negotiating-the-cloud-legal-issues-in-cloud-computing-agreements-v1.1
Agencies should also consider the practical implications of their Privacy Act obligations, including whether specific contractual measures enabling them to meet their obligations are required. For example, IPP 7 (Alteration of records containing personal information) requires agencies, where an individual's request to alter a record has been refused, to attach a statement to the record on request. Agencies would need to ensure that a cloud service provider is obliged to meet this requirement.
Future privacy compliance

From March 2014, 13 new Australian Privacy Principles (APPs) will apply to both the public and private sector. For Australian Government agencies these APPs will replace the current IPPs. The APPs are structured to reflect the information life cycle from notification and collection, through to use and disclosure, security, access and correction.

While the changes to the Privacy Act will not take effect until March 2014, agencies should start preparing now to ensure compliance with the new APPs. This may include considering the impact of the APPs in any cloud computing procurements agencies anticipate undertaking.

The OAIC will produce detailed guidance, published on the OAIC website [12], to assist agencies to understand the impact of the reforms and make the necessary changes to agency information handling practices.
Security

Clearly one significant issue for any cloud computing agreement where the provider holds, or is able to access, an agency's data is the security of that data. This issue is heightened from a risk perspective where the data is sensitive (including personal information).

Agencies should refer to the Defence Signals Directorate's Cloud Computing Security Considerations [13] for detailed guidance on issues to consider from a security perspective. In following this guidance, agencies should develop a comprehensive risk assessment to make an informed decision on the suitability of adopting a cloud-based solution and assess the appropriate security protections it requires. The following are contractual measures that may, depending on the circumstances including the type of cloud service used, be appropriate to include in an agreement for cloud computing services:
- where the service is to be provided from a location within Australia, a prohibition on the provider transmitting data outside of Australia without the prior approval of the agency
- the level of security and encryption to be applied to agency data held and transmitted by the provider
- the level of access security protocols to be implemented by the provider to defeat unauthorised attempts to access the data by third parties, provider personnel and other customers of the provider
- where physical media is damaged and replaced, requirements for the sanitisation or deletion of data in the damaged media
[12] http://www.oaic.gov.au/
[13] http://www.dsd.gov.au/infosec/cloudsecurity.htm
Negotiating the cloud – legal issues in cloud computing agreements | 8