FAQ regarding the Framework of Legal Standards for Cloud Services
Read the answers to frequently asked questions regarding the Framework of Legal Standards for Cloud Services
1. What is the Framework of Legal Standards for Cloud Services?
SURF's Framework of Legal Standards for Cloud Services provides an overview of best practice clauses for agreements with cloud service providers. These are guidelines concerning confidentiality, privacy, ownership and the availability of data. The more important and sensitive the data, the higher the risk and the more stringent the measures and contractual agreements with cloud suppliers must be.
2. Why was the Framework of Legal Standards for Cloud Services developed?
The issues of confidentiality, privacy, ownership and availability are crucial to any party purchasing cloud services. As an early adopter, the higher education sector was quick to recognise the advantages of the cloud. However, it also encountered various problems in areas such as privacy. There was a need for clear guidelines to apply when considering the use of specific cloud services and during negotiations with suppliers of such cloud services.
3. Who developed the Framework of Legal Standards for Cloud Services?
The Framework of Legal Standards for Cloud Services was developed by a team of lawyers at SURF in collaboration with external legal experts and legal experts at higher education and research institutions. The framework of standards builds on the knowledge that SURF has acquired in recent years, such as the IViR report on the Patriot Act and cloud services and research (PDF, in Dutch), issued at the request of SURF.
4. How can the Framework of Legal Standards for Cloud Services be used?
Higher education and research institutions can include these clauses in their own individual agreements with cloud suppliers. They themselves are responsible for conducting the necessary risk analysis. The framework of standards can be applied as a benchmark for the suppliers' data confidentiality procedures. SURFmarket also uses these clauses during negotiations with suppliers of cloud services to multiple education institutions.
5. What makes these guidelines so important?
Crucially, these guidelines represent a clear statement by the entire sector and contribute to the debate on privacy in relation to the use of cloud services. The Framework of Legal Standards for Cloud Services serves to eliminate any lack of clarity and uncertainty among both suppliers and customers. It also offers cloud suppliers an opportunity to collaborate with the higher education and research sector and to demonstrate their data protection procedures. The framework can serve to alleviate institutions' concerns about the use of cloud services and facilitate large-scale usage.
6. What consequences will the implementation of this framework of standards have for the higher education and research institutions affiliated with SURF?
Institutions can be assured that the cloud services comply with the guidelines concerning confidentiality, privacy, ownership and the availability of the data as stated in the Framework of Legal Standards for Cloud Services. Institutions should discuss the framework during their own negotiations with cloud suppliers. It is therefore important that institutional purchasing and IT departments are familiar with this framework. They should annually assess whether the service or services provided by the cloud suppliers still comply with the agreed conditions.
7. What is the added value of the Framework of Legal Standards for Cloud Services for end users, such as students, researchers and lecturers?
A significant added value for end users such as students, researchers and lecturers is that they can be assured that, within these services, their data will meet strict requirements in respect of privacy and security, and that compliance with these conditions is also periodically assessed by an independent auditing party.
8. What consequences does the Framework of Legal Standards for Cloud Services have for IT suppliers who provide or are looking to provide cloud services to SURF?
The Framework of Legal Standards for Cloud Services is a mandatory element of negotiations with suppliers of cloud services. Suppliers are expected to comply with these guidelines. In the event that a cloud supplier is unable to meet one or more of the conditions, the supplier will be required to explain the reason for this to SURF in writing. Such explanations will be taken into consideration when deciding whether or not to enter an agreement with the supplier in question.
9. Who is responsible for compliance with the standards laid down in the Framework of Legal Standards for Cloud Services, and how is compliance monitored?
Both contracting parties are responsible for compliance with the agreed conditions. If an agreement is initiated by SURF and non-public data are involved, SURF requests an audit of the security measures and the service organisation as standard in accordance with the requirements specified in the agreement. The audit findings are laid down in a Third-Party Declaration, which is an independent and unbiased assessment provided to SURF by the supplier and which provides institutions with the assurance that data protection and the service organisation meet the applicable standards. SURF evaluates these declarations and requests a new declaration from the supplier once the agreement period has lapsed. Education institutions that have concluded their own contracts with cloud suppliers are themselves responsible for ensuring such contracts are monitored for compliance with the agreed conditions on a regular basis.
