This White Paper considers the use of as-a-service offerings, also referred to as cloud services or on-demand software services, and how to ensure that this use is consistent with compliance concerns including Australian privacy law and good business practice.
of risk associated with in-house deployments.

However, many business customers today are concerned about using as-a-service across national borders. Concerns are sometimes significantly greater than is the case with traditional software supply and integration into a customer’s in-house systems. On its face, this is surprising. Software integration is often complex and expensive, requiring customisation, integration and interfacing of applications, platforms and other systems. Project management of data migration and system switchover is complex and often time-critical. Establishment of disaster recovery capabilities and maintenance of back-ups require duplication of effort and often expensive outsourcing arrangements that must also be monitored and managed. System security, including against hacking and other external intrusions, must be ensured and maintained in the face of unpredictable and increasingly sophisticated threats. The in-house deployment must be supported and updated, with the risk that a highly customised deployment may be ‘orphaned’ or otherwise require expensive upgrade and re-architecting of the system platform or databases to maintain service levels or compatibility and integration with other systems. The business must project its future business requirements and predict the likely geographical needs of the business over the life of the software deployment. The business must also ensure that its software licences reflect those projections (or can be adjusted at known cost to accommodate them) and that it has a pathway to upgrade and expansion.

As-a-service offerings address many of the risks and concerns associated with software supply and integration into a customer’s own systems. As noted in the Australian Government’s Information Security Management Guidelines, “Outsourcing ICT arrangements can offer a host of benefits, including scalability, elasticity, high performance, resilience and security together with cost efficiency. The range of technology options available through outsourcing of ICT is extensive. It is [however] important to recognise that any ICT arrangements delivered by the agency have a range of risks that an agency is responsible for identifying, assessing and managing. Outsourcing of agencies ICT arrangements can in some circumstances reduce the overall risk associated with delivering these services in house”.[44]

The Australian Department of Defence notes that the risk assessment of as-a-service deployments depends “on factors such as the sensitivity and criticality of data to be stored or processed, how the cloud service is implemented and managed, how the organisation intends to use the cloud service, and challenges associated with the organisation performing timely incident detection and response. Organisations need to compare these risks against an objective risk assessment of using in-house computer systems which might: be poorly secured; have inadequate availability; or, be unable to meet modern business requirements”.[45]

[44] Australian Government, Information Security Management Guidelines, August 2014 as amended April 2015, page 5, paragraphs 25 and 26, available at http://www.protectivesecurity.gov.au/informationsecurity/Documents/AustralianGovernmentInformationSecurityManagementGuidelines.pdf. See also Attorney-General’s Department, Protective Security Policy Framework: Security risk management, at https://www.protectivesecurity.gov.au/governance/security-risk-management/Pages/Security-risk-management.aspx.
[45] Australian Signals Directorate of the Department of Defence, Cloud Computing Security for Tenants, April 2015, available at http://www.asd.gov.au/publications/protect/Cloud_Computing_Security_for_Tenants.pdf. See further materials at http://www.asd.gov.au/infosec/cloudsecurity.htm, including, for cloud service providers, Cloud Computing Security for Cloud Service Providers, http://www.asd.gov.au/publications/protect/Cloud_Computing_Security_for_Cloud_Service_Providers.pdf.

37577360_1 25

Implementation Risk

One clear advantage of as-a-service over traditional software supply and integration is significant mitigation of implementation risk. A customer should be able to complete a full evaluation to determine the materiality of these risks and, where they are determined to be material, confirm that an as-a-service offering under consideration fully addresses them before the customer commits to contract with the service provider or commences implementation. Project management of as-a-service implementation is almost invariably less complex and usually not time-critical: the service provider’s offering, its integration into the customer’s other systems and processes, and the expected operation of disaster recovery and other resilience features can all be fully tested before live processing of customer data. Integration interfaces are defined and stable. If the implementation appears to be compromised in any way, the customer can elect not to proceed to switch-over.

