Essential terms and conditions for a secure use of Cloud services Checklist

Size: px

Start display at page:

Download "Essential terms and conditions for a secure use of Cloud services Checklist"

Ashlyn Marshall
8 years ago
Views:

1 Essential terms and conditions for a secure use of Cloud services Checklist Publication of the CIO Interest Group Cloud CIO Platform Nederland, March

2 From the authors All CIO Interest Groups (CIGs) of the CIO Platform Nederland aim at sharing knowledge on those issues in which the members have expressed an interest. This document contains a concise description of essential terms and conditions that are necessary for a secure use of Cloud services. This makes it a checklist of sorts that may be useful for legal and regulatory work and that may form the basis for widely accepted and used norms. Aspects that have a more specific nature, for instance because they are relevant for certain organizations, or in a specific context are not included in this checklist. This document is meant to be the foundation to a written agreement between a provider and a customer, in which the basic issues are further specified and formally agreed. The entire CIG Cloud has reviewed this document. The authors, Evelijn Jeunink (SURFnet) Jacq de Rijck (Coöperatie VGZ) Andres Steijaert (SURFnet) Edwin Strijland (SVB) Annemarie Vervoordeldonk (SHV) page 2 of 13

This makes it a checklist of sorts that may be useful for legal and regulatory work and that may form the basis for widely accepted and used norms.

3 Contents From the authors... 2 Contents... 3 Use of the Checklist Individual use Collective use... 4 Introduction to the Checklist... 5 A. (Intellectual) Property, ownership and control... 6 B. Laws and regulations... 7 C. Security and data integrity... 8 D. Quality and continuity... 9 E. Confidentiality F. Supervision and notification Organizations involved in the CIO Interest Group on Cloud page 3 of 13

Laws and regulations... 7 C. Security and data integrity... 8 D. Quality and continuity... 9 E.

4 Use of the Checklist 1.1 Individual use Members of the CIO Platform Nederland, as well as members of the European CIO Association and of its National Bodies, may use the checklist: As a starting point or reference in contact with providers; When procuring Cloud services, by using the checklist as a guide in setting satisfactory terms of use. 1.2 Collective use When all members of the demands side community, formed by the CIO Platform Nederland, as well as members of the European CIO Association and of its National Bodies, use these fundamental terms and conditions that will create: A broad base; and A common language; Towards an increased use of Cloud services, against fair terms and conditions. page 4 of 13

or reference in contact with providers; When procuring Cloud services, by using the checklist as a guide in setting satisfactory terms of use. 1.

5 Introduction to the Checklist The central focus of this description of essential terms and conditions for a secure use of Cloud services are business interests and risk assessment. These are used to address six issues: A. (Intellectual) Property, ownership and control B. Laws and regulations C. Security and data integrity D. Quality and continuity E. Confidentiality F. Supervision and notification For all issues mentioned above it is necessary that they: Are written down in a document expressing the agreement between provider and customer; Are binding for the provider, as well as for sub-contractors (third parties) that the provider may involve in executing the agreement. The provider is responsible for the sub-contractors that he involves. page 5 of 13

Supervision and notification For all issues mentioned above it is necessary that they: Are written down in a document expressing the agreement between provider and customer; Are binding for

6 A. (Intellectual) Property, ownership and control 1) All (intellectual) property rights regarding (the file or files containing) data remain with the customer at all times. 2) The provider has no independent entitlement to control regarding the data that he processes. Control of the data remains with the customer. page 6 of 13

7 B. Laws and regulations 1) Typically, the customer is responsible ( controller ) and the provider has the role of processor. 2) Before data export (exchange of personal data)/international exchange of data takes place, it is guaranteed that data is only exchanged with countries and companies that have an adequate level of protection. Provider and customer ascertain the level of protection in the home country of the customer, and will come to additional provisions on monitoring and compliance if necessary to ensure the required level of protection. a. In Member States of the European Union and countries that are white listed in the EU the privacy is guaranteed in laws and regulations, therefore no additional provisions between provider and customer are necessary. b. In case of providers from the United States it is necessary for the provider to be on the Safe Harbour list (these providers adhere to the U.S.-EU Safe Harbour Framework and offer an adequate level of protection) and for the customer to come to an agreement with the provider that the customer will be able to monitor compliance of the provider with the Safe Harbour principles. c. If the country is not a member of the EU and is not on the EU s white list or if the provider is a U.S. company but not on the Safe Harbour list, then an adequate level of protection is not available. In that case it is necessary to come to an agreement based on a European Model Contract, Model Clauses, Licence (catch all provision) or Binding Corporate Rules 1 that have been accepted by the relevant Data Protection Authorities and that describe how a company will process personal data. 3) Other legislation and regulations may be in force, for example pertaining to archiving, fiscal legislation, export restrictions and ediscovery. 1 The scope of Binding Corporate Rules (BCR) is the internal operation of a group or legal entity, and therefore are not transferable to external Cloud service providers. Since 2013 there is a possibility to create BCR for the processor of personal data. As of this moment there have been few instances where this form of BCR have been applied. page 7 of 13

