NZ Police’s ambitious shift to cloud computing marks a crucial chapter in the modernisation of public services, but it is one fraught with significant risks. The move, part of a wider government push toward digital transformation, aims to alleviate frontline pressures and replace ageing 2013-era IT systems. Yet, as the first stages roll out in Wellington, urgent warnings about privacy breaches, legal exposure, and operational vulnerabilities cast a long shadow over the project.
Push for Modernisation Meets Old and New Challenges
The Wellington pilot, which has seen five of 32 workgroups transition so far, is the first tangible step in a broader migration to Microsoft’s cloud services. The shift is designed to ease the unsustainable pressures on frontline officers and meet government mandates to modernise IT infrastructure across the public sector. It also seeks to address compliance demands, following previous controversies such as the illegal retention of thousands of youth photos exposed in 2020.
Despite technical delivery proceeding relatively smoothly, official assessments reveal a precarious path. A May 2022 Privacy Impact Assessment, obtained by RNZ under the Official Information Act, starkly warned that mishandling sensitive data could lead to “death of individuals, extensive injury and hospitalisation,” alongside catastrophic damage to public trust in the police brand.
Grave Privacy Risks and Public Trust at Stake
The data being transferred to the cloud is classified up to the “RESTRICTED” level, encompassing highly sensitive personal information. Any breach could severely impact police operations and reputation. The Privacy Impact Assessment rated the risk level as “Very High,” identifying 12 distinct privacy risks—one deemed Very High and eight High.
If these risks are not appropriately managed, the police would face “Very High health & safety impacts and reputational damage.” Thirty-one mitigation strategies were outlined, including stringent staff training and access controls. However, it remains unclear how many of these measures have been fully implemented during the Wellington trial phase.
Police did not formally consult the Privacy Commissioner about the cloud migration, a notable omission given the scale of potential privacy implications.
Exposure to Foreign Control and Cloud Law Entanglements
The reliance on US-based Microsoft introduces another layer of risk. The US Cloud Act permits American authorities to demand access to data held by US companies, even if stored abroad. Though there’s no public record that such powers have been exercised over New Zealand Police data, the possibility remains concerning.
The assessment also flagged Microsoft and Spark’s operational roles as additional vulnerabilities, particularly around jurisdictional risk and lack of direct oversight. Past experiences have already exposed cracks: a 2020 incident saw sensitive police video evidence quietly moved between Amazon and Microsoft servers without police knowledge, raising concerns about evidence admissibility in court.
Historical Breaches Highlight Systemic Dangers
The hazards of cloud reliance are not hypothetical. In 2019, a significant breach involving SAP allowed unauthorised access to firearms registry data, taking up to 10 hours to fully shut down. This highlighted the intrinsic opacity of cloud services and the dangers of insufficient monitoring.
Such incidents reinforce the warnings about “orphan” servers—untended systems prone to security gaps—and the critical need for exit strategies to maintain control over essential services.
Risk Mitigation Efforts Underway, But Uncertainty Persists
While the police have emphasised that the transition framework is being “fine-tuned,” they have yet to produce a formal evaluation of the Wellington pilot’s outcomes. They insist that technical aspects are performing well, but the absence of a completed review leaves questions about the effectiveness of risk mitigation strategies.
The upgrade has been executed largely in-house, with just a single external contractor engaged for $288,000. A separate digital notebook upgrade, also flagged with high privacy risks, has similarly proceeded under internal management with recommended safeguards in place.
The Broader Government and Global Context
The Police’s cloud migration aligns with a nationwide “cloud-first” directive, which has spurred massive investments from Microsoft, Amazon, and Google, including the construction of new data centres in New Zealand. Yet the experience of the Environmental Protection Authority, where cloud costs ballooned from $2.1 million to $3.38 million annually, illustrates the financial pitfalls of cloud dependency.
Internationally, major US cloud providers like Microsoft have faced fierce criticism for security failures, including a Russian intelligence breach that exploited vulnerabilities in Microsoft’s Azure system. These global developments add urgency to calls for tighter governance and transparency as New Zealand agencies deepen their reliance on foreign tech giants.
Looking Ahead
The New Zealand Police’s cloud journey stands at a critical juncture. While modernisation offers clear operational benefits, the stakes for privacy, security, and public trust could not be higher. The coming evaluations will determine whether this move becomes a benchmark for responsible digital transformation or a cautionary tale of risks underestimated and controls insufficiently applied.