Cloud-based services refer to the on-demand delivery of information and communications technology (ICT) services over a network from a shared pool of computing resources. These types of services are attractive to NSW Government agencies as they involve acquiring services on a "pay as you go" basis instead of buying internal IT resources which can be costly.
Given the shift to cloud-based services, the Department of Customer Service (formerly known as the Department of Finance, Services and Innovation) has released a draft short form agreement for the procurement of cloud-based services (Cloud Agreement).
The Cloud Agreement is designed to work in conjunction with buy.nsw – a government marketplace that connects NSW Government agencies (Buyers) with external providers for services (Sellers). It aims to provide a clear, streamlined and user-friendly approach to contracting that meets the needs of Buyers procuring services in a fast-paced and ever-changing digital environment.
The Cloud Agreement is currently available for use by Buyers on a pilot basis for low-risk ICT procurements with a value of less than $500,000 (ex GST).1 Buyers may choose between the Procure IT Framework or the Cloud Agreement depending on their own procurement needs and risks.
Frequently Asked Questions
|Can I use this Cloud Agreement?||
Yes – the Cloud Agreement can be used for low-risk ICT procurements with a value of less than $500,000 (ex GST). However, the Buyers ought to carry out its own risk assessment of the particular procurement when deciding whether to use the Cloud Agreement, including having regard to the associated issues identified below.
|Can I procure cloud services using the Cloud Agreement?||Yes.|
|Can I procure professional and consulting services using the Cloud Agreement?||
No – Buyers will need to procure these services under the Procure IT Framework (e.g. Procure IT 3.2 or Core& Agreement as amended from time to time).
|Can I vary the terms of the Cloud Agreement?||
Yes – it is intended that changes may be made to the Cloud Agreement via a process to be set out in the relevant Procurement Board Direction.
|Can the Seller attach its own 'Seller Terms' to the Cloud Agreement?||
Yes – a Seller can attach additional terms to the Cloud Agreement provided that those terms do not change the legal outcomes under the Cloud Agreement, or change the agreed requirements. On a practical level, Buyers ought to carefully review 'Seller Terms' and any third party software pass-through terms before attaching them to the Cloud Agreement.
Some key issues for Buyers to be aware of when using the Cloud Agreement
- Managing the "Selected Region"
Under the Cloud Agreement, the default region for the storage and management of the Buyer's data is Australia. However, there is scope for parties to agree to a foreign region. This may have the potential to materially increase the risk profile of the cloud service being procured.
'Data sovereignty' and the issues associated with transferring data outside of Australia must be carefully considered by Buyers as they may find themselves inadvertently governed by the laws of a foreign country e.g. under US law, the US Government has avenues to request access to data held in the US.
- Security requirements to manage data
Sellers are required to implement and maintain security controls in accordance with industry standards to store and manage the Buyer's data.
The Cloud Agreement does not, however, address data breach remediation and notification requirements; for example, when it comes to controlling and deciding whether the Privacy Commissioner and/or affected individuals need to be notified of a data breach. Buyers ought to consider if additional security requirements are needed to address data breach issues.
Under the Cloud Agreement, the Buyer indemnifies the Seller against any loss or damage from a breach of a third party's intellectual property rights in connection with the Buyer's use of the cloud service. This position is markedly different from the current position under the Procure IT Framework – that being that Buyers are not allowed to give indemnities to a Seller.
The move away from the standard Procurement Board Direction recognises that, under a cloud service, Buyers are operating in the Seller's environment and any third party indemnity will relate to risks that the Seller will generally have no control over. Nonetheless, this position needs careful consideration in the context of the particular cloud service being procured.
- General liability cap
The general liability cap under the Cloud Agreement is set at the fees paid or payable in the 12 months preceding the cause of action giving rise to the liability, provided that the cap for the first year is at least $1,000,000.
This means that the cap for the first year will be significantly greater than the cap for subsequent years, given that the Cloud Agreement can only currently be used for low-risk ICT procurements with a value of less than $500,000 (ex GST). Buyers should assess on a case by case basis whether, on balance, the cap is acceptable to the relevant procurement.
- Security breach cap
The liability cap for a security breach is set at two times the fees paid or payable in the 12 months preceding the cause of action giving rise to the liability, provided that the cap for the first year is at least $2,000,000.
Again, Buyers should assess on a case by case basis whether, on balance, the cap is acceptable or whether, depending on the sensitivity of the data involved, a 'security breach' ought to be treated as more akin to confidentiality or privacy breaches. The latter breaches are uncapped under the Cloud Agreement.
- Capturing detailed requirements for cloud services
While most of the detailed requirements can be set out, on or linked to, the nsw.buy site under the new operating model, Buyers will need to ensure that any specific requirements are documented and attached to the Cloud Agreement.
What you need to know
In line with the NSW Data Centre Reform Strategy circular, the demand for cloud-based services will only increase as NSW Government agencies move from 'on-premise and leased' infrastructure to cloud-based services. While the Cloud Agreement provides Buyers with a simpler, streamlined and user-friendly approach to engage Sellers, Buyers will still need to undertake a careful risk assessment of the particular cloud procurement and exercise caution when using the Cloud Agreement in place of the Procure IT Framework.
1 https://www.digital.nsw.gov.au/policy/buying-ict/cloud-guidance-and-policy. The contract value refers to the total price of the whole-of-life requirement and cannot be split into lower-price components.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.