Cloud computing is essentially access over the internet to business software or user data stored on servers at a remote location or locations. Although not a new concept, cloud computing is still a relatively unfamiliar and complex area
of ICT that many people
find challenging.
Benefits
There are many potential benefits of the cloud model including:
- Device and location independence – users can access from anywhere.
- On-demand self-service – users can unilaterally obtain and deploy resources.
- Scalability and elasticity – no need for users to engineer for peak loads.
- Cost – reduced cost of acquisition and ownership.
Risks
Cloud computing can also bring risks including:
- Data security – giving supplier control over security.
- Privacy – ensuring personal information is not accessed without authority.
- FOI and archives – ensuring access to data for FOI and archives compliance.
- Data ownership and access – customer needs to own and access data when needed.
How to manage the risk
Although some procurement advisors might secretly hope cloud computing goes the same way as the dinosaurs, the substantial benefits it offers means it is here to stay, and procurement and legal advisors need to try and help their clients manage the risks.
Some examples of terms that reduce risk are:
Responsibility for services – clearly allocate responsibility for the services between the customer and the supplier.
Data location, access and ownership – make it clear where the data can be stored, from where and by whom it can be accessed, and that the customer always owns the data.
Data privacy and protection – ensure the supplier has to comply with relevant privacy laws, and be aware of the European Union’s General Data Protection Regime (GDPR). Ensure the supplier has to protect customer data from unauthorised access by a third party (including its other customers), comply with the customer’s security requirements (including security accreditation requirements), and follow a clear process for data return.
Business continuity and disaster recovery – include clauses covering data loss, corruption and back-ups and requiring the supplier to develop and maintain a detailed and robust business continuity and disaster recovery plan (and ensure the supplier can’t rely on force majeure provisions unless all business continuity and disaster recovery obligations have been complied with).
Flexibility and scalability – ensure the customer can easily ramp up/ramp down its use of the service based on pre-agreed pricing and within reasonable time periods.
Performance requirements – ensure there are performance standards for critical service requirements, including availability/uptime, response and processing time for key functions, security, data access and portability, and customer support response and resolution times.
Supplier suspension and termination – ensure any right for the supplier to terminate for late payment only occurs if payment is 60+ days late, and two late notices are received from the supplier. Also ensure the supplier can’t suspend services if there is a dispute under the contract.
Liability and indemnities – try not to have force majeure provisions and any exclusions to the supplier’s liability should be specifically listed (e.g. loss of profit). Make sure any limit on liability doesn’t apply to IP infringement, breaches of privacy, confidentiality, security or data loss and ensure you get an indemnity for third party IP infringement claims against the customer.
Need help?
The team at Proximity has significant experience assisting government sector clients procure cloud services.
Contact us on 1800 959 885 or enquiries@proximity.com.au