Operating and ongoing risk

As-a-service usually also has clear advantages in mitigating risks of operation during the service term and in future-proofing the customer. Security and resilience are usually available at significantly higher levels of assurance than can be readily achieved and maintained in in-house deployments. If a service provider does not upgrade its offering over the service term to assure good-practice security and reliability of service, the issue is likely to affect, and be known across, that service provider’s customer base and put the service provider’s business reputation at risk.
Good practice in relation to ongoing security, privacy and resilience management is essential for the trust of customers in a service provider and its service offerings. Put simply, a service provider must ensure that services are available, reliable and consistent, including by protection against evolved and escalated forms and levels of intrusion and other security threats.[46]

Flexibility is another key aspect of future-proofing the customer. One feature of attractive as-a-service offerings should be the ability for the customer to adjust its system requirements, while maintaining service levels and allowing full scalability and forward and backward compatibility. As-a-service offerings are often priced on an on-demand or utilisation model: a customer does not need to reliably project its forward business requirements and can flex its requirements up or down without additional capital cost, and with significant savings in the event that the customer elects to downsize or reduce scope. Many as-a-service offerings are available globally, thereby enabling business expansion or contraction to meet changes in a customer’s operations, but with continuation of assured security, resilience and service quality across national borders. The service provider also carries the risks of support and upgrade, including management of upgrades or changes to all third-party software and platform components and of third-party vendor relationships. Of course, in the case of traditional software deployments all these other components must be managed by the customer: a significant hidden cost of many in-house implementations.

[46] Many on-demand software service providers undergo stringent security procedures such as independent expert verification and certification of controls over information technology and related processes in accordance with the Service Organization Control (SOC) reporting framework (SOC 1, 2, 3) pursuant to the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, of the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), January 2010. See further the ‘SSAE 16 Overview’ at http://ssae16.com/SSAE16_overview.html. A global equivalent, International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, became effective as of 15 June 2011 and is available through http://isae3402.com/ISAE3402_overview.html.

In summary, the deployment of an on-demand software application should be as straightforward as the acquisition and integration of many other utility services that are acquired by businesses and that already offer flexibility, reliability, scalability and adaptability: power, communications carriage services, water, banking and payroll services and so on. Given the redistribution of many project, implementation and ongoing service risks away from the customer to the service provider, it may be difficult to see why some businesses and government agencies express concern as to the growing trend away from in-house software system implementations towards use of as-a-service. Some concerns relate to unfamiliarity with the business models, commercial terms and technical aspects of this still new way of doing business. Sometimes an issue arises from a perception of loss of control, or loss of transparency, over how a customer’s data is handled and secured by the service provider. This issue is particularly heightened with government agencies. Government agencies will reasonably require a high level of assurance that their stewardship of data about citizens will not be compromised through the agency losing control of, and visibility as to, any use or disclosure of that data. The stewardship concern is particularly heightened where as-a-service is provided from outside the jurisdiction of that government.
Sometimes concern is expressed as to the relatively simple forms of contract offered by the various providers of as-a-service offerings and their limited willingness to negotiate these terms, often the result of a desire to control transaction costs and ensure standardisation of offerings across the customer base. We now turn to consider further the particular concerns of government agencies.

9 Government agencies: cloud simple, cloud first

The benefits of as-a-service as compared to traditional software supply are reflected in the Federal Government’s ‘cloud first’ policy, first implemented by the former Labor Government and then expanded by the current Coalition Government. The Australian Government Cloud Computing Policy – Smarter ICT Investment states:[47] “non-corporate Commonwealth entities are required to use cloud services for new ICT services and when replacing any existing ICT services, whenever the cloud services are fit for purpose; offer the best value for money, as defined by the Commonwealth Procurement Rules;[48] and provide adequate management of risk to information and ICT assets as defined by the Protective Security Policy Framework”.[49] The Federal Government’s preference for cloud has led to a progressive lightening of the review and approval requirements imposed by the Australian Federal Government upon Federal Government agencies before those agencies enter into arrangements for offshoring of the provision of services and processing of personal information. The New South Wales, Victoria and Queensland State governments have also implemented ‘cloud first’ policies as mandatory directives for their agencies.[50] A series of ‘better practice guides’[51] have been developed at both the Federal and State levels to assist Government agencies to evaluate vendors, service offerings and service agreements for as-a-service offerings.

