The QITC Framework
In August 2017, the Queensland State Government introduced the new Queensland Information Technology Contracting (QITC) framework for procurement of information and communications technology (ICT) products and services by Queensland Government.
In this QWIK QITC Series, we are providing general information in respect of how the framework operates.
In the previous edition of QWIK QITC Series, we considered the relevant provisions in the QITC contracts relevant to the procurement of Licensed Software, Developed Software, Third Party Software, and related Services.
In this edition of the QWIK QITC Series, we will consider the equivalent provisions when a Government Customer is procuring Products and Services for an As-A-Service.
What Products or Services are included in the As-A-Service provisions?
The As-A-Service provisions in the General Contract (clause 5.6) and the Comprehensive Contract (Module 3 – As-A-Service) contemplate three kinds of As-A-Service:
- Software as a Service or SaaS is any software or application delivered through an online service by the Supplier – for example, Salesforce or Xero.
- Platform as a Service or PaaS is where the Supplier provides a hosted environment on which the Government Customer can configure, deploy and run applications, the PaaS is supported by the Supplier, and it allows the Government Customer to control any deployed applications – for example, Google App Engine.
- Infrastructure as a Service or IaaS is a service provided by the Supplier which provisions processing storage, networks and other physical or virtual machines, hardware or other data centre components, allowing the Customer to control the operating systems, Customer Data and applications stored on the IaaS – for example, Amazon Web Services or Microsoft Azure.
Key As-A-Service provisions
Government Customers and Suppliers should consider the following key issues, among others, when procuring As-A-Service under the QITC Contracts:
- Automatic Renewal: The Subscription Period of the As-A-Service automatically renews unless the Government Customer or the Supplier notifies the other prior to expiry of the current Subscription Period.
- Reseller: Similar to providing Third Party Software, under clause 3.4 of Module 3 (As-A-Service), the Supplier can provide the As-A-Service for a reseller for a Third Party Provider (see last week’s QWIK QITC). Where the Supplier is a Reseller, regular provisions regarding the Supplier’s warranties and defect resolution fall away, and instead the Supplier must procure that the Government Customer is assigned and has the benefit of the Third Party Provider’s warranties. It is then the Supplier’s responsibility as Reseller to coordinate the warranties and support services of the Third Party Provider with the Government Customer.
- Hosting Location: The Government Customer can specify in the Contract Details or Module Order Form (as applicable) where the As-A-Service must be hosted, including that the As-A-Service only be hosted in Australia.
- Customer Data: Customer Data refers to data provided by the Government Customer to the Supplier for use, processing, storage or hosting, and includes data created from that Customer Data through the As-A-Service, and any metadata. While the Government Customer retains responsibility for the content of the Customer Data, the Supplier has obligations regarding storage and backup of the Customer Data that the parties can agree in the Contract Details/Module Order Form. The Supplier can limit their liability for loss of Customer Data to a capped amount, though there are carve outs for breach of confidentiality obligations and privacy law compliance. The Supplier must also return or destroy the Customer Data (as specified by the Government Customer) when the Contract ends.
- Security: The Supplier must take reasonable steps to prevent unauthorised access to the Customer Data. There are also specific standards the Supplier must meet in respect of security, including environmental, safety and facility procedures, data security procedures and other safeguards to protect the Customer Data from destruction, loss and unauthorised access or alteration which are industry standard. The Supplier also has to provide a SOC 2 Type 2 report once per year, which reports on the security behind financial transactions.
- Electronic Incidents: Where the Supplier experiences an Electronic Incident (a denial-of-service attack, or other unauthorised intrusion or attack), the Government Customer can require the Supplier to take steps to protect Customer Data, including terminating connectivity of the As-A-Service.
- Harmful Code: Where Harmful Code is introduced into the As-A-Service, the Supplier must use best efforts to eliminate the Harmful Code, and minimise loss to the Customer Data. Where the introduction of the Harmful Code is caused by the Customer, the Supplier can charge additional fees for eliminating the Harmful Code.
- Service Levels: The Supplier must comply with any Service Levels included in the Contract Details/Module Order Form. Similar to Software Support Services (see last week’s QWIK QITC), the Supplier is not responsible for complying with the Service Levels in certain circumstances, such as where the As-A-Service is unavailable during agreed Scheduled Downtime.
- Audit: The Government Customer has audit rights with respect to the As-A-Service if specified in the Contract Details/Module Order Form. This can be through tools or mechanisms that allow for audit on a self-service basis, or other means agreed by the parties. The Government Customer can also ask for the Supplier to provide a report in respect of an external audit regarding the Supplier’s compliance with privacy, security and Customer Data requirements in the QITC Contract.
For Government organisations
- Where you are procuring the As-A-Service for any critical services, such as emergency services, you should ensure that the Service Levels in the QITC contract reflect the importance of keeping such services accessible and available to the Government and the public, as applicable.
- Take advantage of your audit rights in the QITC Contract to monitor the Supplier’s compliance with key requirements for the As-A-Service under the QITC Contract. You should discuss with the Supplier up front about the tools and mechanisms you will require to monitor their performance.
- You should require that the Supplier is clear where any Customer Data is hosted on the As-A-Service, and how you can access, update and extract the Customer Data from the As-A-Service. Carefully consider where the Customer Data is stored, particularly if it is outside Australia. Also note guidance in relevant Government policies regarding security and cloud services, including the “ICT-as-a-service offshore data storage and processing policy”, the “ICT-as-a-service security assurance guideline” and the “ICT-as-a-service risk assessment guideline”, and your legislative obligations under the Public Records Act 2002 (Qld).
- You should ensure that you specify a liability cap in the Contract Details/Module Order Form to limit your liability, including for loss of Customer Data as contemplated by the Module. Depending on the value of the Customer Data, any loss may result in significant liability risk.
- Ensure that your Service Levels are achievable, particularly if you are providing a SaaS or PaaS solution that utilises a third party’s IaaS product. Be clear with the Government Customer where your As-A-Service depends on the availability a third party’s solution, and ensure that any third party provisions regarding suspension or downtime are reflected in the QITC Contract.
- Review your security measures and procedures for your As-A-Service to ensure you meet the requirements under the QITC contracts. Be prepared for more stringent requirements where any Customer Data is highly confidential, or critical to Government functions.