Overstepping its boundaries?
Last month, an e-mail was sent out from the government’s public procurement unit, warning the Irish public sector of pitfalls in cloud computing. Assistant director Tom O’Brien name-checked Microsoft (“among others”) when warning that vendor agreements were “little more than a string of disclaimers”.
The chief state solicitor’s office had apparently identified issues around data protection, confidentiality, security and liability that did not meet public sector requirements. Legal advice was considered essential before public sector bodies pursued a cloud engagement.
The episode characterises the game-changing challenges of the cloud, and offers a stark reminder that, while the benefit is IT simplicity, handing over technology to a third-party service provider can bring unexpected complexity. “It’s positive that the discussion is getting to a more detailed level,” said Mark Rasdale, a technology lawyer with Matheson Ormsby Prentice.
“Security and privacy issues are coming to the fore and suppliers are showing a willingness to engage and create circumstances where the necessary assurances can be built in.”
Under the terms of the EU Directive 95/46/EC, which Ireland has implemented, the legal onus is on the cloud provider to ensure data is secure and only used for the purpose it was collected. Personal information cannot be transferred outside the EU economic area unless a number of strict conditions are met.
The bottom line is that, even with the amendments to the original Data Protection Act, it remains outdated and tied to notions of point-to-point data movement. “Geolocation calls for a revision of the act which didn’t contemplate these types of solutions, and it has to catch up with technology.”
He said he believed the government e-mail demonstrated a sensible degree of caution, because a lot of contracts didn’t cover the areas that the public sector needed covered. “Government sensitivity is even more heightened because of its responsibility to citizens. There’s a need to demonstrate caution in a very public way.”
Cloud paradox
For the private sector as well as public bodies, it highlights something of a paradox, according to Rasdale, because the appeal of Salesforce-type offerings is that they are affordable and easy to use because they are standardised. The challenge is that the standardisation may not always fit with the legal requirements of each territory.
“You have to make sure that their terms and conditions match your requirements, but at the same time I wouldn’t overplay the risks,” he said.
“The good news is that there is a lot of activity in the cloud sector, as organisations try and solve these problems. Attempts are being made to come up with industry standards.”
Rasdale said that organisations could dip their toes in cloud computing in a way that didn’t raise data privacy issues. They just needed to adopt a proportionate and common-sense approach.
If it is a low-spend non-business critical cloud contract, then negotiations can be more flexible, but if it is business-critical then the terms of the agreement have to be more stringent. “The solution needs to match the business requirements, and the level of engagement with suppliers needs to match the risk,” he said.
Long-term, Rasdale is confident that the regulatory environment will adapt to reflect the changing IT landscape. Elsewhere in the world, there are signs that it is already happening.
In the US, the government is pushing the cloud delivery model, and has launched an online portal, Apps.Gov. The British government has also launched a cloud initiative. In both instances there is a desire for the public sector to avail of the economic benefits while ensuring that security and privacy issues are taken care of.
“We’re at the early stages of something that will become quite standard in the next five years, because the private cloud is the logical place for governments to go. If we’re saying we are a unique hub for data centre location it seems logical that there’s a business case to be made in our government for using this type of technology.”