Government has also emphasised that as-a-service brings new risks that need to be considered and assessed. As stated by the Australian Signals Directorate of the Department of Defence in its Cloud Computing Security for Tenants: “Organisations need to perform a risk assessment and implement associated mitigations before using cloud services. Risks vary depending on factors such as the sensitivity and criticality of data to be stored or processed, how the cloud service is implemented and managed, how the organisation intends to use the cloud service, and challenges associated with the organisation performing timely incident detection and response. Organisations need to compare these risks against an objective risk assessment of using in-house computer systems which might: be poorly secured; have inadequate availability; or, be unable to meet modern business requirements.”[52]

[47] As to Australian Government cloud policy and guidelines, see https://www.finance.gov.au/cloud/; see also Australian Government Cloud Computing Policy – Smarter ICT Investment, Version 3.0, October 2014, available at http://www.finance.gov.au/sites/default/files/australiangovernment-cloud-computing-policy-3.pdf.
[48] As available at http://www.finance.gov.au/procurement/procurement-policy-and-guidance/commonwealth-procurement-rules/.
[49] As available at https://www.protectivesecurity.gov.au/Pages/default.aspx.
[50] See for example NSW Government Cloud Policy 2015, https://www.finance.nsw.gov.au/ict/resources/nsw-government-cloud-policy. For Queensland, see the Cloud Computing Strategy, available at https://www.qgcio.qld.gov.au/initiatives/cloud-computing. For Victoria, see Information Technology Strategy, Victorian Government 2016–2020, available at http://www.enterprisesolutions.vic.gov.au/wpcontent/uploads/2016/05/Information-Technology-Strategy-for-the-Victorian-Government-2016-to-2020.pdf. The Victorian Commissioner for Privacy and Data Protection has also released a detailed discussion paper, Cloud Computing in the Victorian Public Sector, May 2015, available at https://www.cpdp.vic.gov.au/images/content/pdf/Cloud_Computing_in_the_Victorian_Public_sector.pdf; see also Victorian Government Solicitor’s Office, Cloud Computing in a Government Context, at http://vgso.vic.gov.au/sites/default/files/Cloud%20Computing%20in%20a%20Government%20Context%20-%20Speakers%20Notes.pdf.
[51] See Australian Government materials at https://www.finance.gov.au/cloud/.
[52] Australian Signals Directorate of the Department of Defence, Cloud Computing Security for Tenants, April 2015, available at http://www.asd.gov.au/publications/protect/Cloud_Computing_Security_for_Tenants.pdf.

The Australian Government’s Information Security Management Guidelines summarises the new risks of outsourced services as follows:

“… contracting an outsourced provider for the storage and handling of Australian Government information introduces new risks that must be considered and assessed before a decision is made to engage a provider. The physical location of stored information also represents a series of new risks and vulnerabilities. Entering into an ICT arrangement in which information is held offshore, either by the contractor or subcontractor, can have additional risks. For example, while the term ‘Cloud’ implies that the information is ‘not fixed’, all information stored in a Cloud service is physically located somewhere in a data centre or multiple data centres. Below is a list of factors that should be considered prior to entering into an offshore ICT arrangement:
the nature of the legal powers to access or restrict access to data
complications arising from data being simultaneously subject to multiple legal jurisdictions
the lack of transparency (and reduced ability to directly monitor operations), and
the difference in the business and legal cultures in other nations.

Like Australia, most foreign jurisdictions have legislative powers that allow access to communications and stored information for the purposes of law enforcement and national security. In some cases these laws allow international law enforcement and national security agencies to access information held overseas or in Australia.”[53]

Government agency customers may also have specific statutory obligations that must be met.[54] For example (and together with the Privacy Act 1988 (Cth)), a number of Federal laws affect how Australian Government agencies create and manage records and information. Some of these laws, including the Privacy Act 1988 itself, the Archives Act 1983, the Australian Information Commissioner Act 2010 and the Freedom of Information Act 1982, apply to most Australian Government agencies. Other laws are agency-specific or information-specific. Agency-specific legislation can cover diverse requirements. For example, a statute may require certain information to be created, or specify the format in which it is to be kept, how or where it is to be captured, and how and to whom it may be disclosed. State and Territory laws affect how Government agencies of the particular State or Territory create and manage records and information and in some (relatively rare) cases create geographical or territorial limits as to where data may be processed or stored.

For example, the My Health Records Act 2012 (Cth)[55] restricts key participants in the My Health Record system that record information for the purposes of that system, or that have access to information relating to such records, from processing or handling information relating to the records outside Australia, or from causing or permitting another person to process or handle information relating to the records outside Australia. However, the My Health Record system operator (but not other participants) is specifically authorised, for the purposes of the operation or administration of that system, to process and handle such information outside Australia, provided that the information is not personal information in relation to a consumer or a participant in the My Health Record system or otherwise identifying information of an individual or entity.

