Cloud computing may be convenient but guides are needed to avoid procurement pitfalls
15 February 2013
The State Procurement Policy mandates the Government Information Technology Contracting (GITC) framework for all ICT product and service procurement by Queensland Government departments.
Various important legal issues are raised for government by cloud computing, including privacy, confidentiality, security and liability, all of which need to be properly addressed in each customer contract entered into under the GITC framework.
The consideration of legal and operational challenges and opportunities presented by cloud computing has been assisted with the publication of two recent government guides.
The Federal Government, through its Australian Government Information Management Office, published a useful guide in February 2012 entitled Negotiating the cloud – legal issues in cloud computing agreements, which covers a broad range of cloud-computing service issues.
In May 2012, the Office of the Queensland Government Chief Information Officer released the Cloud Computing Guideline as part of the Queensland Government Enterprise Architecture for departments and agencies contemplating using cloud-computing services. The Queensland guide has as its primary focus the issue of conducting appropriate risk assessments.
It is generally consistent with the federal guide, identifying similar legal issues, and contains references to various Queensland materials, including policies, standards and guidelines that apply to Queensland departments and agencies.
Section 1.4 of the Queensland guide sets out the definition of cloud computing adopted by the Queensland and Federal Governments, as developed by the US National Institute of Standards and Technology:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models and four deployment models.
The Queensland guide is designed to assist agencies to develop and conduct a proper risk assessment when considering the procurement and use of cloud-computing services (refer section 3, p.7). This assessment places considerable emphasis on the classifications of data ranging from public to non-public information, whether unclassified, non-national security information or national security classification.
A data-based risk assessment – where data are classified according to the Queensland Government Information Security Classification Framework – informs a department’s determination of the particular model or form of cloud computing appropriate for its business requirements.
Whether a new module or set of provisions specifically designed to address cloud computing is desirable has been the subject of some consideration by GITC and its equivalents in other Australian jurisdictions. To date, no jurisdiction has taken the decision to develop a dedicated cloud-computing module or set of provisions.
GITC v 5.02 generally affords flexibility, enabling it to be adapted to respond effectively to the significant challenges arising with the procurement of cloud services, whether in the form of software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS) or whether the deployment model selected is through a private cloud, a community cloud, a public cloud or a hybrid cloud.
‘Module 10 – Managed Services’ in the current GITC framework most readily lends itself to addressing various issues raised by cloud computing services. However, this module is not sufficient in itself and various other components of the GITC framework need to be applied to address the various legal and operational challenges.
The GITC framework also provides important flexibility through a process of permitting ‘Additional Provisions’ to be included in a Customer Contract but any additions having the effect of derogating from the balance between rights and obligations in the GITC framework will be invalid unless the approval of the overseeing Contract Authority is first obtained.
Legal and operational issues
In considering and demonstrating the ways in which GITC is adaptable and may be applied to cloud services, the same sequence of legal issues adopted in the federal guide will be followed here.
The federal guide deals directly with the Privacy Act 1988 (Cth). Substantially similar provisions are also contained in the Information Privacy Act 2009 (Qld).
The standard privacy provisions in GITC are extensive. For example, ‘Part 2 – Customer Contract Provisions’ addresses the transfer of personal information overseas, a common feature of cloud service arrangements unless specific provision is included to ensure the Contractor is required to retain and store all such information onshore. Express consent of the customer department is required prior to transfer of personal information outside Australia.
Standard GITC also provides that the Contractor must fully cooperate with the Customer department to enable it to respond to privacy complaints and applications made by citizens under the Information Privacy Act 2009 to access and amend personal information. The standard provisions contemplate that the parties may agree on further customised provisions to apply to their particular procurement with these provisions taking the form of Additional Provisions. These may be agreed to at the outset and apply from the commencement date of the Customer Contract or be agreed to later during the term of the Contract.
In relation to subcontractors, GITC gives a right to the Customer to require the Contractor to arrange for a subcontractor to execute a privacy deed directly enforceable by the Customer. The federal guide supports the inclusion of further similar provisions which extend beyond the subcontractor to its employees and officers from the commencement date of the Contract. This would require the inclusion of an Additional Provision.
The federal guide emphasises security and the appropriate measures which need to be taken and the Queensland guide strongly endorses and emphasises the need for a risk assessment process to be undertaken. The standard GITC provisions do not include all the security measures recommended in the federal guide. However, GITC allows a Customer department to specify the particular secrecy and security requirements in the General Order, which forms part of the Customer Contract. This is a matter for negotiation between the Contractor cloud service provider and the Customer.
Especially where sensitive or mission-critical departmental data is covered by the cloud services, security requirements to be specified in the General Order may also include the right for the Customer to arrange independent testing. This may include penetration testing to establish whether or not the Contractor’s ICT systems satisfy its contractual obligations. The testing would be conducted at the location of the data, which may be offshore.
