Cloud Service Provider Contracts: A Checklist for Records Professionals

Corinne Rogers
University of British Columbia

Marie Demoulin, Jessica Bushey, Elissa How, Robert McClelland

InterPARES Trust International Symposium
Marburg, Germany
June 8, 2016



Research team

• Researcher & Project Lead
  – Dr. Marie Demoulin, Université de Montréal

• Graduate Research Assistants
  – Jessica Bushey, UBC
  – Elissa How, UBC

• Independent Researcher
  – Robert McLelland, Delta Museum & Archives


• Access
• Security
• Infrastructure
• Control
• Legal
• Policy
• Social Issues
• Resources
• Terminology
• Education


Purpose & Research question

• To explore the contract – specifically the contract between a client and a cloud service provider – as a tool for building trust

• How effectively do cloud service contracts meet the needs of records managers, archivists, and information governance professionals?


First step: Review the Literature

• Current research (2011-2014)

Findings:
  – Several legal documents exist
    • Terms of Service
    • Service Level Agreements
    • Privacy Policies
    • Acceptable Use Policies
  – Little standardization of terms
  – “Often incomprehensible to majority of users”
  – Wide-ranging exclusions of liability favor the providers
  – Terms may change


First step: Review the Literature

• Case Law and Related Articles

Findings:
  – Relatively few cases, but several legal tenets
  – Complexity results from jurisdictional and industry differences
    • Contract law
    • Privacy and access
    • Confidentiality and security of data
    • Data jurisdiction and conflict of laws


First step: Review the Literature

• Recordkeeping Standards, Cloud Computing Contract Standards, and related articles
  – ISO 15489 (2001)
  – ISO 14721 (2012)
  – ARMA GARP (2013)
  – MoReq (2009)


First step: Review the Literature

• Recordkeeping Standards, Cloud Computing Contract Standards, and related articles
  – Cloud Service Level Agreement Standardization Guidelines (2014)
  – Public Records Office of Victoria (2012)


Comparative Analysis

• Regardless of jurisdiction, sector, or profession, common risks exist:
  – Unauthorized access
  – Privacy breach
  – Loss of access, control
  – Lack of transparency of service
  – Lack of ability to negotiate service
  – Location ambiguity
  – Contract ambiguity


Specific Considerations

• Data ownership
• Availability, retrieval and use
• Data storage and preservation
• Data retention and disposition
• Security, confidentiality, privacy
• Data location and cross-border data flow
• End of service; contract termination


Selected contracts

• No marketing material
• Boilerplate contracts & documents
  – Terms of Service (ToS)
  – Service Level Agreements (SLA)
  – Privacy policies, Acceptable Use policies, Security terms
• Jurisdiction
  – Canada, United States, Europe


Contracts considered

• Amazon.com (USA)
• Bluelock (USA)
• Dropbox (USA)
• Egnyte (USA)
• GoGrid (USA)
• Google (USA)
• ProfitBricks (USA)
• Rackspace (USA)
• City Network (Sweden)
• SAP (Belgium)
• Pathway Communications (Canada)


The Checklist


The Checklist - sections

• Agreement
• Data Ownership and Use
• Availability, Retrieval, and Use
• Data Storage and Preservation
• Data Retention and Disposition
• Security, Confidentiality, and Privacy
• Data Localization and Cross-border Data Flows
• End of Service; Contract Termination


Integration & Review

• Integrated with NA03: Standards of Practice
• Integrated with NA06: Retention & Disposition checklist
• Released for feedback in fall 2015
• Tested in International Federation of Red Cross and Red Crescent Societies
• Presented at ICA in Reykjavik, Iceland – vetted in an international space – poster on ICA website


Resources

• Cloud Service Contracts: An Issue of Trust, Canadian Journal of Library and Information Science (CJLIS): Special Issue on Data, Records and Archives in the Cloud, June 2015

• https://interparestrust.org/Dissemination
  – Annotated bibliography
  – Checklist
  – Final Report


Continuing activities

• Checklist being translated into Spanish
• Report being finalized


Thank you!

www.interparestrust.org