[53] Australian Government, Information Security Management Guidelines, August 2014 as amended April 2015, page 5, paragraphs 27 and 28.
[54] For a useful and quite comprehensive review of the regulatory environment affecting implementation of cloud services by Australian businesses and government agencies, see Australian Government Department of Communications, Cloud Computing Regulatory Stocktake Report, Version 1, June 2014, available at https://www.communications.gov.au/publications/cloud-computing-regulatory-stock-take-report.
[55] Section 77, available at https://www.legislation.gov.au/Series/C2012A00063.

By comparison, private sector entities are generally less regulated.
With the exception of relatively few sector-specific rules, the operation of the Privacy Act 1988 and any contractual restrictions that an entity has accepted, Australian corporations and other private sector entities that conduct business in Australia may exercise their respective business discretion as to where, how and by whom their business information, including any personal information about individuals that is collected and held either by them or on their behalf, is processed and stored.

In summary, although the application of the Privacy Act requirements is broadly the same, the requirements applying to the use of as-a-service offerings by government agencies are generally more prescriptive and more extensive than the requirements applying to businesses. There is also a range of agency-specific restrictions that need to be addressed. However, the relevant requirements and restrictions have now been extensively analysed in whole-of-government and sector-specific guidelines and support materials from the Federal government and from individual State and Territory governments.[56]

Provision of banking, insurance and other financial services is probably the most highly regulated business sector in Australia (outside environmentally sensitive projects). Given the particular, higher level of restrictions that apply to the financial services sector, we now turn to consider those requirements.

[56] See the materials as available at www.finance.gov.au/cloud and those referred to in footnote 50 above.

10 APRA regulated institutions: compliance with requirements for ‘material business activities’

In section 8 of this White Paper we noted that although some of the risks associated with outsourcing and offshoring components of cloud services are relatively new, there is extensive literature on how to apply already well-accepted risk frameworks to as-a-service. However, looking beyond strict compliance with law to rate the materiality of non-legal risk, there will often be legitimate disagreement and debate as to how to set a materiality threshold. Sometimes the materiality of as-a-service applications is assessed having regard to whether a business process facilitated by a particular as-a-service application is a ‘core business process’.

The Australian Prudential Regulation Authority (APRA) applies its Prudential Standard CPS 231 Outsourcing (last revised January 2015) to any ‘material business activity’ of a regulated institution, being:

“….[a business activity] that has the potential, if disrupted, to have a significant impact on the APRA-regulated institution’s or group’s business operations or its ability to manage risks effectively, having regard to such factors as:
(a) the financial, operational and reputational impact of a failure of the service provider to perform over a given period of time;
(b) the cost of the outsourcing arrangement as a share of total costs;
(c) the degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house;
(d) the ability of the regulated institution or member of the group to meet regulatory requirements if there are problems with the service provider;
(e) potential losses to the regulated institution’s customers and other affected parties in the event of a service provider failure; and
(f) affiliation or other relationship between the institution or group and the service provider.”[57]

Many activities of institutions regulated by APRA will therefore not be ‘material business activities’. But how do you identify which activities are or are not material? Sometimes it will be obvious that a particular activity is core to the activities of a regulated institution: clearing and settlement of payments by or on behalf of banks is one example.
But one customer’s proposed use of an as-a-service application in a particular business process may be a ‘material business activity’ for that customer but not for another customer. Text editing, formatting and content publishing capabilities are clearly a ‘material business activity’ for a publishing house, but probably are not for a bank. Customer relationship management (CRM) capabilities will be material for some applications of CRM in some businesses, such as customer response contractors and direct marketing houses, but may not be material for a bank.