GITC’s standard confidentiality provisions are strong and align well with the recommendations in the federal guide. Issues arising with privacy also have application here. The appropriateness of including tailored secrecy and security provisions in the General Order needs to be considered. Alternatively, customised provisions could be included as Additional Provisions. As with privacy, the Customer needs to address whether it requires a provision for deeds of confidentiality which may be enforced directly against the officers and employees of the Contractor or subcontractors.
GITC contemplates audits being used to review the observance of contractual provisions by the Contractor. The standard GITC provisions do not, however, cover many of the detailed recommendations included in the federal guide. The detailed recommendations address the challenges raised by the possibility that the location of data, or the different locations of various parts of the data, may not be clear and may change from time to time.
Other audit requirement recommendations include contractual provisions addressing clear identification of the Customer’s data in the cloud environment, notice periods required prior to the audit and methods of accessing the data for audit purposes. The federal guide also recommends a specific provision for the appointment of a local (offshore) commercial auditor to conduct the audit. These specific provisions would be included in GITC as Additional Provisions.
Liability and indemnity
The standard GITC provisions dealing with liability and indemnity are broadly consistent with the federal guide.
Scope and exclusion of liability: As the federal guide notes, it is common practice for cloud service providers to seek to exclude their liability for ‘indirect and consequential losses’ due to data loss or misuse of data.
In Part 2 (Customer Contract Provisions) of GITC, the standard or default position is that liability for ‘indirect and consequential’ loss is excluded, leaving the Customer to bear such losses. Despite this default position, Part 2 does entitle the Customer to identify certain types of losses required to be removed from the exclusion. This is done by specifying the selected losses in the General Order, which forms part of the Customer Contract. The effect is to make the Contractor liable for the losses selected. It is important for Customer departments and agencies not to overlook the opportunity presented by this provision.
Indemnity: The federal guide recognises that Contractors may require strong indemnities to be provided by the Customer. Care and caution needs to be exercised here. If the extension of the scope of the indemnity represents a derogation from the GITC Framework provisions this may be deemed invalid without the prior approval of the oversighting Contract Authority.
The federal guide’s recommendations cover various further issues including performance management, disengagement (portability) and intellectual property. These issues need to be addressed either in the detailed description of the services to be provided under the Customer Contract or as Additional Provisions. As mentioned above, it is important to be aware that any Additional Provision which derogates from the GITC Framework will be invalid unless approved by the oversighting Contract Authority.
Performance Management: Important operational issues and outcomes such as service levels, response times and flexibility of the cloud services are covered under this concept. Highly-informed and very practical recommendations are included in the guide. These issues can be addressed in the service description or as Additional Provisions.
Disengagement and transition (transition out/portability): Provision for the preparation of transition-out plans and the periodic review of plans are included as standard terms in Module 12 (Managed Services) in GITC. The parties need to reach agreement and include relevant particulars to meet the Customer’s business requirements. This is an important consideration not to be overlooked as an effective transition-out plan is essential to enable a Customer department to retain portability of the cloud services and to avoid being captured by or ‘locked in’ to a particular Contractor. When the Contract comes to an end, the Customer department needs to be able to transition-out efficiently and effectively to whatever new arrangement it has chosen.
Intellectual Property: The ownership of information and data must remain with the Customer department. Standard provisions used by providers of cloud computing services often provide for the transfer of ownership to the provider. These supplier provisions must be resisted. The provisions of the Public Records Act 2002 apply to all public records including records stored in a cloud computing application.
Business Continuity and disaster recovery arrangements: The Queensland guide identifies nine factors to be considered by agencies in determining whether acceptable provision has been made for these issues, including ongoing availability of data and data recovery (refer section 3.8). These matters are not dealt with in standard GITC provisions. The appropriate arrangements need to be captured either in the service description or as Additional Provisions.
Discovery requirements – litigation: Data and documents must remain accessible to Customer departments to enable the Customer to meets obligations to make the material available under the process of discovery relating to court procedures and proceedings.
The GITC v 5.02 framework provides considerable flexibility and scope to enable Customer Contracts to address effectively the challenges and opportunities presented by the procurement of cloud services by Government departments. The efficient operation and conduct of an ICT contract depends not only on the appropriateness of its written provisions but equally on the manner in which it is managed and implemented in practice. The same is true for ICT procurement by government under the GITC v 5.02 Framework.
The information in this publication is provided for general purposes only. It is not to be relied on as a substitute for legal advice. Crown Law and the Department of Justice and Attorney-General accept no liability for losses caused by reliance on the material in this publication. Formal legal advice should be obtained for particular matters.
Published: 15 February 2013
Author: Melinda Pugh