Government and non-government clients, including water authorities, are increasingly contemplating the benefits and pitfalls of cloud computing. Once considered novel and unique, cloud computing, or the practice of using a network of remote servers which are accessed via the Internet to store, manage and process data, has become increasingly common place. Cloud computing boasts a number of benefits, including the ability to store and make available large amounts of data in a cost effective manner, with the ability to scale up or scale down on demand.

The possible downsides to cloud computing include privacy concerns, lack of control and access to data and manipulation of data, to name a few. For many organisations, particularly those charged with handling personal or sensitive information, or commercial-in-confidence data, these factors are viewed as a major deterrent. Careful consideration and analysis should be undertaken before a decision is made to introduce a cloud based solution to your organisation, particularly in circumstances where alternatives such as a bespoke or commercial-off-the-shelf software solution would suffice.

This article provides a basic overview of cloud computing and its characteristics and, importantly, outline some key issues you should consider before moving to a cloud based solution.

Cloud computing

At a basic level, cloud computing is information technology infrastructure that hosts applications, software, computing platforms and/or data at offsite data centres. Data stored in this infrastructure is accessed via the internet, rather than being hosted on and accessed through a local computer’s hard drive or local dedicated server. The servers used in a cloud computing solution may be located in Australia or overseas, depending on the service provider.  Examples of cloud computing solutions in daily life include Hotmail and Gmail.

Why cloud?

Your organisation may be under increasing pressure to consider cloud based computing solutions for the storage of either customer or client records or data collected as an inherent part of your business operations.

Cloud computing technologies are being advertised by service providers as being capable of unlocking performance improvements, generating greater efficiencies and assisting you to provide better service to your clients (by increasing transparency and flexibility of access to information and enabling easy transactions). Perhaps the most attractive benefits lie in the promise of removing reliance on expensive infrastructure and the risk of delays and high cost associated with traditional ICT or ICT enable projects and the move away from bespoke software solutions which are costly and require a huge investment by the customer.

Other examples of benefits for your organisation may flow through the ability to store large amounts of data for forecasting or prediction – with the cloud offering access via mobile devices such as iPads or smart phones. For a mobile workforce (for example, field officers or inspectors), access to data while on the move may provide greater efficiencies for your organisation and contribute to a better culture and improved user experience for both your staff and stakeholders.

Challenges and considerations

Some of the legal challenges and risks you may face when evaluating the suitability of a cloud computing solution for your operations include:

  • accessibility and reliable availability of data
    • what service levels will apply and what expectations does your organisation have regarding data availability? Is the system required 24 hours a day, 7 days a week, or 9am to 5pm on business days?
    • how will system downtime be dealt with? How much warning will your organisation have if the system is undergoing maintenance? How reliable is the system? What happens if there is a security breach and the system is taken off-line – what contingency plan will you have in place to ensure access to the data is still possible?
    • how will any downtime impact your users and customers? This is particularly relevant if the system is designed to be customer facing.
  • security and integrity of data
    • what mechanisms are in place to protect data from loss, misuse, unauthorised access, modification or disclosure to third parties? Examples include passwords and identity management and the ability for the service provider to identify system breach.
    • what security functionality does the system feature? Will data be encrypted in transit?
    • what reputational, financial or legal risks could flow from a breach of data security for your organisation?
    • will the data be housed on a public cloud or a community cloud? If your data will be co-mingled with other third parties’ data, does this reduce your ability to rely upon the integrity of the data?
  • privacy and protection/storage of confidential data in accordance with applicable legislation
    • assuming your organisation is bound by the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic), how will your organisation ensure compliance with the relevant Information Privacy Principles (for example, IPPs 2, 4 and 9)?
    • how will your organisation deal with obligations to retain records for the purposes of responding to FOI requests under the Freedom of Information Act 1982 (Vic) or for the purposes of complying with the Public Records Act 1973 (Vic) or under your enabling legislation?
  • scalability and flexibility
    • will the system be able to cope with large amounts of data and maintain functionality?
    • will the system be capable of catering to peak demand (for example, if your organisation has periods of heavy user traffic eg. at the end of the financial year)?
  • effectiveness of the contract between your organisation and the service provider
    • will you be able to negotiate terms that are favourable to your organisation or does the service provider have a standard form of contract drafted heavily in favour of the supplier?
    • will a breach of contract action adequately address your organisation’s concerns in the event that there is a data or security breach? Will the reputational loss suffered by your organisation be capable of being remedied via the contract?
    • will the service provider agree to submitting to the laws and courts of the Victorian jurisdiction?

Conclusion

Organisations should conduct a thorough risk assessment taking into account the specific source and nature of the data to be stored in the cloud, prior to taking the leap into cloud procurement. If your organisation is considering procuring a cloud based solution, as part of developing any requirements (whether functional or non-functional) for your tender process, a risk assessment should include seeking input from:

  • any IT and security advisors who will be able to advise on appropriate security standards and policies
  • procurement advisors who will be able to research and outline the service offerings available in the market and advise on the appropriate methodology for structuring a procurement
  • legal advisors, who will be able to advise on the appropriate privacy considerations and legal framework relevant to the specific data being considered for storage in the cloud. Legal advisors will also be able to advise on the key clauses that will be required to protect your organisation in any contractual arrangement with the service provider.

Working in a digital environment requires an enormous amount of collaboration within your organisation to ensure a deep understanding of the nature of cloud solutions. With careful consideration and planning, coupled with an awareness and mitigation of risks, it is possible to use the cloud to your advantage… the sky is the limit!