[57] Australian Prudential Regulation Authority, Prudential Standard CPS 231 Outsourcing, January 2015, paragraph 14, available at http://www.apra.gov.au/CrossIndustry/Documents/141120-CPS-231.pdf. See also APRA Prudential Practice Guide CPG 235 Managing Data Risk, September 2013 (http://www.apra.gov.au/CrossIndustry/Documents/Prudential-Practice-Guide-CPG-235-Managing-Data-Risk.pdf); Prudential Practice Guide PPG 234 Management of security risk in information and information technology (http://www.apra.gov.au/crossindustry/documents/ppg_ppg234_msrit_012010_v7.pdf); CPS 220 Risk Management and Prudential Practice Guide, http://www.apra.gov.au/CrossIndustry/Documents/Prudential-Standard-CPS-220-Risk-Management-January-2015.pdf; and SPG 231 Outsourcing, July 2013. Although Prudential Standard CPS 231 Outsourcing is now the primary regulatory instrument, Prudential Practice Guide 235 remains a current APRA-published instrument and provides guidance and examples of what APRA considered to be material for the purpose of (then) APS 231, and further details on many other aspects of then APS 231, now CPS 231. As to financial services institution (FSI) regulations impacting FSI take-up of cloud services in other Asia Pacific jurisdictions, see Asian Cloud Computing Association, Asia’s Financial Services: Ready for the Cloud, March 2015, available at http://www.asiacloudcomputing.org/research/fsi2015.
The scale of the deployment and the degree of dependency will each be relevant. A pilot or limited implementation may not have sufficient scale to be material. Further, one use of an as-a-service offering by a customer may be a ‘material business activity’ while another is not. For example, a CRM application may be used for vendor management or customer response or both: one use might be a material business activity and the other not.

It is appropriate to pause here to reflect on what this additional level of prudential regulation is endeavouring to achieve. In section 7 of this White Paper we concluded that all customers should carefully evaluate each service provider and ensure that certain contractual provisions are in place and that there are appropriate transparency, accountability and governance mechanisms to ensure that privacy risk management is verifiably and reliably implemented. We noted that privacy risk management is but one aspect of prudent information management for outsourcing and offshoring aspects of as-a-service. In section 8 we noted that many organisations consider that any risk of illegality is a material risk, regardless of business impact or remoteness, and rightly strive to achieve 100 percent risk mitigation as to compliance with all relevant laws, including privacy law. So the question now under consideration is when the additional layer of prudential regulation of material business activities of regulated institutions should apply, not whether all businesses should achieve compliance with all laws, including privacy regulation.

The inherently business-process-specific nature of any assessment of whether an activity is a ‘material business activity’ is also illustrated by ASX Clear Operating Rules Guidance Note 9 – Offshoring and Outsourcing.[58] This guidance note imposes particular requirements as to outsourcing and offshoring by ASX market participants such as trading houses and clearing houses operating in the ASX electronic securities exchange. The ASX states its “higher expectations around the documentation and supervision of material offshoring and outsourcings arrangements, relative to those that are not material” and that offshoring and outsourcings of a “material business activity” are material.[59] The ASX states that a “material business activity” of a trading house or clearing house is one that has the potential, if disrupted, to have a material impact on the ability of that participant to comply with its obligations under the relevant ASX Operating Rules. The ASX continues:

Examples of arrangements that ASX would regard as material offshoring or outsourcing arrangements (as the case may be) include:
the offshoring or outsourcing of the operation of core IT systems used in a participant’s clearing activities;
the offshoring or outsourcing of core clearing functions and processes; and
the offshoring or outsourcing of a participant’s business continuity and disaster recovery arrangements.

Examples of offshoring or outsourcing arrangements that ASX generally would not regard as material include:
the engagement of an external identity verification service or credit service to verify the identity or creditworthiness of new clients on an ongoing basis;
the provision of accounting, legal or compliance services on an ongoing basis by staff located offshore and employed by an overseas related body corporate;
the engagement of a professional adviser (such as an accountant, lawyer or management consultant) to provide professional advice on an ongoing basis; and
the engagement of a specialist compliance consulting firm to provide compliance services on an ongoing basis.[60]

So what is the higher level of regulation that is applied by the prudential regulator to those cases where there is an outsourcing of a material business activity? Some of the requirements are those that we have already identified as applying to any prudent customer: in particular, proper assessment of data risk and implementation of good information management. Some requirements are additional and specific to outsourcing and offshoring respectively of a material business activity by an APRA-regulated institution.

An APRA-regulated institution must consult with APRA prior to entering into any offshoring agreement involving a material business activity so that APRA may satisfy itself that the impact of the offshoring arrangement has been adequately addressed as part of the regulated institution’s risk management framework.[61] The institution must notify APRA of any outsourcing agreement relating to material business activities “as soon as possible after entering into an outsourcing agreement, and in any event no later than 20 business days after execution of the outsourcing agreement”.[62] A regulated institution must ensure it has sufficient and appropriate resources to manage and monitor an outsourcing involving a material business activity, including “at a minimum” maintaining appropriate levels of regular contact with the service provider (ranging from daily operational contact to senior management involvement) and a process for regular monitoring of performance under the agreement, including meeting criteria concerning service levels.[63]

