The toolkit emphasises the need to assess the suitability of a cloud service provider (and the specific services provided) whether in relation to data protection, information security or service levels (all three of which overlap). How the assessment is undertaken will partly depend on for whom the service provider is being assessed and for what purpose. The toolkit aims to provide guidance that is usable in a range of scenarios including the procurement of cloud services on behalf of the University (e.g. via Purchasing); the procurement or selection of cloud services for a group within the University (e.g. a department or research group); the selection of cloud services by individual members of the University in connection with their employment or in some cases their role as a student or affiliate.
The formal procurement of cloud services will likely include a dialogue with the cloud service provider and assessment, as with other service procurements, will be undertaken within that process. The selection of a cloud service by an individual or a small group outside any formal procurement process may not involve any direct communication with the cloud service provider other than what is provided via the cloud service provider's own standard offering. In this case, the assessment should pay particular attention to the following types of document published by the cloud service provider (and sometimes consolidated into a single document):
- Terms of Service or Terms and Conditions or Customer Agreement
- The over-arching contractual (legal) document that defines the terms and conditions under which the service is offered to the customer or end-user. There may be variant forms of the Terms for business customers or for different geographic regions.
- The policy that defines how the service provider will make use of your data, particularly personal data.
- Service-level agreement (if distinct from the Terms of Service)
- A definition of the levels of service available (e.g. guaranteed availability; support channels; what happens when things go wrong; how changes to service are communicated).
- Acceptable Use Policy
- Permitted and forbidden activities in using the service. A breach of the acceptable use policy may result in termination of the service (with potentially the loss of data).
The sections on data protection and information security focus on particular (and sometimes overlapping) areas of service, but an assessment of a cloud service would generally, at a minimum, need to give attention to the following elements of the contractual terms of service:
- A contract for the use of a cloud service may range from an end-user license agreement (sometimes known as a “click-through” agreement) that you agree to by simply ticking a box, through to a carefully negotiated contract between the University and a particular supplier. Each will have legal implications, and the same or similar services may be offered as both consumer and enterprise services (e.g. Dropbox and Dropbox for Business; OneDrive and OneDrive for Business). If you “click-through” to a cloud service in your role as a member of University staff you may be binding the University, not just yourself, to the cloud supplier's standard terms and conditions (the supplier is unlikely to be aware that you have no ostensible authority to agree a contract on behalf of the University). The University only permits certain officers to sign contracts. It is important that you are fully aware of the circumstances in which you may agree to a cloud provider's terms and conditions. (See Statute XVI: Property, Contracts, and Trusts, Part C: Authority to Bind the University.)
- Variation of terms
- The cloud service provider may vary the terms of contract with little or no notification. The changed terms may be unacceptable (assuming you are aware of such changes), resulting in unplanned withdrawal or changed use of the service.
- Data location (including data transfer)
- The data has to be stored somewhere in the world. Exactly where may have an impact on your ability to fulfil obligations under the Data Protection Act. A cloud service provider may state that your data is held in one region (e.g. European Economic Area, EEA) but may also hold a backup of the data in another region (e.g. USA) or transfer data, in response to a support query, to the region where their customer support is located. Where it is the cloud provider itself which is importing the personal data outside the EEA, the contract between the University and the cloud provider must incorporate the model clauses described in “Cloud services and data protection law”. The US “Safe Harbor” framework has been invalidated as a basis for effectuating compliant data transfers. See: Information Commissioner's Office (ICO), “Data transfers to the US and Safe Harbor – interim guidance” (10 Feb 2016); “The Court of Justice [of the European Union] declares that the Commission’s US Safe Harbour Decision is invalid” (6 Oct 2015).
- Data backup and restoration
- You or the cloud provider may be responsible for ensuring data backup (and testing data restoration). You need to know which, especially if the cloud service is being used for the processing of original or master data.
- Data retention and deletion
- You are responsible for controlling your data and you will want to ensure that data is actually deleted when you issue that instruction to the cloud service; or that data is deleted when you cease to use the service. However, you should check the service terms for other occasions when data may be deleted (e.g. after a period of non-use of the service) and, should you terminate use of the service, you may wish to ensure that you are able to migrate or retrieve data stored in the service prior to it being deleted.
- Data access and disclosure
- All cloud service providers are likely to reserve the right to disclose your data in response to a court order or equivalent (and the jurisdiction(s) within which the cloud service is located may be relevant). However, some cloud service providers may reserve the right to disclose data, or grant access, to other parties or in particular circumstances that may not relate to legal obligations.
- Data security
- This is addressed in further detail under the Information Security section.
- Data licensing
- The terms of service may require you to grant a license to the cloud service provider to use your data. The usage may simply be in order to provide you with the service requested (e.g. the right to publish the data but possibly also to modify the data), or it may form part of the service provider's business model (e.g. data processing in order to display targeted advertising). You should ensure any license to use the data terminates with the termination of the service.
- Service availability
- The terms of the contract may specify aspirational targets for service uptime. However, compensation for downtime may not exist or may be restricted to service 'credits' (where the service is paid-for). Exceptions may restrict the circumstances in which any compensation can be claimed.
- Warranty, disclaimer and liabilities
- It is common for consumer-oriented (or 'free') cloud services to include a detailed disclaimer within the terms that ensures no warranty is given as to the fitness for purpose, availability, reliability, security, etc., except to the extent provided by law or service level agreement. In other words, the service is offered 'as is'. The disclaimer of any warranty of service is usually matched by limited (or no) liability for damages (e.g. resulting directly or indirectly from data loss, security breaches, service failure, actions of third parties). The limit of any liability is likely to be restricted to the fee paid for the service.
- Whilst limiting its own liability for damages, the standard terms of a cloud service may include warranties and liabilities that fall on the customer. In particular, it is not uncommon for the service provider to expect you to indemnify the service provider from claims against them arising from your use of the service (including 'free' services). In other cases, the indemnification may be mutual (“Each party agrees to indemnify and hold harmless the other party”). Note that exposing the University to unlimited indemnity must be approved by the Registrar.
The following examples, based on real clauses, illustrate how the University has negotiated what was an unacceptable clause (in the standard terms of service) to an acceptable clause (e.g. to ensure adequate data protection). Items changed are underlined.
|Standard (unacceptable) clause|Negotiated (acceptable) clause|
|---|---|
|Data location & transfer. The Customer’s data will be stored in [xyz] region. The Company will not move the Customer’s data without notification to the Customer, unless required by legal obligation or a requirement of any governmental entity. [i.e. can be moved to another region without consent, customer only needs to be informed; and customer data can be accessed by a governmental entity]|Data location & transfer. The Customer’s data will be stored in [xyz] region. We will not move the Customer’s data without the Customer’s prior written consent, unless required to by legal obligation. [i.e. no movement of data without express consent, no provision of data to governmental entities unless a legal obligation requires this]|
|Disclaimer of liability: THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICE OFFERINGS, INCLUDING ANY WARRANTY THAT THE SERVICE OFFERINGS WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. [i.e. disclaims liability for obligations accepted elsewhere in the agreement and which are necessary in order to comply with data protection law]|Disclaimer of liability: THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, UNLESS EXPRESSLY STATED IN THIS AGREEMENT REGARDING THE SERVICE OFFERINGS, INCLUDING ANY WARRANTY THAT THE SERVICE OFFERINGS WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS. [removes the offending disclaimers]|
The development of this toolkit aims to help minimise the level of effort required by individuals and groups within the University in the assessment of cloud service providers (using their published legal documentation).
- Data Processing Clause (currently Schedule 2 of “Cloud services and data protection law”).