Cloud Computing

3 December, 2014

Cloud computing offers great benefits, such as greater flexibility and scalability, self-service provisioning, mobile working, and increased reliability and resilience in terms of business continuity and disaster recovery. But there are also risks around security, accessibility and confidentiality. So let’s have a look at some of the considerations for firms looking to outsource their IT provision in this way.

General considerations

Choosing a provider
You need to consider client protection and information safeguard provisions; disaster recovery and how quickly data could be accessed in that event; back-up facilities; reputation; control and ownership arrangements (and notifications regarding changes to this); experience in, and knowledge of, delivery of the product in the legal services market; commitment to remaining in the market; Service Level Agreements written in Plain English with Terms and Conditions which are clear; service reliability and stability; support desk provisions; service response times; remedies for poor performance; independent certification of service quality; risk of supplier lock-in (lock-in clauses or migration costs); scaling up or down options as your business grows or contracts and paying only for what you need options (and the cost implications should your firm’s needs grow or shrink).

Agreeing terms
Contractual arrangements with your chosen provider should take account of guarantees of availability, confidentiality and integrity as well as notification and remedial provisions related to when these arrangements fail (should they do so), or change. The contract should provide a clear exit strategy (some fixed term contracts may renew automatically when terminated).

Monitoring and review
Once your service is in place, a continual cycle of monitoring and review is advisable to ensure the service is meeting agreed expectations. This is just the same as any other service you are buying in on a continuous basis. Policies and procedures will need to be audited and staff made aware of their responsibilities under them to help ensure ongoing compliance.

Security and confidentiality
A cloud provider offering a dual access, high-end firewalled data centre with a continuous back up to a secondary site and 24 hour security has the potential to provide a very secure site for your data. That said, there remain data protection issues to consider.

Data protection

A third party security audit may be beneficial to ensure data protection controls will adequately address the risks of data transfer, storage, confidentiality and security.

The extent to which any personal data is captured, used and deleted should be stipulated and agreed. A privacy impact assessment would help you assess and identify any privacy concerns, particularly if the data centres are outside England and Wales.

Accessibility

Access provisions 
From a confidentiality perspective it is likely to be beneficial to tailor access provisions to the individual and arrange for these to be updated, suspended and deleted as appropriate, as well as making provision for notification should an unauthorised access, deletion or modification occur.

Business continuity 
You should consider the ability to recover practice and client information in the event of an emergency, making sure you are satisfied with the back-up, virus protection, and business continuity plans of the provider. There have been instances where firms have been asked to make additional payments to recover their IT data. To minimise the impact of a major fault, it may be beneficial for you to store a copy of your data in an alternative location.

Further resources
The Information Commissioner’s Office Cloud Computing Guidance includes a checklist (page 22) which could be used as a starting point to help ensure all confidentiality, integrity, availability and legal considerations regarding personal data are taken into account and help promote understanding of the roles and responsibilities of both the data controller and processor.

Though the provisions of Direct Gov’s Implementing the Cloud Principles Guidance are aimed primarily at public bodies, the principles it applies and the controls it recommends are generally useful.