The outsourcing agreement in relation to a material business activity of a regulated institution must address:
(a) the scope of the arrangement and services to be supplied;
(b) commencement and end dates;
(c) review provisions;
(d) pricing and fee structure;
(e) service levels and performance requirements;
(f) audit and monitoring procedures;
(g) business continuity management;
(h) confidentiality, privacy and security of information;
(i) default arrangements and termination provisions;
(j) dispute resolution arrangements;
(k) liability and indemnity;
(l) sub-contracting;
(m) insurance; and
(n) where applicable, offshoring arrangements (including through sub-contracting).[64]

A requirement that is sometimes difficult to implement in relation to as-a-service arrangements is that, to ensure transparency to APRA, an outsourcing agreement involving a material business activity must include a clause that allows APRA access to documentation and information related to the outsourcing arrangement, including the right for APRA to conduct on-site visits to the service provider if APRA considers this necessary in its role as prudential supervisor.

[58] ASX Clear Operating Rules June 2015, Guidance Note 9 Offshoring and Outsourcing, February 2015, http://www.asx.com.au/documents/rules/asx_clear_guidance_note_09.pdf.
[59] Ibid., at section 6, page 5.
[60] Ibid., section 6, page 5.
[61] APRA Prudential Standard CPS 231 Outsourcing, January 2015, paragraph 36.
[62] APRA Prudential Standard CPS 231 Outsourcing, January 2015, paragraphs 34 and 35.
[63] APRA Prudential Standard CPS 231 Outsourcing, January 2015, paragraph 38.
The standard also states that APRA expects service providers to cooperate with APRA’s requests for information and assistance.65 All but the last of the above requirements apply to any outsourcing of a material business activity by a regulated institution, whether or not there is any offshoring element. In the case of offshoring, a regulated institution must also consult with APRA prior to entering into any offshoring agreement involving a material business activity “so that APRA may satisfy itself that the impact of the offshoring arrangement has been adequately addressed as part of the regulated institution’s risk management framework”.66 For regulated entities, that risk management framework should be developed in accordance with APRA prudential guidance for data management and in particular Prudential Practice Guide PPG 234 - Management of security risk in information and information technology67 and Prudential Practice Guide CPG 235 – Managing Data Risk. 68 Most of the risks that APRA identifies for regulated entities to manage through control processes are common to both in-house implementations and outsourcing in relation to a material business activity and therefore not unique to either outsourcing generally or outsourcing with an off shore element. However, APRA also identifies certain additional possible risks of outsourcing or 64 APRA Prudential Standard CPS 231 Outsourcing, January 2015, paragraph 26. 65 APRA Prudential Standard CPS 231 Outsourcing, January 2015, paragraphs 31 to 33. 66 APRA Prudential Standard CPS 231 Outsourcing January 2015, paragraph 36. 67 See footnote 57 above. 68 See footnote 57 above. 37577360_1 34 offshoring that are associated with any diminution of data life-cycle controls. 
APRA therefore states that a regulated entity should “apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to”, in particular focussing upon any change in the effectiveness of data lifecycle controls.69 In the case of both outsourcing and offshoring, these controls may be diminished through “control framework variations, lack of proximity, reduced corporate allegiance, geopolitical risks and jurisdictional-specific requirements”.70

APRA suggests various ways in which regulated entities may ensure that these controls are maintained, including APRA’s expectation that, to ensure appropriate lifecycle controls are in place in an outsourced or offshored environment, a regulated entity should be able to demonstrate:
(a) ability to continue operations and meet core obligations following a loss of services;
(b) maintenance of the quality of critical or sensitive data;
(c) compliance with legislative and prudential requirements; and
(d) a lack of impediments (from jurisdictional hurdles or technical complications) to APRA being able to fulfil its duties as prudential regulator (including timely access to data in a usable form).

In the normal course, APRA will seek to obtain whatever information it requires from the regulated institution; however, the outsourcing agreement must include the right for APRA to conduct on-site visits to the service provider if APRA considers this necessary in its role as prudential supervisor. APRA expects service providers to cooperate with APRA’s requests for information and assistance. If APRA intends to undertake an on-site visit to a service provider, APRA will normally inform the regulated entity of its intention to do so.71

69 Prudential Practice Guide PPG 234 - Management of security risk in information and information technology, at paragraph 48, page 13.
70 Prudential Practice Guide CPG 235 – Managing Data Risk, at paragraph 47.
71 Prudential Standard CPS 231 Outsourcing, January 2015, at paragraph 31.

