Pie in the sky?
Is cloud computing a ray of light or a gathering storm? Alison Deighton, data protection expert at law firm TLT, takes up the case
For many years businesses in the social housing sector have relied on ‘local’ delivery of IT infrastructure. Typically, they have managed their needs with on-site hardware and software managed by dedicated IT teams. Recently, a gradual shift has started. Instead of local, physical delivery, users have started to move to ‘remote’ web-based IT provision.
This is often delivered by large, well-known companies such as Amazon, Google, Microsoft and Apple. The remote delivery of IT functionality is commonly referred to as ‘cloud computing’.
Here we look at the pros and cons that those in the social housing sector should consider before moving IT functions to the cloud as well as the key legal issues users need to think about when reviewing cloud offerings.
The benefits of cloud computing can seem compelling. Marketing of cloud services tends to focus on two key advantages: low cost and flexibility. Users can avoid capital expenditure but still get the benefit of complex infrastructure that is constantly updated as new features become available. And it allows users to pay only for what they use and to quickly scale up or down the service they receive in line with demand.
Cloud services also promise mobility, allowing users to access services from anywhere. Cloud services will often look like the cheapest and most flexible option available to users. One FTSE 250 company reported cost reductions of 70 per cent on moving its email services into the cloud.
Does all of this sound too good to be true? Well, it possibly is. Although the marketing for cloud computing offers great things, unsurprisingly marketing materials tend to neglect associated risks.
Firstly, contracts offered by cloud providers are usually one-sided, with very limited user protections and no room for negotiation. Warranties around service standards are often either non-existent or drafted so that they are practically meaningless in legal terms. In addition, major providers are often located in the US with contracts subject to US law and the jurisdiction of the US courts.
All of this means that if a cloud service fails, a user’s right to bring a contractual claim is limited, and even if a user can bring a contractual claim it will need the appetite to bring a claim in the US.
Cloud solutions also pose regulatory compliance issues. If personal data is held in the cloud, the user will need to ensure that data protection requirements are met. In practice this requires the contract with the cloud provider to include strict data security obligations and to ensure that personal data is protected adequately if it is transferred outside the European economic area. On close inspection most cloud providers do not offer sufficient contractual protection to ensure user compliance with data protection requirements.
There are also practical issues which those in the social housing sector should consider and questions to ask:
- Do exit procedures allow quick and effective retrieval of data from the cloud? Some cloud providers only release data in their own proprietary format, which makes it difficult to migrate to another supplier.
- What disaster recovery procedures are in place? If data is lost, what obligation does the cloud provider have to retrieve and reconstitute data?
- How much notice must users give to flex the services they receive to achieve cost savings?
- Another issue for users to consider is the reliability of their own internet connections. If a connection is unavailable, is there a back-up? If not, when would a lack of access to the data/systems accessed through the cloud start to cause problems?
All of these issues need to be weighed up against the advantages of cost and flexibility offered by the cloud. For some the cost-effectiveness and speed of setting up cloud services (especially for non-mission critical parts of their work) will far outweigh the risks outlined above. For others, inadequate services standards and the loss of control over data and systems will not be acceptable, or the regulatory risks will be too high.
Clearly there are tangible benefits for social housing organisations considering going into the cloud. However, before doing so it would be wise to weigh up all the practicalities and assess potential obstacles. This includes assessing which IT requirements are suitable for the cloud, the nature of the data that will be held in the cloud and, with this in mind, whether the selected cloud provider’s contractual obligations offer sufficient comfort.
For more information please contact Alison Deighton on 0117 917 8016 alison.deighton@TLTsolicitors.com Alison Deighton is an associate and head of data protection and privacy at national law firm TLT. www.TLTsolicitors.com