Skip to content

  • Home
  • COVID-19 Guide
  • COVID-19 AV library
  • Client results
  • Expertise
  • News & Insights
  • People
  • Our DNA
  • Inclusion and Diversity
  • Join us
  • Contact Us
Home / NEWS & INSIGHTS / Insight / NSW Government’s new cloud contracting framework
Insight 17 September 2019

NSW Government’s new cloud contracting framework

Cloud-based services refer to the on-demand delivery of information and communications technology (ICT) services over a network from a shared pool of computing resources. These types of services are attractive to NSW Government agencies as they involve acquiring services on a “pay as you go” basis instead of buying internal IT resources which can be costly.

Given the shift to cloud-based services, the Department of Customer Service (formerly known as the Department of Finance, Services and Innovation) has released a draft short form agreement for the procurement of cloud-based services (Cloud Agreement).

The Cloud Agreement is designed to work in conjunction with buy.nsw – a government marketplace that connects NSW Government agencies (Buyers) with external providers for services (Sellers). It aims to provide a clear, streamlined and user-friendly approach to contracting that meets the needs of Buyers procuring services in a fast-paced and ever-changing digital environment.

The Cloud Agreement is currently available for use by Buyers on a pilot basis for low-risk ICT procurements with a value of less than $500,000 (ex GST).[1] Buyers may choose between the Procure IT Framework or the Cloud Agreement depending on their own procurement needs and risks.

Frequently Asked Questions
Questions Answers
Can I use this Cloud Agreement?  Yes – the Cloud Agreement can be used for low-risk ICT procurements with a value of less than $500,000 (ex GST). However, the Buyers ought to carry out its own risk assessment of the particular procurement when deciding whether to use the Cloud Agreement, including having regard to the associated issues identified below.
Can I procure cloud services using the Cloud Agreement? Yes.
Can I procure professional and consulting services using the Cloud Agreement? No – Buyers will need to procure these services under the Procure IT Framework (e.g. Procure IT 3.2 or Core& Agreement as amended from time to time).
Can I vary the terms of the Cloud Agreement? Yes – it is intended that changes may be made to the Cloud Agreement via a process to be set out in the relevant Procurement Board Direction.
Can the Seller attach its own ‘Seller Terms’ to the Cloud Agreement? Yes – a Seller can attach additional terms to the Cloud Agreement provided that those terms do not change the legal outcomes under the Cloud Agreement, or change the agreed requirements. On a practical level, Buyers ought to carefully review ‘Seller Terms’ and any third party software pass-through terms before attaching them to the Cloud Agreement.
Some key issues for Buyers to be aware of when using the Cloud Agreement
  • Managing the “Selected Region”
    Under the Cloud Agreement, the default region for the storage and management of the Buyer’s data is Australia. However, there is scope for parties to agree to a foreign region. This may have the potential to materially increase the risk profile of the cloud service being procured.

    ‘Data sovereignty’ and the issues associated with transferring data outside of Australia must be carefully considered by Buyers as they may find themselves inadvertently governed by the laws of a foreign country e.g. under US law, the US Government has avenues to request access to data held in the US.
  • Security requirements to manage data
    Sellers are required to implement and maintain security controls in accordance with industry standards to store and manage the Buyer’s data.

    The Cloud Agreement does not, however, address data breach remediation and notification requirements; for example, when it comes to controlling and deciding whether the Privacy Commissioner and/or affected individuals need to be notified of a data breach. Buyers ought to consider if additional security requirements are needed to address data breach issues.
  • Indemnities
    Under the Cloud Agreement, the Buyer indemnifies the Seller against any loss or damage from a breach of a third party’s intellectual property rights in connection with the Buyer’s use of the cloud service. This position is markedly different from the current position under the Procure IT Framework – that being that Buyers are not allowed to give indemnities to a Seller.

    The move away from the standard Procurement Board Direction recognises that, under a cloud service, Buyers are operating in the Seller’s environment and any third party indemnity will relate to risks that the Seller will generally have no control over. Nonetheless, this position needs careful consideration in the context of the particular cloud service being procured.
  • General liability cap
    The general liability cap under the Cloud Agreement is set at the fees paid or payable in the 12 months preceding the cause of action giving rise to the liability, provided that the cap for the first year is at least $1,000,000.

