The Australian Government Solicitor (AGS) is set to release a legal guide for government agencies considering the adoption of cloud computing.
The AGS is a government business enterprise which has for over a century acted for Australian Government agencies and entities in which the Government has a commercial interest.
Its cloud computing report will be penned by senior executive lawyer Adrian Snooks and senior lawyer Andrew Schatz, and will warn agencies about several risks associated with the new business model.
Schatz previewed the report at the Government 2.0 conference in Canberra, where he predominantly spoke in his professional - as opposed to official - capacity.
Schatz praised cloud computing for its value, mobility, agility, performance reliability and even security, despite common criticisms of privacy and security risks in the cloud.
“Cloud gives agencies access to privacy and security enhancing resources that [they] would not otherwise be able to afford, or have the technical capacity to do,” he told the conference.
But agencies could not duck legal risks associated with the as-a-service model, he said, and needed to be aware of their nature and explore ways they can be resolved.
Schatz raised several concerns that iTnews and Truman Hoyle solicitors addressed in an exclusive research report released in April 2011.
"Some of the things that make cloud computing good may be incompatible with certain things that Government does," he noted.
In particular, government agencies seeking to store personal data offshore would need to carefully consider their obligations under the Privacy Act 1988 (Cth) and the Information Privacy Principles.
Some forms of Government data may be suitable for migration into the cloud, he said, but foreign laws may require a cloud provider to submit information to that foreign government under some circumstances without informing the customer.
Issues of termination, dispute resolution and jurisdiction needed to be clear and understood, he said.
“An agency may agree to a clause which provides that disputes are to be resolved by some form of arbitration or in particular foreign courts without realising how expensive, or how difficult, it may be in a practical sense, to do that,” Schatz said.
Schatz also raised some new problems: large cloud computing companies may have some difficulty appreciating the restrictions agencies face in agreeing to standard indemnity clauses due to their obligations under the Financial Management and Accountability Act (FMA Act), he noted.
Schatz previewed a checklist of questions to consider when engaging a cloud provider:
- Are ‘contractual measures’ sufficient to ensure Information Privacy Principle compliance where relevant?
- Are national security or confidentiality issues properly addressed?
- Are any applicable FMA or other procurement obligations met?
- Have appropriate service level, response time, business continuity and disaster recovery clauses been included in the agreement?
- Are appropriate termination/disengagement clauses included?
- Has advice been sought on dispute resolution / jurisdictional issues?