NEW ZEALAND Law and Practice Contributed by: Liz Blythe, Troy Pilkington, Emma Peterson and Craig Shrive, Russell McVeagh
(a) appointing a privacy officer (or data protection officer); (b) providing training to staff; and (c) meeting other general requirements regarding the security of information.

The customer may also seek to require that the service provider comply with the customer’s security policies and/or other specified standards. The customer would also typically include audit rights in respect of the security standards and obligations on the service provider to provide the customer with the results of its security testing.

The privacy, data protection and associated security obligations may also be supported by an express acknowledgement that the service provider’s liability for a breach of the same is uncapped or subject to a separate, higher cap (as further discussed in 4.3 Liability).

Business Continuity

Customers typically require suppliers to provide assurances regarding business continuity – for example, by requiring the supplier to:

• create and maintain an effective business continuity and disaster recovery plan;
• have effective back-up and disaster recovery solutions in place to ensure that critical systems are not impacted by a cyber-attack (for example) or other outage; and
• undertake regular testing of their business continuity plans to ensure they are effective when implemented in a real-time setting.

Customers will often contract for resiliency in critical systems by, for example, requiring the supplier to maintain a warm standby system or otherwise procuring or maintaining fully resilient failover functionality.

4.6 Performance Measurement and Management

Service levels (and associated performance reporting) and related credits or other rebates for failures are commonly used as a mechanism for supplier performance measurement and management under technology transactions and outsourcing arrangements. Please refer to the comments in 4.1 Customer Protections (Service Levels and Service Credits).
The following are among the other mechanisms that are commonly included in IT contracts to help the customer manage and measure the supplier’s performance.

• Key performance indicators (KPIs) or milestones, together with associated reporting obligations on the supplier, are usually time-bound (eg, the supplier has to perform a requirement by a particular date or within a specified timeframe). There can be consequences linked to a supplier not meeting KPIs – for example, the customer can terminate the contract without liability if three or more KPIs are not met within a three-month period.
• Performance notice mechanisms typically involve the customer issuing a performance notice to the supplier in the event of a service-level failure or other supplier breach and an obligation on the supplier to rectify the relevant issue. The customer will usually have the right to terminate the agreement if the supplier receives a specified number of performance notices in a period (eg, three are received in a six-month period).
• Specific reporting and governance requirements are commonly included to ensure the supplier shares relevant information with the customer and meets regularly with the customer to discuss any performance issues. This could include a review of any service levels, KPIs or milestones that are included in the agreement.
• Customer audit rights are also commonly included so the customer can gather information regarding the supplier’s performance of the services or visit supplier premises to observe performance of the services.

4.7 Digital Transformation

The contract terms discussed in 4. Contract Terms would also apply to technology or outsourcing contracts for cloud-based solutions. However, it is not always the case that the supplier of the cloud-based solution will provide all of the relevant services.
It is common for third-party service providers to provide implementation and/or support services in relation to a cloud solution provided by the supplier. In these circumstances, it is likely that customers will place certain obligations on the supplier of the cloud solution with regard to: