On 1 November 2013, the Cabinet Office, which is responsible for ensuring the effective running of the UK Government, published a suite of documentary guidance for public sector bodies buying cloud services on the Government’s CloudStore and for suppliers offering such services to CloudStore through the G-Cloud framework (“Guidance”).
Overview of G-Cloud
The G-Cloud was created to promote government-wide adoption of cloud computing and the delivery of computing services via the cloud in the UK by allowing UK public sector bodies to choose and purchase services covering infrastructure, platform, software and specialist cloud services. The initiative aims to create a more efficient and accessible means of delivering public services in the UK by capitalising on the cost savings and flexibility offered by the cloud.
Overview of the Guidance
The Guidance is structured in three parts:
- Buyer’s information: the Guidance contains comprehensive information about how cloud services are supplied to CloudStore and what public sector bodies should do to buy digital services quickly and simply. It includes a worked example and provides guidance on key issues such as how to work out the cost of the service and understanding the contractual relationship with the supplier. The Guidance emphasises that G-Cloud is a framework for buying commodity services that is significantly quicker and cheaper than traditional ICT procurement processes, in part because there is no negotiation between buyers and suppliers, but that there will almost never be an exact match between requirements and service offer.
Security and accreditation: the Guidance aims to provide customers and suppliers of G-Cloud services with clarity on the processes and guidance used for pan-Government security accreditation of services, including information about:
- what services need security accreditation;
- how suppliers can become accredited; and
- what suppliers and buyers need to know about Information Assurance (“IA”).
The Guidance includes a Data Protection Act (“DPA”) checklist for G-Cloud suppliers, based on the Privacy Impact Assessment (“PIA”) Handbook and Personal Information Online Code of Practice published by the Information Commissioner’s Office (“ICO”), which is responsible for enforcing the DPA and other information rights law in the UK.
The Guidance clarifies that suppliers of G-Cloud services will generally be treated as ‘data processors’ under the DPA and that the public sector customers using their services will generally be treated as ‘data controllers’. Whilst the DPA only imposes statutory obligations on the customers as data controllers (and not on the suppliers as data processors) suppliers can help customers by ensuring that their IA documentation for G-Cloud provides clear evidence of how their service will allow the customer organisation to complete its PIA and take measures to comply with the DPA.
Among the list of questions are those directed at clarifying the security measures implemented by the supplier and whether personal data for which the customer is responsible will be transferred by the supplier outside the European Economic Area. These are issues of increasing importance for cloud customers not only given the continued increase in cyber attacks but also in light of the recently uncovered covert mass surveillance of personal data relating to EU citizens stored in the US that was undertaken by the US authorities. Commercially, it will continue to be important for suppliers to be able to provide satisfactory responses to these questions as the ICO expressly states on the G-Cloud website that if they cannot then buyers should be concerned about entrusting the supplier with their information.
- Supplier’s information: this section of the Guidance provides clarity on how to draft service definitions that are clear, competitive and transparent to make it as easy as possible for buyers to understand what suppliers offer and what the costs are.
The detailed but pragmatic nature of the Guidance will naturally be welcomed by public sector bodies that are considering buying cloud services but are more accustomed to the traditional procurement process for ICT services. However, the Guidance is also likely to be welcomed by suppliers of cloud services – it clearly explains not only what is expected of suppliers from a technical and legal perspective but signposts the common concerns of prospective cloud customers thereby providing suppliers with greater insight into how to structure and present their services in the most effective way to address such concerns.
Link to the Guidance: https://www.gov.uk/government/collections/cloudstore-buyers-and-suppliers-information