11 Conclusions

This White Paper has examined why, properly implemented, use of as-a-service by a customer should reduce, rather than increase, risk as compared to traditional in-house software deployment. However, there are legitimate questions that arise from any possibility of personal information moving out of the effective control of the customer, who remains responsible for the stewardship of the personal information that it collected. There are also legitimate questions that arise from the possibility that personal information collected by a customer might move out of jurisdictions that have effective privacy regulation and enforcement.

Although these questions can be addressed through appropriate contractual restrictions and accompanying transparency, accountability and governance mechanisms, some service providers appear to be unwilling to make these commitments, to provide appropriate transparency as to their activities (including reporting of any relevant incidents and their remediation), or to implement accountability and governance frameworks consistent with the level and materiality of privacy risk. All customers should carefully evaluate each service provider and ensure that the necessary contractual provisions are put in place, and that appropriate transparency, accountability and governance mechanisms exist, so that privacy risk management is verifiably and reliably implemented and the customer is able to continue to comply with its obligations under the Privacy Act notwithstanding the use of a contracted service provider. Privacy risk management is but one aspect of prudent information management for the outsourcing and offshoring aspects of as-a-service.
Many organisations consider that any risk of illegality is a material risk, regardless of business impact or remoteness, and rightly strive to achieve 100 percent risk mitigation as to compliance with all relevant laws, including privacy law. With appropriate diligence, compliance with relevant Australian laws can be achieved, except for those unusual customers where offshoring of their activities is expressly prohibited. Government agencies, and regulated institutions outsourcing material business activities, are subject to additional requirements (discussed in sections 9 and 10 respectively of this White Paper). These additional requirements can also be addressed by many well designed as-a-service offerings and by service providers that are willing to provide the required transparency, accountability and governance commitments.

Our conclusions are also summarised in the Key Points section at the front of this White Paper.

Peter Leonard
Gilbert + Tobin Lawyers
1 September 2016

ANNEXURE: AS-A-SERVICE CONTRACTS: PRIVACY RELATED PROVISIONS FOR CONSIDERATION

1 Privacy commitments
Service provider (SP) commits to meet specific privacy obligations, as expressly stated in the contract or by reference to the APPs. SP commits to access personal information (PI) only for the permitted purpose, as clearly stated in the contract (e.g. view-only access to specific information, at the specific request of a customer representative, for the purpose of providing customer support requested by the customer). SP agrees not to separately copy, use or disclose PI in any unencrypted form, with any such use to be only during the term and for the benefit of the customer.

2 Security
SP to permit access to PI only by authorised support personnel, and to secure PI against external intrusions and against access by unauthorised personnel of the service provider. Encryption requirements are understood, with assurance that decryption tools are appropriately managed.
Monitoring of access to PI to be in accordance with good service provider practice. Access controls to be updated during the term in accordance with good service provider standards.

3 Transparency
Any relevant unauthorised access to PI or disclosure of PI is to be reported promptly when reasonably suspected or discovered. Countries where data is to be stored (including back-ups and resilience sites) are specified and always known.

4 Governance, accountability and verification
If any unauthorised access or disclosure of PI is reasonably suspected or discovered, root cause analysis is to be performed and a remediation pathway agreed after consultation with the customer. Contractual controls as to PI are supported by reporting and certifications as required. Check that reporting, certifications and other governance and accountability measures match the customer’s internal information management processes, as appropriate to ensure prudent end-to-end information management.

5 Business continuity management
Resilience measures and back-up procedures are known and defined, so that PI is secured in all forms in which it is held.

6 Sub-contracting
Any sub-contracts that might involve sub-contractor access to PI are known and appropriately controlled, so that the customer’s risk assessment is end-to-end and not compromised through a service provider’s use of sub-contractors that might use or disclose PI.

7 Confidentiality of other commercial-in-confidence customer information and privacy of PI
Does the coverage of the contract provisions dealing with confidential information (including non-PI) give the protection the customer needs for commercial-in-confidence customer information, in addition to the specific privacy-protective provisions addressing handling of PI?

8 Tailoring
Are there sector-specific, data-specific or customer-specific restrictions that should be included as contract terms? If so, tailor terms to suit.
Sydney: Level 35, Tower 2, International Towers Sydney