ezine

19 Dec 2011

Internet and the Law: Cloud Code of Practice – Work in Progress

Work is underway in New Zealand on the development of a code of practice for cloud computing providers. This article looks at the development of the code. The code of practice may come to define good industry practice in New Zealand and may therefore be important for every provider of cloud computing services in New Zealand, regardless of whether or not they intend to actively comply with the code of practice.

The Initiative

Following a number of industry group discussions, including at the Nethui organised by InternetNZ in June/July this year, work is in progress on a New Zealand Cloud Computing Code of Practice (Cloud Code). A group of industry participants have taken steps to develop a voluntary industry code to provide standards and guidelines for providers of cloud computing services in New Zealand. The New Zealand Computer Society is taking a leading role as an independent facilitator in the development of the Cloud Code. The development of the Cloud Code is backed by, and being funded by, a number of industry participants, including Xero, Equinox, Gen-i, Salesforce.com and InternetNZ.

Development of the Cloud Code follows in the footsteps of the industry in the UK where the Cloud Industry Forum has developed a Code of Practice for Cloud Service Providers (UK Code). The UK Code's main aim is to ensure a reasonable and consistent level of transparency about businesses and their operational practices throughout the Cloud industry. Organisations complying with the Code are required to conduct themselves in an open and transparent manner which facilitates rational decision-making and management by purchasers of their services. Some examples of what is required of cloud providers under the UK Code is:

1. disclosing information on where data is held, and where processing of data takes place;
2. providing information on security and data protection measures;
3. providing information on the ability of customers to retrieve data in the event the service provider, or its suppliers, change the provision of services or crease business; and
4. providing a complaints procedure with escalation processes.

The UK Code also covers capability and accountability. The UK Code can be found at here.

Terms of Reference

The development of the Cloud Code in New Zealand is still in its initial stages, but Terms of Reference have been developed to outline the objectives of the Cloud Code. The main objective is to establish an agreed set of clear minimum and recommended practice guidelines for those operating in the cloud. The Cloud Code is intended to help protect the reputation of those providing professional services to acceptable standards as well as help define what good practice should look like in New Zealand.

The Terms of Reference provide for the establishment of a Steering Group to oversee the development of the Cloud Code and to ensure all stakeholders have an opportunity to provide input. The office of the Privacy Commissioner and Government Technology Services will also be invited to have representatives attend Steering Group meetings in a non-voting observer role. The industry will be connected through a stakeholder Reference Group. We understand all relevant stakeholders will be invited to join this Reference Group.

That the Cloud Code may define good industry practice in New Zealand may have consequences for providers of Cloud services even if they do not voluntarily decide to actively comply with the Cloud Code. Many contracts provide for service providers to carry out services in accordance with good industry practice so if compliance with the Cloud Code became standard practice, cloud service providers could well be required to comply. It may also eventually become standard practice to include compliance with the Cloud Code as an express contract provision. All providers of Cloud services should therefore consider whether it is appropriate to be involved in the development of the Cloud Code.

The current timetable envisages a draft skeleton model Cloud Code being released before the end of 2011 and the first version of the Cloud Code released at the end of March 2012. For further information, or to get involved in the development of the Cloud Code here. We will be watching development of the Cloud Code with interest.

Key Contacts

Karen Ngan
Mark Colley

Other articles this month

The Law Commission's Report on the Privacy Act - a new Act?

IT Projects - Risk Assessment and Mitigation

Storm Brewing Over Cloud TV

Author

Karen Ngan

Partner - Corporate & Commercial

DDI: +64 9 977 5080

Mobile: +64 21 648 977

Email:

View Profile