As a result, agencies should consider including the following rights in any agreement:

- restricting the locations/countries in which agency data may be held
- rights to audit the provider’s compliance with the agreement including rights of access to the provider’s premises where relevant records and agency data is being held
- audit rights for the agency (or its nominee), the Auditor-General and the Information Commissioner
- a right for the agency to appoint a commercial auditor as its nominee (as this allows the agency to appoint an auditor in the same location as the provider’s data centre to save costs and ensure compliance with relevant jurisdictional laws)
- where technically available, the right for the agency to remotely monitor access to its data.

Compensation for data loss/misuse

It is possible that data could be permanently lost by a cloud computing services provider in a number of circumstances such as technical or operator error as well as fire or other disasters. Similarly, where the agency allows the provider to hold data, there is always the risk of misuse by rogue employees of the provider or compromise by external parties. While the probability of such problems can be minimised by the provider ensuring offsite data back-up, proper technical and security training and hardware maintenance, it is important for an agency to consider how to address data loss or misuse in its agreement with the provider. This is particularly the case where the data is provided by third parties (such as members of the public) and the agency risks legal liability in the event data is unrecoverable or used inappropriately.
An agency should therefore consider whether the agreement with the cloud service provider should have:

- no exclusion for indirect and consequential losses (which will typically be the type of losses that flow from data loss and misuse)
- an indemnity from the provider in respect to data loss or misuse as a result of the negligent, illegal or wilfully wrong act or omission of the provider or its personnel
- a separate liability cap for data loss or misuse that is sufficiently high to cover potential liability arising from such loss or misuse.

For more detail on the above terms, refer to the Liability section of this guide.

Subcontractors

A critical component of ensuring that an agency has proper protection for its information is to ensure, in the agreement with the provider, that any subcontractors of the provider are also obliged to meet the same requirements as the provider. If this is not done, an agency may find that any protections it has negotiated into the agreement with the provider do not end up giving it the desired protection. It will also be important to know who a provider’s subcontractors are so that an agency understands what companies may have access to the agency’s systems and data.

7 Negotiating the cloud – legal issues in cloud computing agreements