1 Application

1.1 Effective date

1.1.1 This Standard is effective 17 March 2025 and replaces the Web Usability Standard 1.3.

1.2 Mandated organisations

1.2.1 Every Public service department, the New Zealand Police, the New Zealand Defence Force, the Parliamentary Counsel Office and the New Zealand Security Intelligence Service is directed by Cabinet [CAB Min (03) 41/2B] to implement this Standard.

2 Requirements for publicly facing websites

2.1 Scope

2.1.1 The requirements in Section 2.2 to 2.5 apply to each publicly facing website (‘Website’) that a mandated organisation (‘the Mandated Organisation’) is responsible for.

2.2 Government identity

2.2.1 The Website’s home page must include the name or logo of the Mandated Organisation.

2.2.2 The Website’s home page must include a visible link to Govt.nz.

2.2.3 The link to Govt.nz on the Website’s home page should use a suitable NZ government identity logo implemented using the recommended NZ Government logo markup.

2.3 Contact information

2.3.1 The Website must provide access to information (‘Contact Information’) for obtaining help related to the Website and contacting the Mandated Organisation.

2.3.2 The Contact Information must be either

• provided on the Website’s home page, or
• linked to from the Website’s home page with a visible link whose text clearly indicates that its target is the Contact Information for example, the link’s text is ‘Contact us’, ‘Whakapā mai’, or equivalent).

2.3.3 The Contact Information must include all of the following for the Mandated Organisation:

1. an email address monitored daily during business hours where emails received are acknowledged within 3 business days with an indication of when a full response can be expected
2. a postal address monitored daily during business hours
3. a physical street address open to the public during business hours, if one exists
4. the number of a telephone line available and monitored daily during business hours
5. the telephone number for each call centre that supports a service provided by the Website
6. a link to the New Zealand Relay Service (NZ Relay) for people who are deaf or hard of hearing, deafblind, or who have a speech impairment.

2.4 Copyright

2.4.1 The Website must provide access to a general copyright statement (‘General Copyright Statement’).

2.4.2 The General Copyright Statement must be either:

• provided on the Website’s home page, or
• linked to from the Website’s home page with a visible link whose text clearly indicates that its target is the General Copyright Statement (for example, the link’s text is ‘Copyright’, or ‘Manatārua’, or equivalent).

2.4.3 The General Copyright Statement must specify:

1. which content on the Website it applies to
2. the copyright status of such content, and
3. the terms under which such content can be re-used by others.

2.4.4 If the Website contains third-party copyright material, the Website must specify, either within the General Copyright Statement or with each item of third-party copyright material:

1. such material in a way that avoids ambiguity as to which content is subject to third-party copyright
2. the source and copyright status of such material
3. that the Website’s terms of content re-use do not apply to such material, and
4. that permission to re-use such material cannot be given by the Mandated Organisation.

2.4.5 The General Copyright Statement should specify that the general licensing terms do not apply to material on the Website that is covered by the Flags, Emblems, and Names Protection Act 1981.

2.4.6 The New Zealand Government Open Access and Licensing framework (NZGOAL) should be applied when selecting the licensing terms that apply to copyright material on the Website.

2.5 Privacy

2.5.1 The Website must provide access to:

1. a privacy statement (‘Organisation Privacy Statement’) that describes how the Mandated Organisation collects and uses personal information, and
2. a privacy statement (‘Website Privacy Statement’) that describes how personal information is collected through the Website and how it is used.

2.5.2 The Organisation Privacy Statement must be provided on a publicly facing website that the Mandated Organisation is responsible for.

2.5.3 The Privacy Statement must be either:

• provided on the Website’s home page, or
• linked to from the Website’s home page with a visible link whose text clearly indicates that its target is the Website Privacy Statement (for example, the link’s text is ‘Privacy statement’, ‘He tauākī matatapu’, or equivalent).

2.5.4 The Website Privacy Statement must include a link to the Organisation Privacy Statement.

2.5.5 Unless an exception under the Privacy Act 2020 applies, the Organisation Privacy Statement must describe, directly or through links to other privacy statements, and at a level of detail reasonable to ensure that individuals are aware of:

1. all the ways the Mandated Organisation collects personal information, including through websites, other digital and non-digital channels
2. the purpose for which that personal information is being collected
3. the intended recipients of that personal information (for example, the Mandated Organisation or third parties)
4. whether the collection of that personal information is voluntary or mandatory (either under a particular law or because it is not possible to provide services without it, and
5. individuals’ rights to request access to or to correct personal information held by the Mandated Organisation responsible for the Website and contact details so individuals can make requests.

2.5.6 Unless an exception under the Privacy Act 2020 applies, the Website Privacy Statement must describe, directly or through links to other privacy statements, and at a level of detail reasonable to ensure that individuals are aware of:

1. how personal information is collected through the Website
2. the purpose for which that personal information is being collected
3. the intended recipients of that personal information (for example, the Mandated Organisation or third parties)
4. whether cookies are used by the Website, including their type (for example, persistent , third party), purpose and duration, and
5. any collections or use of information which, if combined with other information, could be used to identify individuals — this includes, but is not limited to, information such as:
   • IP address
   • operating system
   • device sensors (for example, GPS, camera, microphone)
   • web browser
   • pages visited and search terms.

