Jurisdiction - Australia
News
Cloud computing – what you need to know.

18 January 2012

 
 
Cloud computing is one of the fastest-growing global trends in the delivery of IT services, and the Australian Government Information Management Office recently released draft best practice guides that are a useful reminder of what to consider in deciding whether to use cloud computing services. 
 
How does it affect you?
 
  • Any business thinking of implementing cloud computing solutions should carefully assess both their risks and potential benefits.

 

  • The best practice guides are a useful introduction to a number of issues that any business should consider as part of such an assessment. These include privacy, security, confidentiality, subcontracting, performance management and ownership of information.
 
Background
 
Many organisations are turning to cloud computing to take advantage of the efficiencies and cost savings that it delivers. The Federal Government is no exception. In order to assist government agencies transition to cloud computing, the Australian Government Information Management Office released three draft best practice guides in November. The guides follow on from the Cloud Computing Strategic Direction Paper released in April, and address privacy, legal and financial considerations.
 
Issues to consider
 
The guides are a useful reminder of a number of issues to consider when determining whether cloud computing services are appropriate in a particular circumstance.
 
Privacy
 
The privacy guide recommends that, to ensure compliance with privacy obligations, an impact assessment be carried out before implementing any cloud computing solutions. Such an assessment should take into account:
 
  • what personal information will be handled;
  • how it will be collected;
  • how it will be used;
  • internal flows of information within the service provider;
  • disclosures by the service provider;
  • security and data quality measures in place to protect information; and
  • any privacy, secrecy or other relevant legislation applying to the information.
 
Contracts should include stringent privacy and information security provisions, and include an express obligation on the service provider to comply, or assist, with any obligations arising as a result of privacy law reform. The provisions should make clear which party has the ultimate obligation for ascertaining or notifying the obligations.
 
Where privacy issues cannot be addressed adequately through contractual provisions, it may not be appropriate for personal or sensitive information to be transferred to the cloud. However, simply not transferring any personal information will be practically impossible in most cases if an organisation wishes to use infrastructure-based cloud computing services. In these cases, an alternative cloud computing service provider, alternative cloud model or a non-cloud solution should be used.
 
Data security
 
The legal issues guide recommends that there be a contractual requirement that the service provider destroy or sanitise sensitive information they hold at the end of the agreement. This requirement should be extended to all personal information, both to mitigate risk and to reflect the likelihood that this will be a requirement under reformed privacy legislation.
 
Confidentiality
 
It is important to keep information transferred to cloud computing service providers confidential, particularly when there is a regulatory obligation to do so. Also worth considering is the fact that any confidential information and trade secrets so transferred are likely to lose their secret or confidential nature if disclosed by the service provider in breach of an obligation of confidence. A duty to keep data confidential will not necessarily prevent breaches and the available responses to such a breach will rarely provide adequate compensation. Often, prevention is the only true cure for the loss of information's confidential or secret nature, and businesses should keep this in mind when deciding what information to include in the cloud.
 
Subcontracting
 
The legal issues guide recommends that contracts require that any subcontractors are obliged to meet the same privacy and security requirements as the service provider. This fails to address adequately the risks inherent in allowing work to be subcontracted. Although there may be some circumstances where subcontracting is necessary and appropriate, the risks involved mean that subcontracting should only be allowed at the customer's discretion. Businesses should seek a clause in contracts requiring that services only be subcontracted with the advance express consent of the business and allowing for such consent to be withheld at the business's sole discretion.
 
Performance management tools in contracts
 
The legal issues guide recommends that contracts include:
 
  • appropriate service levels that are meaningful and measurable;
  • response time requirements that meet the business's needs;
  • flexibility provisions, such as flexible pricing models and an ability to increase or decrease usage easily; and
  • business continuity and disaster recovery provisions.
 
It is also important that contracts:
 
  • ensure that businesses do not encounter any barriers when seeking to have whole or part of their cloud computing services provided by alternative sources;

 

  • provide for the business to have immediate and free access to its own data, and transfer that data to another service provider with minimal disruption of business, in the case of cessation of a service provider's business; and

 

  • adequately contemplate the service provider's accountability for ensuring the quality of service, to the extent that it is dependent on aspects of the public network links (such as reliability, bandwidth or latency), so that the business has a clear avenue of redress where service problems stem from network issues.
 
Ownership
 
The legal issues guide mentions that it is important to ensure that the agreement does not transfer any intellectual property ownership in the stored data to the service provider. Businesses should also be careful to avoid granting any unnecessary intellectual property licences. Some standard cloud computing services agreements contain broad licences to reproduce, publish and communicate data. While the rights to undertake such actions are likely to be necessary for the provision of the service, it is important that they are strictly limited to that purpose and not stated more broadly.
 
Privacy law reform
 
Australia's privacy law is currently being reformed. Proposed changes relevant to the use of cloud computing services include that:
 
  • Australian entities transferring personal information to an overseas recipient will, subject to narrow exceptions, be liable for the recipient's actions in relation to that information – including any breaches of the Privacy Act 1988 (Cth); and

 

  • entities will be required to notify individuals if personal information they collect is likely to be disclosed to overseas recipients and, if so, in which countries.
It will be important for businesses to be aware of the changes to their obligations under the new laws. For more information see Senate reports on Australian Privacy Principles here and we will update on further developments as they occur.
 
 
Conclusion
 
While cloud computing processes and the technology that drives them are rapidly developing, there remain inherent risks and vulnerabilities. Businesses should seek advice on mitigating these risks. However, many of the measures that can be taken to mitigate risks in cloud computing can result in a corresponding decrease in the service's financial efficiency. There is also a danger in cases of a fast-growing trend such as cloud computing that take-up can be based on the trend itself more than on business need, or suitability, for it. Throughout each step of a consideration and negotiation process, businesses should have as their primary consideration their reasons for entering into such arrangements.
 
 
For further information, please contact:
 
Niranjan Arasaratnam, Partner, Allens Arthur Robinson
niranjan.arasaratnam@aar.com.au
 
Margaret Walsh, Allens Arthur Robinson
 
Joelle Vincent, Allens Arthur Robinson
 

 

Leave a Reply

You must be logged in to post a comment.