8 C. Security and data integrity 1) Provider will take appropriate measures to ensure both the physical and logical security of the Cloud service against loss or corruption and any form of unauthorized access, change or dissemination or other forms of unauthorized processing of the data. 2) In case of sensitive data: ISO27001, ISO27015 page 8 of 13

and any form of unauthorized access, change or dissemination or other forms of

9 D. Quality and continuity 1) Provider is responsible for quality aspects of the Cloud service and the service level of the Cloud service, in accordance with the agreement: a. Provider has an escalation- and communication plan b. Provider provides a support clause, containing a prioritization scheme in case of emergency c. Provider and customer reach an agreement on the availability of the Cloud service 2) Provider and customer come to an agreement on an exit strategy (in case of end of service or bankruptcy of the Provider), containing at least the following aspects: a. Roles, tasks and responsibilities b. Conditions that trigger the exit strategy c. Data portability I. The possible ways of extracting data II. The possible ways of migrating data to another provider d. The ways in which data is / can be destroyed 3) Provider takes care of adequate means of disaster recovery to ensure the availability of the Cloud service and the data 4) Provider offers insight into and influence on the change (what is going to change) and release (when is it going to change) calendar of the Cloud service 5) Provider and customer record the exchange standards used in the Cloud service, including the period in which these exchange standards will be supported. page 9 of 13

Provider and customer reach an agreement on the availability of the Cloud service 2) Provider and customer come to an agreement on an exit strategy (in case of end of service or bankruptcy of the

10 E. Confidentiality 1) Provider keeps confidential data secret. This means that at least: a. All data are kept confidential (meaning: are not to be made public), unless otherwise indicated b. Provider will contractually oblige all personnel working for it (including its own employees) that are involved in processing of confidential data to keep the confidential data secret c. Provider and customer record the consequences of a violation of the confidentiality. page 10 of 13

Provider will contractually oblige all personnel working for it (including its own employees) that are involved in

11 F. Supervision and notification 1) Provider will cooperate upon first notice of customer to exercise the right to supervision by or in the name of customer on the retention and the use of data by the provider 2) Provider will provide all data that it has in its power as a consequence of the execution of the agreement, including copies of the data, to the customer upon first notice 3) Provider will inform customer immediately upon gaining information on possible or certain: I. Degradation of quality (including availability) II. Violation of confidentiality III. Loss, theft or abuse of confidential and/or personal data; or IV. Violation of security measures or the anticipation that one of these issues will arise. This is necessary for the customer to be able to adhere to legal obligations to notify authorities of breaches of data security. 4) Customer is able to periodically perform an audit (or to have an audit performed) in order to check if the provider is operating according to agreements and applicable laws and regulations. 5) Customer is entitled to check the quality and the service level of the Cloud service from a user perspective and will not be restricted in this by the provider. 6) Provider will make every effort to look after the interests of the customer when confronted with requests and injunctions for access by authorities by: a. Verifying if there is a legal obligation to comply with the request or injunction b. Challenging the request/injunction when and where possible c. Not providing more data than necessary to comply (just the minimal dataset) d. Notifying the customer as soon as possible. page 11 of 13

will inform customer immediately upon gaining information on possible or certain: I. Degradation of quality (including availability) II. Violation of confidentiality III.

12 Organizations involved in the CIO Interest Group on Cloud Ahold / Albert Heijn AkzoNobel N.V. CBS Coöperatie VGZ UA CZ ECT Enexis B.V. Gemeente Rotterdam GVB Amsterdam Koninklijke Vopak LUMC Marel Food Systems Nutreco Rabobank Nederland Randstad SHV Sociale Verzekeringsbank Stichting SURF TBI Unirobe Meeùs Groep B.V UWV page 12 of 13

13 De vereniging van ICT eindverantwoordelijken in grote organisaties van de vraagzijde page 13 of 13

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last