Negotiating in the cloud - legal issues in cloud ... - About AGIMO

More documents

Recommendations

Info

the inclusion of standard Commonwealth exceptions to confidentiality including the right toprovide information to the relevant minister as well as houses of Parliament.Records management requirementsAgencies should refer to Records management and the cloud - a checklist 6 prepared by theNational Archives of Australia for records management considerations in cloud computing. Thatadvice requires agencies to include appropriate controls and protections (for example throughagreement with the cloud service provider) that match the value of the records and address therisks of cloud computing for an agency’s records.AuditAll the protections described in this section may potentially be worthless unless the agency isable to confirm that required information protection requirements are in fact being met. Audit ofcloud computing arrangements is one way of checking compliance. Audit of such arrangementsis however potentially complicated by:the location of the data – which, unless specifically identified and locked down in theagreement, may be unknown to the agency, and could be located in one or more discretesites in foreign countriesthe nature of cloud computing itself which may involve agency data being spread across alarge number of different provider computing devices (in order to harness the economies ofscale and on-demand provision of computing that cloud computing services offer).As a result, agencies should consider including the following rights in any agreement: restricting the locations/countries in which agency data may be held (with movement tonew locations permitted with advance approval in writing from the agency) rights to audit the provider’s compliance with the agreement including rights of access to theprovider’s premises where relevant records and agency data is being held audit rights for the agency (or its nominee), the Auditor-General and the InformationCommissioner a right for the agency to appoint a commercial auditor as its nominee (as this allows theagency to appoint an auditor in the same location as the provider’s data centre to save costsand ensure compliance with relevant jurisdictional laws) where technically available, the right for the agency to remotely monitor access to its dataand where this is not possible, a requirement that the provider maintain an audit log ofaccess to the agency's data and provide that log to the agency on request.Compensation for data loss/misuseIt is possible that data could be permanently lost by a cloud computing services provider in anumber of circumstances such as technical or operator error as well as fire or other disasters.Similarly, there is always the risk of misuse of data by rogue employees of the provider orcompromise by external parties.While the probability of such problems can be minimised by the provider ensuring offsite databack-up, proper technical and security training and hardware maintenance, it is important for6 http://www.naa.gov.au/records-management/publications/cloud-checklist.aspxNegotiating the cloud – legal issues in cloud computing agreements | 8
an agency to consider how to address data loss or misuse in its agreement with the provider.This is particularly the case where the data is provided by third parties (such as members of thepublic) and the agency risks legal liability in the event data is unrecoverable or usedinappropriately.An agency, in determining the risks posed by a cloud computing arrangement, should considerwhich party is best placed to manage those risks and therefore whether the agreement with thecloud service provider should:require the provider to be responsible for indirect and consequential losses (which willtypically be the type of losses that flow from data loss and misuse)include an indemnity from the provider in respect to data loss or misuse as a result of thenegligent, illegal or wilfully wrong act or omission of the provider or its personnelhave a separate liability cap for data loss or misuse that is sufficiently high to cover potentialliability arising from such loss or misuse.For more detail on the above terms, refer to the Liability section of this guide.SubcontractorsA critical component of ensuring that an agency has proper protection for its information is toensure, in the agreement with the provider, that any subcontractors of the provider are alsoobliged to meet the same requirements as the provider. If this is not done, an agency may findthat any protections it has negotiated into the agreement with the provider do not end up givingit the desired protection where the services are carried out by subcontractors. It will also beimportant to know who a provider’s subcontractors are so that an agency understands whatcompanies may have access to the agency’s systems and data.LiabilityLimitations on liabilityIn common with traditional information technology agreements, cloud service agreementstypically seek to minimise the provider's liability for any loss that arises from the provision ofthe service. This may include:excluding indirect and consequential losses (such as data loss)setting low liability caps (typically equivalent to one year’s fees under the agreement) or insome cases excluding liability entirelynot excluding key types of liability from any liability cap.Agencies should seek to comply with the Commonwealth's policy on capping supplier liability ininformation technology contracts (see Finance Circular 2006/03 7 ) when negotiating limitationswith providers. The starting point is that the Commonwealth will accept a cap on the provider'sliability as a default position in information technology contracts provided that a list ofexceptions to the cap is agreed by the provider. These exceptions are:personal injury (including sickness and death)loss or damage to tangible propertybreach of privacy, security or confidentiality obligations7 http://www.finance.gov.au/publications/finance-circulars/2006/03.htmlNegotiating the cloud – legal issues in cloud computing agreements | 9
Page 1 and 2: Negotiating the cloud - legal issue
Page 3 and 4: IntroductionLike cloud computing it
Page 5 and 6: This guide canvasses typical issues
Page 7: the level of security and encryptio
Page 11 and 12: The service levels have to be meani
Page 13 and 14: Legal advice on terminationTerminat
Page 15 and 16: laws) as may data that is transferr
Page 17 and 18: General legal guidance AGS Legal Br
Page 19: AcknowledgmentsThis guide was writt

Negotiating in the cloud - legal issues in cloud ... - About AGIMO

Create successful ePaper yourself

Delete template?

Save as template?