
Cloud Computing and the Public Sector



Presented by Philip Nolan, partner, Mason Hayes+Curran on 6 April 2011.


  1. The Irish Public Sector: The Cloud Effect. 6 April 2011. Regulating the Cloud: Legal Considerations for Cloud Computing in the Public Sector. Philip Nolan, Partner and Head of Commercial Law
  2. Just as the Internet has led to the creation of new business models unfathomable 20 years ago, cloud computing will disrupt and reshape entire industries in unforeseen ways. To paraphrase Sir Arthur Eddington – the physicist who confirmed Einstein’s Theory of General Relativity - cloud computing will not just be more innovative than we imagine; it will be more innovative than we can imagine.
  3. Overview
       • How are other governments adopting the cloud?
       • What themes/patterns are emerging?
       • What are the risks to be overcome?
           • Data security
           • Export of data
           • Long term retention
  4. Survey of leading countries
       • United States
       • United Kingdom
  5. United States
       • Exemplar and global leader for public sector cloud adoption
       • Policy has been driven directly by White House
       • Extremely sophisticated implementation
  6. “Cloud First”
       • Federal Cloud Computing Strategy, 8 February 2011
       • All Agencies/Departments to “evaluate safe, secure cloud computing options before making any new investments”
       • Cloud options must be rejected before procuring traditional IT
  7. “Cloud First”
       • Requires a “transparent security environment” between the Government and cloud providers
       • “The environment will move us to a level where the Federal Government’s understanding and ability to assess its security posture will be superior to what is provided within agencies today.”
  8. How does it work?
       • Very controlled process directed by General Services Administration (GSA)
       • Vendors must seek centralised pre-approval from GSA
       • Minimum standards:
           • Full ownership of data hosted in the cloud
           • Full copies of data downloadable at any time
           • Hosted within the continental US
           • 99.95% uptime
           • Compliance with all applicable laws
  9. How does it work?
       • Security assured under the Federal Risk and Authorization Management Program (FedRAMP)
       • Detailed and specified security obligations are set down
       • All vendors are continually assessed and monitored
  10. How does it work?
       • Solutions meeting these standards are pre-approved to be offered to US Federal Agencies
       • Solutions are sold on “”, a centralised store
       • Purchasing officers/CIOs for each agency can purchase services from this site
  11. Free cloud/web 2.0 services
       • E.g. Twitter, Facebook, blogs etc…
       • Special terms of service have been centrally negotiated
       • Removal of terms that are objectionable, e.g. indemnities, extreme limitations on liabilities
       • Agency wanting to use web 2.0 services can adopt these terms
  12. Best of All Worlds
       • procurement pre-screening centralised → legal compliance and security centrally assured
       • single price must be provided → market power of entire government leveraged
       • final purchasing decision is made by individual agency → services purchased are suitable for end user
  13. United Kingdom
       • “G-Cloud”
       • Project driven by Cabinet Office
       • Phase 2 reports just published
  14. UK vs US
       • Suggests a broadly similar approach to US
           • G-Cloud authority setting basic standards
           • Applications store for Government
           • Pre-approval required
           • Data is to remain with UK
           • Data is to remain under control of public body
           • Data to be returned on demand
       • Differences
           • All applications must be provided on at least two infrastructure providers to avoid lock in
           • Government to run its own data centres
  15. UK: Hybrid Cloud Approach
       • A hybrid cloud model: services will be run on both the UK Government’s own dedicated infrastructure and that of private entities, e.g. Microsoft
       • Infrastructure used will depend on degree of security required. Differing security standards (matching existing government security levels) will be provided
  16. Emerging themes
       • A global move to the cloud by public sectors
       • Some differences in approach, but patterns clearly emerging:
           • Centralised pre-approval, not a free-for-all!
           • Variable security standards: public info v tax returns
           • Public sector “champion” drives the initiative
           • Purchasing authority remains decentralised
           • Insistence that sensitive data remain within jurisdiction
  17. Programme for Government: The Challenge
       • “We will make Ireland a leader in the emerging I.T. market of cloud computing by promoting greater use of cloud computing in the public sector.”
       • What are the legal impediments to achieving this objective?
       • Can we overcome them?
  18. Legal Issues
       • Stem from a myriad of sources, but can be stated simply
       • Three key issues
           • Data security
           • Data export
           • Data availability
       • Problems with solutions
  19. Data Security: Problem
       • Data Protection Acts 1988-2003
       • Obligation on a “data controller” to ensure appropriate safeguards are in place
       • Failure = breach of statutory duty and liability in damages
       • Duty does not disappear when data is handed over to a “data processor” or put into cloud
  20. Data Security: Solution
       • Ensure cloud provider has adequate technical safeguards in place (NB: public sector pre-approvals)
       • Insist that provider agrees, in contract, to comply with Irish law
       • Require cloud provider to accept liability for data breaches (e.g. LA-Google Contract)
       • Seek audit rights
  21. Data Export: Problem
       • Export of personal data outside of EEA is heavily regulated
       • Generally need consent of data subject or special agreement to export data outside of EEA
       • Public bodies have specific security concerns – can the data be accessed by foreign states?
       • USA PATRIOT Act
       • UK Regulation of Investigatory Powers Act 2000
       • High profile but similar powers in most states
       • Discovery in civil litigation
  22. Data Export: Solution
       • Geographic location of cloud is key, potential “deal killer”
       • Insist that cloud is based in EEA to address DPA issues
       • Where security issues: Irish cloud!
       • Ireland = European data centre capital!
       • High level concerns may call for dedicated government cloud infrastructure (e.g. UK)
       • Issue does not arise for non-personal, non-sensitive information, e.g. publicly available document hosting
  23. Data Retention: Problem
       • Public sector under far reaching obligations to ensure that data is stored safely and is accessible over longer term: National Archives Act, Freedom of Information Act
       • Data subjects have a right to access and modify their data under Data Protection Acts
       • Similar private sector obligations: tax, employment, health and safety law
       • Does the cloud offer long term storage and access?
  24. Data Retention: Solution
       • Ability to download any information when needed.
       • Data back-up and that provider has disaster recovery systems
       • Ensure access to data in event of insolvency under contract
  25. Conclusion
       • Cloud is being enthusiastically embraced by neighbouring governments – Ireland is falling behind the curve
       • However, we can catch up!
       • Legal issues are surmountable with care and proper contracting
       • Best practices exist which can be followed