Data Residency: Challenges and the Need for Standards
Cloud Computing and the Public Sector
1. The Irish Public Sector: The Cloud Effect
6 April 2011
Regulating the Cloud: Legal Considerations for Cloud
Computing in the Public Sector
Philip Nolan
Partner and Head of Commercial Law
2. Just as the Internet has led to the creation of new business
models unfathomable 20 years ago, cloud computing will
disrupt and reshape entire industries in unforeseen ways.
To paraphrase Sir Arthur Eddington (the physicist who
confirmed Einstein’s Theory of General Relativity), cloud
computing will not just be more innovative than we imagine;
it will be more innovative than we can imagine.
3. Overview
• How are other governments adopting the cloud?
• What themes/patterns are emerging?
• What are the risks to be overcome?
• Data security
• Export of data
• Long term retention
5. United States
• Exemplar and global leader for public sector cloud
adoption
• Policy has been driven directly by White House
• Extremely sophisticated implementation
6. “Cloud First”
• Federal Cloud Computing Strategy, 8 February 2011
• All Agencies/Departments to “evaluate safe, secure
cloud computing options before making any new
investments”
• Cloud options must be rejected before procuring
traditional IT
7. “Cloud First”
• Requires a “transparent security environment”
between the Government and cloud providers
• “The environment will move us to a level where the
Federal Government’s understanding and ability to
assess its security posture will be superior to what is
provided within agencies today.”
8. How does it work?
• Very controlled process directed by General Services
Administration (GSA)
• Vendors must seek centralised pre-approval from
GSA
• Minimum standards:
• Full ownership of data hosted in the cloud
• Full copies of data downloadable at any time
• Hosted within the continental US
• 99.95% uptime
• Compliance with all applicable laws
9. How does it work?
• Security assured under the Federal Risk and
Authorization Management Program (FedRAMP)
• Detailed and specified security obligations are set
down
• All vendors are continually assessed and monitored
10. How does it work?
• Solutions meeting these standards are pre-approved
to be offered to US Federal Agencies
• Solutions are sold on “apps.gov”, a centralised store
• Purchasing officers/CIOs for each agency can
purchase services from this site
11. Free cloud/ web 2.0 services
• E.g. Twitter, Facebook, blogs etc…
• Special terms of service have been centrally
negotiated
• Removal of terms that are objectionable, e.g.
indemnities, extreme limitations on liabilities
• Agency wanting to use web 2.0 services can adopt
these terms
12. Best of All Worlds
• procurement pre-screening centralised
→ legal compliance and security centrally
assured
• single price must be provided
→ market power of entire government leveraged
• final purchasing decision is made by individual agency
→ services purchased are suitable for end user
13. United Kingdom
• “G-Cloud”
• Project driven by Cabinet Office
• Phase 2 reports just published
14. UK vs US
• Suggests a broadly similar approach to US
• G-Cloud authority setting basic standards
• Applications store for Government
• Pre-approval required
• Data is to remain with UK
• Data is to remain under control of public body
• Data to be returned on demand
• Differences
• All applications must be provided on at least
two infrastructure providers to avoid lock in
• Government to run its own data centres
15. UK: Hybrid Cloud Approach
• A hybrid cloud model: services will be run on both
the UK Government’s own dedicated infrastructure
and that of private entities, e.g. Microsoft
• Infrastructure used will depend on degree of security
required. Differing security standards (matching
existing government security levels) will be provided
16. Emerging themes
• A global move to the cloud by public sectors
• Some differences in approach, but patterns clearly
emerging:
• Centralised pre-approval, not a free-for-all!
• Variable security standards: public info v tax
returns
• Public sector “champion” drives the initiative
• Purchasing authority remains decentralised
• Insistence that sensitive data remain within
jurisdiction
17. Programme for Government: The Challenge
• “We will make Ireland a leader in the emerging I.T.
market of cloud computing by promoting greater use
of cloud computing in the public sector.”
• What are the legal impediments to achieving this
objective?
• Can we overcome them?
18. Legal Issues
• Stem from a myriad of sources, but can be stated
simply
• Three key issues
• Data security
• Data export
• Data availability
• Problems with solutions
19. Data Security: Problem
• Data Protection Acts 1988-2003
• Obligation on a “data controller” to ensure
appropriate safeguards are in place
• Failure = breach of statutory duty and liability in
damages
• Duty does not disappear when data is handed over
to a “data processor” or put into cloud
20. Data Security: Solution
• Ensure cloud provider has adequate technical
safeguards in place (NB: public sector pre-
approvals)
• Insist that provider agrees, in contract, to comply
with Irish law
• Require cloud provider to accept liability for data
breaches (e.g. LA-Google Contract)
• Seek audit rights
21. Data Export: Problem
• Export of personal data outside of EEA is heavily
regulated
• Generally need consent of data subject or special
agreement to export data outside of EEA
• Public bodies have specific security concerns – can
the data be accessed by foreign states?
• USA PATRIOT Act
• UK Regulation of Investigatory Powers Act 2000
• High profile but similar powers in most states
• Discovery in civil litigation
22. Data Export: Solution
• Geographic location of cloud is key, potential “deal
killer”
• Insist that cloud is based in EEA to address DPA
issues
• Where security issues: Irish cloud!
• Ireland = European data centre capital!
• High level concerns may call for dedicated
government cloud infrastructure (e.g. UK)
• Issue does not arise for non-personal, non-sensitive
information, e.g. publicly available document
hosting
23. Data Retention: Problem
• Public sector under far reaching obligations to
ensure that data is stored safely and is accessible
over longer term: National Archives Act, Freedom of
Information Act
• Data subjects have a right to access and modify
their data under Data Protection Acts
• Similar private sector obligations: tax, employment,
health and safety law
• Does the cloud offer long term storage and access?
24. Data Retention: Solution
• Ability to download any information when needed
• Data back-up, and confirmation that the provider has
disaster recovery systems in place
• Ensure access to data in event of insolvency under
contract
25. Conclusion
• Cloud is being enthusiastically embraced by
neighbouring governments – Ireland is falling
behind the curve
• However, we can catch up!
• Legal issues are surmountable with care and proper
contracting
• Best practices exist which can be followed