and provide the customer with all information and assistance reasonably required in respect of the same;
• restrictions on the transfer of information outside of New Zealand;
• restrictions or limitations on onward transfers of information from the service provider to sub-processors or other third parties;
• ensuring that individuals are provided with the requisite rights in relation to their personal data; and
• demonstrating that they comply with the Privacy Act and, where applicable, the EU or UK GDPR by appointing a privacy officer (or data protection officer), providing training to staff and meeting other general requirements regarding the security of information.

The customer may also seek to require the service provider to comply with the customer's security policies and/or other specified standards. The customer would also typically include audit rights in respect of the security standards and obligations on the service provider to provide the customer with the results of its security testing. The privacy, data protection and associated security obligations may also be supported by an express acknowledgement that the service provider's liability for a breach of the same is uncapped or subject to a separate, higher cap as further discussed in 4.3 Liability.

The contract terms discussed above would also apply to technology or outsourcing contracts for cloud-based solutions. However, it is not always the case that the supplier of the cloud-based solution will provide all of the relevant services. It is common for third-party service providers to provide implementation and/or support services in relation to a cloud solution provided by the supplier. In these circumstances, it is likely that customers will place certain obligations on the supplier of the cloud solution with respect to:

• co-operating with the third-party implementation and/or support partner; 
• limiting the customer's liability for any delays caused by the implementation partner during transition; and
• the right to terminate the contract with the supplier of the cloud solution should implementation under the customer's contract with the implementation partner fail. 

A customer is likely to seek similar corresponding provisions in its contract with a third-party implementation and/or support partner. 

While not common for commercial off-the-shelf SaaS solutions, suppliers of more business-critical and/or customised software may sometimes agree to place the source code of their proprietary software in escrow for the customer's benefit. The parties may engage a third-party escrow agent who will keep the source code in escrow and oversee its release. The "release" events for the source code are usually negotiated by the parties and may include termination for cause by the customer, or the supplier suffering an insolvency event.

There are no rules that apply specifically to employee transfers for outsourcing (as opposed to transfers for other commercial reasons) in New Zealand. Employees are divided into two groups for the purposes of a transfer that arises in the context of a "restructuring" (which includes the outsourcing of work or the sale or transfer of all or part of a business).

Cleaning, Food Catering and Security Employees

Employees who perform cleaning, food catering or security work have the right to elect to transfer to the new service provider of the work on the same terms and conditions of employment, with service with the past provider recognised by the new provider. Leave entitlements transfer with the relevant employee. However, there are no additional restrictions on subsequent redundancies by the new service provider. 

All Other Employees

There is no statutory right for any other employees to transfer to the new service provider. As such, the new service provider may, but is not required to, offer such employees employment on whatever terms and conditions it may choose (provided that minimum New Zealand employment law entitlements are met).

If an employer contemplates outsourcing that could lead to redundancies, it must consult with affected employees prior to making a decision. This is the case even if the new service provider would offer employment to all affected employees on the same terms and conditions of employment. Should the obligation to consult be triggered, the employees may decide whether they involve their union. However, if employees belong to a union, it would be typical for the union to be involved in consultation as the representative of affected employees. There is no independent obligation to consult with a union. 

Unlike other larger jurisdictions, New Zealand does not have workers' councils.

The potential for employee transfers is generally considered part of the broader commercial terms to be negotiated between the parties in New Zealand. This is the case regardless of whether the employees have the right to transfer (see 5.1 Rules Governing Employee Transfers) in which case, the additional potential liability may affect the contract price, or whether employment would need to be offered to, and accepted by, the employees that were to transfer. 

There is often a tension between the motivations of the customer and the new service provider in considering the terms and conditions of employment to be offered by the new service provider. While these are ultimately a matter for the new service provider, this is something about which the customer usually has an interest and may wish to make recommendations. The new service provider will typically want to ensure that the terms offered to such transferring employees are consistent with the market and the terms of other similar employees. 

The customer will often want to ensure that the terms are the same as, or close to, the current terms and conditions of employment, as this is the best practical way to minimise employment issues. In addition, if the customer's employees will transfer with the outsourcing and there is a contractual entitlement to redundancy compensation, the customer will usually want to ensure that, if possible, the offer of employment by the new service provider is such that this compensation is not triggered. There is no statutory entitlement to redundancy compensation or severance in New Zealand.

Several legal issues arise when considering the possibility of remote working by employees. 

First, it is important to consider whether an employee is requesting to work from home, or whether the request is being made by the employer. Outside of a government-mandated lockdown situation, an employer may only require an employee to work from home if the employee agrees. Consent could be obtained in the "place of work" clause in an employee's employment agreement.  While an employee can ask to work from home (and an employer has an obligation to consider this request), an employee will require permission from their employer to work from home. An employee is able to make this request in the context of a request for flexible work, but an employer is only required to genuinely consider such a request and cannot be compelled to agree. 

Second, if an employee is to work from home, the following legal considerations apply. 

• Health and safety obligations: the employer will need to be satisfied that the employee has a safe place to work; this may require a workstation review or the provision of equipment. 
• Employment obligations: an employer will need to ensure it has systems in place to monitor hours of work to ensure minimum rates of pay are met. 
• Confidentiality obligations: depending on the nature of the work, the employer may wish to ensure that the employee is able to comply with confidentiality obligations in a home environment.