10. Does the Framework of Legal Standards for Cloud Services comply with the most current Dutch and European regulations?
Certainly, but the Framework of Legal Standards for Cloud Services also has to be kept updated. That is why SURF has set up a legal committee to follow national and international developments and make amendments to the current framework of standards where necessary. New European legislation on privacy that is soon to come into force will lead to adjustments, for example. This legal committee consists of a SURF lawyer, a lawyer representing both a research university and a university of applied sciences, and SURF staff specialised in data security and vendor management.
11. How is the Framework of Legal Standards for Cloud Services kept up to date?
A legal committee has been set up to amend clauses in line with any changes to Dutch or European legislation and regulations. This legal committee consists of a SURF lawyer, a lawyer representing both a research university and a university of applied sciences, and SURF staff specialised in data security and vendor management. They follow national and international privacy and technological developments in relation to cloud services.
12. What happens if a supplier fails to comply with the agreements?
If a cloud supplier fails to comply with the agreements, the supplier will be approached in an appropriate manner, by legal means if necessary. This could result in termination of the agreement and/or enforcement of the penalty clause of the Framework of Legal Standards for Cloud Services.
13. What if no cloud suppliers within a particular product group can comply with the Framework of Legal Standards for Cloud Services?
The IT market is developing rapidly and it is possible that the terms of the Framework of Legal Standards for Cloud Services are not applicable to certain product groups. Should technological developments in cloud services necessitate this, the framework of standards will be adjusted. If, for a certain product group, not a single cloud supplier can be found that complies with the framework of standards, the supplier agreement should state this explicitly. It is then up to each individual institution to decide whether or not to participate in the agreement.
14. How does the Framework of Legal Standards for Cloud Services work, in practical terms? Is it a compass, a yardstick or a check mechanism?
The Framework of Legal Standards for Cloud Services is a yardstick, used to measure a supplier's cloud services. It is up to SURF or the education institution to determine whether the 'length' measured meets the requirements. If the cloud service does not stretch far enough, then the shortcomings are established in writing in the intermediary agreement and the cloud supplier's written statement is published on My SURFmarket. It is then up to the individual institution to decide whether or not to participate in the agreement.
15. How can the Framework of Legal Standards for Cloud Services be enforced on suppliers?
The basis for this is the commitment on the part of SURF and the education institutions to use their collective purchasing power to enforce the Framework of Legal Standards for Cloud Services in the contracts with cloud suppliers. The commitment to the ‘comply-or-explain’ principle has since been expressed in the Information Security Steering Committee, the CIO Consultation, the CvDUR and COMIT and consequently by the IT management of the institutions. SURF has yet to submit the framework of standards to the umbrella organisations – the Association of Universities in the Netherlands, the Netherlands Association of Universities of Applied Sciences, and the Netherlands Federation of University Medical Centres – to obtain broad administrative commitment in the higher education sector. Indeed, it is this collectivity that gives the sector the power to stand strong in negotiations with suppliers.
16. How can institutions best deal with students and staff who work with information that is important to the institution using cloud services that are not covered by the institution's contracts?
SURF advises higher education and research institutions to ensure their staff and student codes of conduct include clauses obliging them to respect the confidentiality, privacy and ownership of such information. SCIPR, the national consultative body for information security professionals in the higher education sector, has tips and suggestions.
17. Do the cloud services SURF itself provides comply with the standards set?
The Framework of Legal Standards for Cloud Services was developed for the purchase of cloud supplier services. Naturally, SURF will also apply this framework of standards to its own cloud services. The SURFdrive personal cloud storage service is currently the only cloud service provided by SURF. While the SURFdrive storage service does comply with the privacy and security requirements, this has not yet been assessed by independent audit. This assessment will be performed as soon as possible. SURF also seeks to ensure its other (non-cloud) services, in which privacy and confidentiality are key, comply with the framework of standards. It is possible that not all aspects of the framework of standards on cloud services will be relevant. In such cases, we will disregard any aspects solely relevant to clouds. Ensuring all SURF services comply with the framework of standards will take time because the guidelines could lead to changes to the format of the services and to the agreements SURF has made with the third parties involved in service provision.
More information or questions?
- Read all about the Framework of Legal Standards for Cloud Services
- If you are a legal officer of an education institution, please contact Chinny Bomers, via email@example.com.