3 Requirements for all websites

3.1 Scope

3.1.1 The requirements in Sections 3.2 and 3.3 apply to each publicly facing and each internally facing website (the ‘Website’) that a mandated organisation (the ‘Mandated Organisation’) is responsible for.

3.2 Links to non-HTML files

3.2.1 Except for links on inactive web pages:

1. links to a non-HTML files must be accompanied by information indicating the file’s format and size
2. links to non-HTML files should include the file’s format and size in their link text.

3.3 Printable web pages

3.3.1 The main content of each web page in its current state must be printable on A4 paper, except for inactive web pages.

3.3.2 Printed web pages must include at least 1 instance of the Mandated Organisation’s name or logo

3.3.3 Printed web pages should not include the following web content:

• primary content navigation
• secondary content navigation
• persistent search form
• decorative elements.

3.3.4 A web page’s text content should be printable by default as black text on a white background.

4 Requirements for assessment and reporting

4.1 Conformance, risk assessment and management plan

4.1.1 Each Mandated Organisation must, when notified by the Government Chief Digital Chief (GCDO):

1. assess how the websites and web pages it’s responsible for conform to this Standard
2. submit to the GCDO a report on the conformance to this Standard of the websites or web pages it’s responsible for
3. submit to the GCDO a risk assessment and risk management plan regarding the non-conformance to this Standard of the websites or web pages it’s responsible for.

4.2 Methodology

4.2.1 The GCDO will provide each mandated organisation with the methodology for completing the requirements in Section 4.1.

5 Glossary

Assess

In the context of conformance, assess means to determine the rate, level or amount of conformance to a given standard, guideline or specification.

Home page

A website’s main landing or entry web page.

For many websites, this is the web page at the root domain or subdomain level, e.g. http://ministry.govt.nz/ or http://site.ministry.govt.nz/.

For some websites, for example, single web page applications, the home page is the initial state of the web application.

Inactive web page

A web page whose main content:

• is no longer needed for active administrative purposes
• is neither modified nor updated after the date of inactivity
• is clearly marked as inactive or archived, and
• includes accessible instructions for users to request an accessible version of the same main content.

Internally facing

Can be accessed only by peoples who are employees, staff or paid personnel of a New Zealand government public sector organisation.

Examples of internally facing websites include an organisation’s:

• intranet
• web-based document management system

Main content

The content specific to a web page and directly related to that web page’s principal topic or functionality.

Mandated organisation

The Public Service department, the New Zealand Police, the New Zealand Defence Force, the Parliamentary Counsel Office or the New Zealand Security Intelligence Service, directed by Cabinet to apply the Web Standards.

Must

As defined in IETF RFC 2119, indicates an absolute requirement.

Publicly facing

Can be accessed by members of the general public or people who are not employees, staff or authorised paid personnel of a New Zealand government public sector organisation.

This includes a website or web page behind a login authentication mechanism that controls access by members of the general public or people who are not employees, staff or paid personnel of a New Zealand government public sector organisation.

Examples of publicly facing websites include an:

• organisation’s corporate website
• extranet for liaising with service providers.

Risk assessment

An evaluation of the potential risks of non-conformance with a standard’s requirements.

Risk management plan

A plan to mitigate the potential risks of non-conformance with a standard’s requirements.

Should

As defined in IETF RFC 2119, indicates a recommended course of action that there may be valid reasons under certain conditions to ignore, the full implications of which must be understood and carefully weighed before doing so.

Should not

As defined in IETF RFC 2119, indicates a course of action that is not recommended but that may be acceptable or even useful to take under certain conditions, the full implications of which must be understood and carefully weighed before doing so.

Website

A group of web pages that share a common topic or purpose. This includes web services and single page applications.

A website can have smaller sub-sites within it, each servicing as an individual website. For example, a government department’s corporate website (for example, agency.govt.nz) might comprise multiple sections (for example, agency.govt.nz/service-a and agency.govt.nz/service-b) that are owned or administered by organisationally distinct units within the department. For the purposes of this standard, these individual sections may be considered separate websites.

Note that collections of 1 or more web pages located at different fourth-level domains belonging to the same third-level domain, for example, projectA.agency.govt.nz and serviceB.agency.govt.nz, constitute separate websites.

Definition of website in the Website Accessibility Conformance Evaluation Methodology (WCAG-EM) 1.0

Web page

A file downloaded from a single URI (Uniform Resource Identifier) using HTTP (Hypertext Transfer Protocol), along with any extra files needed to display it properly in a web browser.

Web pages include web applications, web services and single page applications.

Most web pages are downloaded from a URL (Uniform Resource Locator) that starts with https://.

Definition of web page in WCAG 2.2