NSW Government’s new cloud contracting framework

Cloud-based services refer to the on-demand delivery of information and communications technology (ICT) services over a network from a shared pool of computing resources. These types of services are attractive to NSW Government agencies as they involve acquiring services on a “pay as you go” basis instead of buying internal IT resources which can be costly.

Given the shift to cloud-based services, the Department of Customer Service (formerly known as the Department of Finance, Services and Innovation) has released a draft short form agreement for the procurement of cloud-based services (Cloud Agreement).

The Cloud Agreement is designed to work in conjunction with buy.nsw – a government marketplace that connects NSW Government agencies (Buyers) with external providers for services (Sellers). It aims to provide a clear, streamlined and user-friendly approach to contracting that meets the needs of Buyers procuring services in a fast-paced and ever-changing digital environment.

The Cloud Agreement is currently available for use by Buyers on a pilot basis for low-risk ICT procurements with a value of less than $500,000 (ex GST).[1] Buyers may choose between the Procure IT Framework or the Cloud Agreement depending on their own procurement needs and risks.

Frequently Asked Questions

Some key issues for Buyers to be aware of when using the Cloud Agreement

• Managing the “Selected Region”
  Under the Cloud Agreement, the default region for the storage and management of the Buyer’s data is Australia. However, there is scope for parties to agree to a foreign region. This may have the potential to materially increase the risk profile of the cloud service being procured.
  
  ‘Data sovereignty’ and the issues associated with transferring data outside of Australia must be carefully considered by Buyers as they may find themselves inadvertently governed by the laws of a foreign country e.g. under US law, the US Government has avenues to request access to data held in the US.

• Security requirements to manage data
  Sellers are required to implement and maintain security controls in accordance with industry standards to store and manage the Buyer’s data.
  
  The Cloud Agreement does not, however, address data breach remediation and notification requirements; for example, when it comes to controlling and deciding whether the Privacy Commissioner and/or affected individuals need to be notified of a data breach. Buyers ought to consider if additional security requirements are needed to address data breach issues.

• Indemnities
  Under the Cloud Agreement, the Buyer indemnifies the Seller against any loss or damage from a breach of a third party’s intellectual property rights in connection with the Buyer’s use of the cloud service. This position is markedly different from the current position under the Procure IT Framework – that being that Buyers are not allowed to give indemnities to a Seller.
  
  The move away from the standard Procurement Board Direction recognises that, under a cloud service, Buyers are operating in the Seller’s environment and any third party indemnity will relate to risks that the Seller will generally have no control over. Nonetheless, this position needs careful consideration in the context of the particular cloud service being procured.

• General liability cap
  The general liability cap under the Cloud Agreement is set at the fees paid or payable in the 12 months preceding the cause of action giving rise to the liability, provided that the cap for the first year is at least $1,000,000.
  
  This means that the cap for the first year will be significantly greater than the cap for subsequent years, given that the Cloud Agreement can only currently be used for low-risk ICT procurements with a value of less than $500,000 (ex GST). Buyers should assess on a case by case basis whether, on balance, the cap is acceptable to the relevant procurement.

• Security breach cap
  The liability cap for a security breach is set at two times the fees paid or payable in the 12 months preceding the cause of action giving rise to the liability, provided that the cap for the first year is at least $2,000,000.
  
  Again, Buyers should assess on a case by case basis whether, on balance, the cap is acceptable or whether, depending on the sensitivity of the data involved, a ‘security breach’ ought to be treated as more akin to confidentiality or privacy breaches. The latter breaches are uncapped under the Cloud Agreement. 

• Capturing detailed requirements for cloud services
  While most of the detailed requirements can be set out, on or linked to, the nsw.buy site under the new operating model, Buyers will need to ensure that any specific requirements are documented and attached to the Cloud Agreement.

What you need to know

In line with the NSW Data Centre Reform Strategy circular, the demand for cloud-based services will only increase as NSW Government agencies move from ‘on-premise and leased’ infrastructure to cloud-based services. While the Cloud Agreement provides Buyers with a simpler, streamlined and user-friendly approach to engage Sellers, Buyers will still need to undertake a careful risk assessment of the particular cloud procurement and exercise caution when using the Cloud Agreement in place of the Procure IT Framework.

For further information on any of the issues raised in this alert, please contact our team below.

References: [1] https://www.digital.nsw.gov.au/policy/buying-ict/cloud-guidance-and-policy. The contract value refers to the total price of the whole-of-life requirement and cannot be split into lower-price components.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.