Department Of Public Expenditure And Reform Publishes Advice On Cloud Computing

  1. Background

    On 17 October 2019, the Department of Public Expenditure and Reform ("DPER") published an advice note on cloud computing (the "Advice Note")1. The Advice Note was developed by the Office of the Government Chief Information Officer in conjunction with the ICT Advisory Board and the wider public service ICT community. In December 2015, DPER issued a policy document called Considering Cloud Services which provided advice to assist public service organisations in making informed, risk-based decisions in relation to the adoption of cloud computing services ("CCSs"). While the 2015 policy document is still valid, the Advice Note recognises that cloud computing, along with the policy and legislative environments of which it forms a part, has continued to develop subsequent to the publication of the 2015 policy document. Consequently, DPER has published the Advice Note, which outlines its proactive and progressive approach to procurement of cloud computing in Ireland.

  2. Scope of Advice Note

    The Advice Note aims to provide high-level guidance to assist organisations in making decisions in relation to the adoption of cloud computing. Accordingly, the Advice Note does not detail the technical and functional features of the infrastructure provided to supply a particular cloud computing solution. It does not recommend particular providers, products or services, nor does it set out model procurement contributions whether on an individual supplier or supplier panel framework type basis. The scope of the Advice Note is limited, but as a high-level statement of policy it is useful.

  3. Responsibility, not accountability, can be outsourced

    While organisations may outsource their responsibility for the delivery of a CCS to a cloud service provider ("CSP"), DPER stresses in its Advice Note that organisations cannot outsource their accountability for that service to a CSP. Moreover, organisations remain responsible for their regulatory obligations, including their obligations under data protection law. Consequently, DPER states that organisations will need to put in place or update their own local cloud strategy, plans and policies. Organisations should seek legal advice prior to or during the implementation or updating of local cloud strategy, plans and policies.

    This is similar to established norms in the outsourcing area, where public bodies can outsource service delivery, but not responsibility for the service. However, in the procurement of CCSs the perception is frequently that public sector customers have less leverage than they enjoy in other domains, including procurement of more traditional software licences and implementation, together with various forms of output-measured service outsourcing. Certainly, procuring CCSs does require public sector customers utilising public procurement to adopt an approach that is at least somewhat different from that used in more established ICT goods/services and outsourcing domains. The Advice Note does not go into detail in these areas, nor does it provide public sector bodies with even a partial procurement solution in the form of individual supplier sector contracts or a supplier panel framework type agreement. It is essentially a policy document.

  4. Viable service for most public service information or system

    DPER believes that CCSs should be considered "potentially suitable" for any category of public service information or system (except where such data would be classified as 'top secret' in accordance with the Department of Finance's Circular 39/07: Classification of material as 'top secret')2 and recommends that, where possible, all new government systems should be developed to exploit the opportunities presented by cloud deployment. All existing systems will be reviewed for cloud capability and, where practicable, suitable systems should move to public cloud or government private cloud environments. However, DPER stresses that "in all cases, a move to cloud will be a business decision on the basis of specific considerations made by individual public service organisations." This business decision, and more particularly what inputs go into decision-making and what criteria to apply to decision-making, is, we believe, the key practical difficulty for public sector bodies considering procurement of CCSs.

  5. Definition of 'cloud computing'

    DPER notes that there is "no overarching agreed definition" of 'cloud computing' because "cloud computing refers to a concept comprising a set of combined technologies and not to a specific technology."

    NIST definition of 'cloud computing'

    The United States National Institute of Standards and Technology ("NIST") defines 'cloud computing' as:

    "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."3

    The NIST's definition of 'cloud computing' is internationally accepted and is summarised below:

    | Five essential characteristics | Four deployment models | Three service models               |
    |--------------------------------|------------------------|------------------------------------|
    | On-demand self-service         | Private cloud          | Software as a Service (SaaS)       |
    | Broad network access           | Community cloud        | Platform as a Service (PaaS)       |
    | Resource pooling               | Public cloud           | Infrastructure as a Service (IaaS) |
    | Rapid elasticity               | Hybrid cloud           |                                    |
    | Measured service               |                        |                                    |

    DPER's definition of 'cloud computing'

    For the purposes of the Advice Note, DPER defines 'cloud computing' as:

    "a set of technologies and service models that focus on network-based on-demand use and delivery of IT applications, processing capability, storage and memory space"

    that can be provided by an external service...
