Contracting in the cloud is not really different to any other technology agreement but in most circumstances, especially with a public cloud, organisations may be forced to just accept the provider's standard terms and so an audit of their potential providers becomes important so as to consider with which provider there is the least legal risk.
So says Tammy Bortz, director of Werksmans Attorneys, who, also notes that in SA there is no legislation that exists governing cloud computing. Nonetheless, she explains, internationally there are guidelines and codes of conduct for cloud providers and cloud services from which organisations can take guidance.
“The common thread both locally and internationally in cloud computing contracts is trust, transparency, security, data protection and availability,” she says.
Bortz is of the view that data protection and privacy are the most commonly presented risks when considering placing sensitive and personal data in the cloud.
“Cloud providers should have comprehensive privacy policy settings that indicate how they deal with personal information,” she says.
Many jurisdictions have legislations aimed at protecting personal information and imposing obligations on data processors, she says, adding that the most notable example of this is in the UK's Data Protection Act.
“Cloud providers in the UK must adhere to this legislation, which imposes obligations around the manner in which personal and sensitive data is used and how this data can be transmitted.”
ITWeb Governance, Risk and Compliance Conference 2012
The ITWeb Governance, Risk and Compliance Conference takes place on 21 February 2012. For more information and to reserve your seat, click here.
According to Bortz, SA has no legislation that currently regulates this. “However, the promulgation of the Protection of Personal Information (POPI) Bill is imminent,” she points out.
“Organisations need to undertake a due diligence when thinking about using cloud computing,” Bortz emphasises. “Business needs to understand the various risks associated with the cloud and be cognisant of the privacy and security policies of the service provider. With regard to security, organisations need to ask two very important questions - the first is whether the provider has had any security breaches and the second is if they have, what was the nature of the breach and what have they done to ensure the breach does not reoccur?”
She explains that the POPI Bill covers all forms of data, especially in the hands of third parties, including operators
Bortz is a speaker at the ITWeb Governance, Risk and Compliance Conference 2012. For more information, click here.

