Contractual requirements for IT outsourcing and cloud computing

1 Introduction

1.1 This method statement describes the process for drafting a contract between the University and a third party provider of an outsourced or cloud computing University IT Service. It also lists the terms and conditions that must be included in the contract. It forms part of the University Information Security Policy.

2 Procurement process

2.1 Draft contracts must be prepared and reviewed by a University team, which includes people with knowledge of:

  • Information and contract law
  • Data Protection
  • University procurement regulations
  • Information Security
  • University IT (technical specialist)

2.2 The University team must review and follow the most recent guidance and advice on outsourcing and cloud computing contracts from JISC Legal, specifically the Toolkit for Cloud Computing.

2.3 The University team must also review recent advice and guidance from other organisations in relation to outsourcing and cloud computing contracts to ensure current good practice is followed. Evidence of such appraisal should be recorded. Examples of organisations providing advice and model clauses include:

2.4 Legal advice must be taken if the contract involves data transfer outside the European Economic Area to ensure the contract is adequate for compliance with UK Data Protection Law.

2.5 Final contracts must be agreed by the senior manager responsible for the service. If the service is to be provided at a University level the contract should be agreed by the Director of Information or his nominated alternative.

3 List of contract terms and conditions

3.1 Data Protection

  • Definition of terms to make it clear that the University remains legally responsible for data protection and is the data controller and that the third party (service provider) is the data processor
  • Description of the data that will be processed under the terms of the contract and its status (degree of sensitivity)
  • Condition that the third party (data processor) will only process data in accordance with the University’s (data controller) instructions
  • Condition that the third party will take appropriate technical and organisational measures against unauthorised or unlawful processing of the University’s data and against accidental loss or destruction of or damage to the University’s data (seventh data protection principle)
  • Condition that the country in which University data is held is specified or that the legal framework which protects University data is in accordance with the eighth data protection principle
  • For US companies, condition of membership of the Safe Harbor scheme (or such alternative scheme as replaces it)
  • Condition for protection of data during transit e.g. using encryption
  • Process and timescale for destruction of University data by the third party at contract termination
  • Condition that the University retains the right to assure compliance with data protection terms and conditions, in addition to any published compliance audits e.g. SAS70
  • Condition that no advertising is served without the consent of the University.

3.2 Intellectual Property Rights

  • Condition that all data and content uploaded by University users will continue to be owned by the University. "Nothing in the contract should be construed as granting the third party any right, title, or interest in the University's intellectual property rights."

3.3 Compliance

  • Condition that the University maintains control over its data to enable it to comply with legislation, including the Freedom of Information Act and Data Protection Act, and its own Investigations and Data Access Policy (which includes legal requests).

3.4 Licensing

  • For resources licensed by the University (e.g. datasets, journals), a condition that best efforts will be made by the third party to prevent access by unlicensed users and to prevent any unauthorised usage of the licensed resources.

3.5 Confidentiality

  • Condition that University data is only accessed by those within the third party who need to access it for the provision of the service, and that those individuals are under confidentiality obligations no less restrictive than those contained in the contract between the University and the third party
  • Process and timescale by which the third party will notify the University of unauthorised disclosure or information breaches and the third party’s plans to remedy the situation
  • Condition as to permitted use by the third party (if any) of University confidential information
  • Definition of monitoring undertaken by the third party of the University use of the service.

3.6 Governing law and jurisdiction

  • Condition that the contract should be governed by English law and that the parties should submit to the exclusive/non-exclusive jurisdiction of the English courts. Binding arbitration in the UK might be an alternative.

3.7 Sub-contracting

  • Description of any sub-contracting undertaken by the third party, if any
  • Condition that any sub-contractors operate the same level of data protection as the third party
  • Description of the contractual arrangements in place between the third party and its subcontractors

3.8 Service levels

  • Description of the Service Level Agreement (SLA) or equivalent, including uptime/availability requirements (which are likely to be specific to each contract)
  • Description of how performance will be linked to payment (if the service is fee paying)
  • Description of the processes to be activated by the third party or University on non-performance or breach of contract, including any penalties or compensation
  • Statement of expected duration of the contract
  • Process and timescales for either party wanting to terminate the contract
  • Process and description of information to be returned to the University or destroyed by the third party at the end of the contract
  • Condition that the University is able to access its data in a non-proprietary file format in order to migrate it to another service if the contract is terminating
  • Process for how the service will be modified and updated by the third party and how the University will be informed
  • Description of the service administration that will be undertaken by both the third party and the University
  • Description of back-up processes and disaster recovery timescales and plans.

3.9 Acceptable use

  • Conditions on the University to operate and use the service in compliance with any acceptable use policy of the third party
  • Conditions on the University to demonstrate compliance and how it should notify the third party of non-compliance
  • Actions that the third party will take if it discovers non-compliant activity, including service suspension.

3.10 Warranties

  • Description of and conditions relating to warranties in respect of the service being provided.

3.11 Indemnities

  • Conditions that require the University to indemnify (compensate for loss) the third party against any claim arising from the University’s use of the service.
  • Conditions that require the third party to indemnify (compensate for loss) the University in relation to any claim from an individual (data subject) as a result of unlawful processing (including breach of security) by the third party.

3.12 Exclusions and Limitations of Liability

  • Conditions that define limitations of liability and the maximum amount of liability including direct damages (e.g. cost of dealing with a breach), indirect damages (e.g. loss of profit if service fails), force majeure (e.g. natural disaster affecting the third party or its subcontractor)
  • Condition that loss of data is not excluded from limitations of liability
  • Condition that liability rests with the third party, not with its sub-contractors (if any).

4 Oversight

4.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this method statement and carry out regular reviews.

Document history and status

12 September 2012 Approved by Information Policy Executive
08 October 2012 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board

Status

Review cycle: Three yearly

Date of next review: January 2019