Cloud computing offers many benefits. It is scalable, flexible and, as both infrastructure and software can be hosted online, it helps reduce an organisation’s IT costs. In the age of austerity this final factor is perhaps the most important for government bean counters. Mark Adair considers some of the key legal risks that cloud based solutions present to government and how the UK government is practically addressing these risks in its new G-Cloud cloud computing procurement and contracting model.
Government special requirements in cloud computing contracts
By their very nature, governments have sector specific needs and requirements that a typical cross-jurisdictional ‘one size fits all’ cloud services contract does not meet. Cloud computing is in its relative infancy, but large government and financial institutions are becoming aware of the cost savings and efficiencies associated with cloud based commodity services (i.e. off-the-shelf cloud services). I believe that this will drive a change in the contracting model for cloud based services and may signal the death knell for the supplier-biased cloud computing contracts that currently swamp the market.
An example of how some governments are facing the challenges of procuring cloud based services is the UK government’s G-Cloud initiative. G-Cloud establishes an umbrella Framework Agreement with a large number of cloud vendors for cloud based commodity services (i.e. off-the-shelf cloud services). Interested public sector bodies can then enter into a Call-Off Agreement made pursuant to the terms of the G-Cloud framework. The government customer reviews the following types (or ‘lots’) of cloud based services via a searchable online catalogue called CloudStore and can purchase the cloud services it requires without needing to go through a full tender process:
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
- Specialist Cloud Services (SCS)
The UK government’s ‘Cloud First Policy’ mandates central government to consider the use of G-Cloud in the first instance and “strongly recommends” that all other public bodies consider the use of G-Cloud when carrying out IT procurements.
G-Cloud: cloud computing is not all about data security
The most common concern raised by public servants when moving to the cloud is privacy and data security. To try to alleviate these data security concerns the UK government has published a ‘Summary of Cloud Security Principles’. These principles set out the essential security standards that a government customer should consider when evaluating cloud services. Cloud vendors should pay particular attention to the ‘data segregation’ and ‘personnel security’ principles.
For those still concerned about data security, a portable storage device containing private data is arguably less secure than an encrypted private cloud service. Private data was in fact lost or stolen from UK local councils more than 1,000 times between 2008 and 2011, usually when a CD or USB memory stick went astray.
To illustrate how data protection can be addressed in practice, the G-Cloud framework puts onerous data security obligations on cloud vendors, such as:
“CO 3.4 To the extent that the Supplier Processes Service Personal Data the Supplier shall:
CO 3.4.1 Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement;
CO 3.4.2 Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body;
CO 3.4.3 implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected;
CO 3.4.5 take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data;
CO 3.4.6 ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause;”
Automatically incorporating online terms
Sometimes a cloud vendor’s standard form of agreement purports to incorporate separate documents and software licence terms that are located on the vendor’s website. The cloud vendor often reserves the right to update these external terms at any time. This is problematic for government customers as they need to follow the correct internal legal and regulatory approvals for contractual terms, including approval for any subsequent changes to the signed agreement. A typical G-Cloud agreement addresses this by setting out an order of precedence, so that a term in a document higher in the list overrides any contradicting terms lower in the list:
- the Framework Agreement
- the Call-Off Agreement
- the Order Form
- the Supplier’s terms and conditions – which can only be set out in Framework Schedule 1
- any other document referred to in the clauses of the Call-Off Agreement
Assurance – if something goes wrong
In a previous article I discussed at length how any potential customer of cloud based services can approach negotiating service levels with a vendor who tries to disclaim all liability for faults with the cloud service. For government it is ‘non-negotiable’ that the cloud service has built-in performance level standards. If these are not met, government customers should insist on some sort of compensation, whether financial liquidated damages/service rebates or the provision of free additional services from the cloud vendor to correct the fault or as a ‘value add’.
Schedule 1 of the G-Cloud framework states that service levels and financial recompense will be set out in the Service Definition that the cloud vendor will provide:
“S1-2.1.8 Service Levels (e.g. performance, availability, support hours, severity definitions etc.);
S1-2.1.9 Financial recompense model for not meeting service levels;”
Confidential Information – important for government customers
Government customers should be cautious when agreeing to a cloud vendor’s standard confidentiality clause. These often permit the cloud vendor to disclose confidential information to subcontractors who could be located anywhere in the world and who may not be required to comply with the strict obligations in the main contract between cloud vendor and government.
The G-Cloud framework covers off these risks as follows:
“FW 26.3 The Supplier shall ensure that the Supplier Staff (which includes Sub-Contractors) are aware of the Supplier’s confidentiality obligations under this Framework Agreement and shall use its best endeavours to ensure that the Supplier Staff comply with the Supplier’s confidentiality obligations under this Framework Agreement and in relation to the Call-Off Agreements.
CO 3.6 The Supplier shall:
CO 3.6.1 obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services;”
Disengagement – don’t leave them hanging
A government customer should strongly advocate for a disengagement regime on expiry or termination that provides for the destruction or return of confidential information and a seamless transition, either to another cloud provider or back to the government’s own operations. The G-Cloud framework requires a cloud vendor to:
“CO 10.3 Within ten (10) Working Days of the earlier of the date of expiry or termination (howsoever arising) of this Call-Off Agreement, the Supplier shall return (or make available) to the Customer:
CO 10.3.1 any data (including (if any) Customer Data), Customer Personal Data and Customer Confidential Information in the Supplier’s possession…save that it may keep one copy of any such data or information for a period of up to 12 Months to comply with its obligations under the Framework Schedule FW-5, or such period as is necessary for such compliance (after which time the data must be deleted); and
CO 10.4 The Customer and the Supplier shall comply with the exit and service transfer arrangements as per the Supplier’s terms and conditions identified in Framework Schedule 1 (G-Cloud Services).”
A cloud computing service that ‘works’
The most common comment I see from government customers in respect of a cloud vendor’s standard contract is along the lines of “The contract is intended to secure the delivery of a fully functioning cloud service to [customer] and at the end of the day the cloud solution must work”. In other words, the government customer is saying that regardless of what the cloud vendor is obliged or not obliged to do under the contract, the government customer just wants a cloud service that operates correctly to their standards for the quoted price.
Conclusion: G-Cloud around the world
In my view, more governments around the world will begin to adopt the UK approach to ‘government cloud’. Individual government customers will be discouraged from the expensive and time consuming process of trying to negotiate bespoke cloud solutions with single vendors. Governments will instead create a panel and appoint hundreds if not thousands of cloud vendors who can provide differing cloud based commodity off-the-shelf services. During the procurement process the government customer will have to understand what it wants and determine the off-the-shelf solution from the panel that best fits its needs rather than requesting a bespoke solution. Undoubtedly, though, those cloud vendors who can address the needs of government customers in a timely and effective manner and customise their off-the-shelf solution as far as possible will be best placed to win ongoing business.