Head in the Clouds - C&P - Victorian Government Solicitor`s

Commercial and Property
Client Newsletter
Head in the Cloud, Feet Firmly Planted
August 2011
Introduction
In 2008, it was predicted that cloud computing
would be as influential as e-business itself. Cloud
computing can be defined as information
technology infrastructure that hosts data or
applications in the 'cloud'; that is, offsite and
geographically remote software or data storage,
which is accessed via the internet. The
enthusiasm for cloud computing has continued
into 2011, with a large number of organisations
world-wide adopting it, including many
government organisations in Australia. For
example, the Australian Taxation Office has a
number of administrative support systems which
employ cloud service types, such as eTax and the
Electronic Lodgement System. The rapid
adoption of cloud computing is not surprising,
given the numerous benefits it presents to
organisations. These include cost savings,
resource scalability, efficiency and availability.
However, cloud computing also presents a
number of risks to organisations and businesses.
This newsletter discusses the key risks to a
government organisation posed by cloud
computing, as well as a number of contractual
safeguards which can be employed in order to
mitigate those risks.
Summary
Cloud computing has been at the forefront of
information technology trends and developments
in recent times. Despite extensive media and
other coverage on this new approach to
information technology, many organisations are
still reluctant to make the leap into cloud
computing.
This newsletter discusses the key risks posed by
cloud computing from a government perspective
and suggests a number of contractual safeguards
which can help to mitigate those risks.
Key risks posed by cloud computing
for government organisations and
contractual mitigation methods
Security
In contrast with traditional methods of data
storage, hosting data in a cloud environment
means that an organisation relinquishes physical
control of the data and is instead reliant on the
service provider to adopt appropriate security
measures to protect the data. It is therefore
particularly important for government
organisations to ensure that service providers
have stringent security measures, which are
reflected in contractual provisions.
The following factors should be considered by a
government organisation prior to adopting a
cloud-based model and addressed in the contract
with the service provider:

• data is appropriately partitioned,
  segregated and encrypted;

• the service provider has the ability to
  prevent unauthorised access and has
  strict access controls, including in
  relation to visits to the service
  provider's premises;

• access to data is logged, and the
  organisation has appropriate monitoring
  capabilities, including the ability to
  monitor access to its data;

• the service provider has appropriate
  procedures and mechanisms to respond
  effectively to security incidents and
  breaches, and is required to notify the
  government organisation of any
  security incidents;

• there are appropriate employment
  checks and vetting of personnel by the
  service provider;

• all subcontracting by the service
  provider is approved by the
  government organisation;

• the government organisation is notified
  of any material changes to the service
  procured, for example, changes in the
  physical location of the cloud service,
  the applicable security framework
  (including changes in security standards
  and processes) and any change in
  control of the service provider;

• the government organisation has the
  ability to conduct audits and obtain
  access to third party certification
  reports;

• the government organisation has the
  ability to direct the service provider to
  destroy certain data on request; and

• the government organisation has the
  ability to conduct forensic
  investigations if required.
Privacy
If a government organisation wishes to use cloud
technology to host its data, and that data includes
personal information, the organisation should
ensure that it is capable of complying with the
Information Privacy Principles under the
Information Privacy Act 2000 (Vic), in
particular:
1. IPP 4.1, which requires that an
   organisation take reasonable steps to
   protect personal information from
   misuse, loss, unauthorised access,
   modification and disclosure; and
2. IPP 4.2, which requires that an
   organisation take reasonable steps to
   destroy or permanently de-identify
   personal information if it is no longer
   needed for any purpose.
Offshore considerations
If the service provider is an offshore entity, has a
foreign parent company, or stores its data
offshore, additional risks will be present.
Government organisations will need to consider
whether IPP 9, relating to transborder data
flows, will apply to the proposed cloud
arrangement. If IPP 9 applies, the service
provider will typically be required to be subject
to a privacy regime which is similar to that
contained in the Information Privacy Act, or
agree to be contractually bound by the
Information Privacy Act.
In addition, the organisation will need to be
mindful that its information may be subject to
foreign laws and requirements. Jurisdiction is
commonly asserted over data which is physically
located within that jurisdiction. Therefore, data
located offshore has the potential to be accessed
by foreign governments, particularly law
enforcement agencies.
If the data to be stored contains personal
information, this may infringe the unauthorised
access restriction in IPP 4. Law enforcement
agencies may have the ability under law to
require a service provider to remove information
from its server, which will affect an
organisation's ability to comply with record
keeping obligations (see below). Organisations
should ensure that the service provider is
required to notify them of any access to their data by a
law enforcement agency, and of any changes in
the regulatory framework in the jurisdiction in
which the data is located.
Having data located offshore will also limit the
ability of a government organisation to take
remedial action and may present enforcement
difficulties, should the organisation be required
to take action against a service provider.
Record keeping and auditing
Before adopting a cloud computing model,
government organisations should ensure that they
will continue to be able to comply with all
applicable record-keeping requirements.
A number of record-keeping considerations
apply. The Public Records Act 1973 (Vic)
requires that government records be managed in
a way to ensure that the records can be proven to
be authentic and reliable. Government
organisations will also need to ensure that the
evidential value of records is not diminished in
any way by the use of cloud computing.
Otherwise, this may affect their ability to comply
with the Evidence Act 2008 (Vic). Data must be
readily accessible in order for a government
organisation to be able to comply with its
requirements under the Freedom of Information
Act 1982 (Vic) and to be able to respond to any
requests for discovery under common law.
Government organisations must also ensure they
will be able to comply with various financial and
performance audit requirements under the Audit
Act 1994 (Vic).
In order to ensure that the government
organisation can comply with these record-keeping
and audit obligations, the service
contract should contain the following:

• near-continuous service availability for
  business continuity, comprehensive
  data backup mechanisms, disaster
  recovery mechanisms including the
  ability to restore data promptly, and
  redundancy mechanisms; and

• the return of data in useable form
  following the termination of the service
  agreement, in addition to other
  transition-out arrangements.
Conclusion
This newsletter outlines a number of key risks
posed by cloud computing for government
organisations, and sets out a number of
contractual safeguards which can help to
mitigate those risks.
While contractual safeguards play a key role in
minimising the risks presented by cloud
computing, the contract is only one aspect of the
cloud computing deployment strategy which
government organisations need to adopt.
Organisations will need to perform a thorough
risk analysis to identify and assess relevant risks,
and determine whether the benefits presented by
cloud computing outweigh the risks. The nature
of cloud computing means that there will be a
level of residual risk which cannot be mitigated.
It may be that these residual risks are too great
for a government organisation to proceed.
If an organisation decides to go ahead,
comprehensive due diligence should be
conducted on prospective service providers. The
deployment model adopted (i.e. a private,
community, public or hybrid cloud) will need to
reflect the risk assessment, and in particular,
factors such as the nature and sensitivity of the
information being stored in the cloud. After the
service contract has been carefully negotiated
and drafted to minimise the underlying level of
risk in the service, the organisation should
regularly monitor and review the service being
provided to ensure that the risks are being
appropriately managed.
For further information
For further information or legal advice on any
issues raised in this client newsletter contact:
Stephen Lee, Assistant Victorian Government
Solicitor
stephen.lee@vgso.vic.gov.au
(03) 8684 0410
Shaun Le Grand, Assistant Victorian Government
Solicitor
shaun.legrand@vgso.vic.gov.au
(03) 9247 3053