    This means that the cap for the first year will be significantly greater than the cap for subsequent years, given that the Cloud Agreement can only currently be used for low-risk ICT procurements with a value of less than $500,000 (ex GST). Buyers should assess on a case by case basis whether, on balance, the cap is acceptable to the relevant procurement.
  • Security breach cap
    The liability cap for a security breach is set at two times the fees paid or payable in the 12 months preceding the cause of action giving rise to the liability, provided that the cap for the first year is at least $2,000,000.

    Again, Buyers should assess on a case by case basis whether, on balance, the cap is acceptable or whether, depending on the sensitivity of the data involved, a ‘security breach’ ought to be treated as more akin to confidentiality or privacy breaches. The latter breaches are uncapped under the Cloud Agreement. 
  • Capturing detailed requirements for cloud services
    While most of the detailed requirements can be set out, on or linked to, the nsw.buy site under the new operating model, Buyers will need to ensure that any specific requirements are documented and attached to the Cloud Agreement.
What you need to know

In line with the NSW Data Centre Reform Strategy circular, the demand for cloud-based services will only increase as NSW Government agencies move from ‘on-premise and leased’ infrastructure to cloud-based services. While the Cloud Agreement provides Buyers with a simpler, streamlined and user-friendly approach to engage Sellers, Buyers will still need to undertake a careful risk assessment of the particular cloud procurement and exercise caution when using the Cloud Agreement in place of the Procure IT Framework.

For further information on any of the issues raised in this alert, please contact our team below.


References: [1] https://www.digital.nsw.gov.au/policy/buying-ict/cloud-guidance-and-policy. The contract value refers to the total price of the whole-of-life requirement and cannot be split into lower-price components.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

About the authors

  • Matthew McMillan

    Partner

Donna Lin
Lawyer

In other news

FIRB Reforms Article Series – Part 2: Family Arrangements

30 July 2020Insight

Are loan books next on the block for Australia?

29 July 2020Insight

Unlicensed parties beware – Head contractor exemption to be removed from QBCC Act

28 July 2020Insight

FIRB Reforms Article Series – Part 1: National Security Businesses

23 July 2020Insight

VIEW ALL NEWS & INSIGHTS

BRISBANE

Level 11, 66 Eagle Street
Brisbane QLD 4000
GPO Box 1855
Brisbane QLD 4001
Tel +61 7 3233 8888
Fax +61 7 3229 9949

 

GET IN TOUCH

    Contact form

    We handle your personal information in accordance with our privacy policy.

    sydney

    Level 32, MLC Centre
    19 Martin Place
    Sydney NSW 2000
    GPO Box 462
    Sydney NSW 2001

    Tel +61 2 8241 5600
    Fax +61 2 8241 5699

     

    GET IN TOUCH

      Contact form


      We handle your personal information in accordance with our privacy policy.

      melbourne

      Level 27, 101 Collins Street
      Melbourne VIC 3000
      GPO Box 2924
      Melbourne VIC 3001

      Tel +61 3 9067 3100
      Fax +61 3 9067 3199

       

      GET IN TOUCH

        Contact form

        We handle your personal information in accordance with our privacy policy.

        follow us

        CLIENT LOGIN

        newcastle

        Level 2, 16 Telford Street
        Newcastle NSW 2300
        PO Box 394
        Newcastle NSW 2300

        Tel +61 2 4914 6900
        Fax +61 2 4914 6999

         

        GET IN TOUCH

          Contact form


          We handle your personal information in accordance with our privacy policy.

          canberra

          Level 9, 2 Phillip Law Street
          Canberra ACT 2601

          Tel +61 2 6243 3699
          Fax +61 2 8241 5699

           

          GET IN TOUCH

            Contact form


            We handle your personal information in accordance with our privacy policy.

            © 2017 McCullough Robertson. Site map Disclaimer Privacy Policy Credit Reporting Policy

            X