legal issues in cloud computing agreements - Australian ...
Records management requirements
Agencies should refer to Records management and the cloud - a checklist [14] prepared by the
National Archives of Australia for records management considerations in cloud computing. That
advice requires agencies to include appropriate controls and protections (for example through
agreement with the cloud service provider) that match the value of the records and address the
risks of cloud computing for an agency’s records.
Audit
All the protections described in this section may potentially be worthless unless the agency is
able to confirm that required information protection requirements are in fact being met. Audit of
cloud computing arrangements is one way of checking compliance. Audit of such arrangements
is however potentially complicated by:
• the location of the data – which, unless specifically identified and locked down in the
  agreement, may be unknown to the agency, and could be located in one or more discrete
  sites in foreign countries
• the nature of cloud computing itself which may involve agency data being spread across a
  large number of different provider computing devices (in order to harness the economies of
  scale and on-demand provision of computing that cloud computing services offer).
As a result, agencies should consider including the following rights in any agreement:
• restricting the locations/countries in which agency data may be held (with movement to
  new locations permitted with advance approval in writing from the agency)
• rights to audit the provider’s compliance with the agreement including rights of access to the
  provider’s premises where relevant records and agency data is being held
• audit rights for the agency (or its nominee), the Auditor-General and the Information
  Commissioner
• a right for the agency to appoint a commercial auditor as its nominee (as this allows the
  agency to appoint an auditor in the same location as the provider’s data centre to save costs
  and ensure compliance with relevant jurisdictional laws)
• where technically available, the right for the agency to remotely monitor access to its data
  and where this is not possible, a requirement that the provider maintain an audit log of
  access to the agency's data and provide that log to the agency on request.
Compensation for data loss/misuse
It is possible that data could be permanently lost by a cloud computing services provider in a
number of circumstances such as technical or operator error as well as fire or other disasters.
Similarly, there is always the risk of misuse of data by rogue employees of the provider or
compromise by external parties.
While the probability of such problems can be minimised by the provider ensuring offsite data
back-up, proper technical and security training and hardware maintenance, it is important for
an agency to consider how to address data loss or misuse in its agreement with the provider.
This is particularly the case where the data is provided by third parties (such as members of the
[14] http://www.naa.gov.au/Images/Cloud_checklist_with_logo_and_cc_licence_tcm16-44279.pdf
Negotiating the cloud – legal issues in cloud computing agreements | 10