Cloud Computing Committee notes

Benefits of using cloud computing for management of public records. (Limited to positives – simple bullet points) (Angie)

  1. cost savings
  2. Potentially quicker deployment time (depending upon the service you are seeking)
  3. Ability of agency staff to focus on other mission critical tasks
  4. Remote access from anywhere, anytime
  5. Potential increase in productivity
  6. Access to lower cost applications/services with improved functionality that might not have been accessible, particularly for smaller agencies. (take advantage of economies of scales.)

DRAFT Down side of using cloud computing for management of public records. (Limited to negatives – simple bullet points) (Dan N.)

Cloud computing is not equivalent to being free and openly available on the Internet. Cloud computing is just an “exotic” way of saying networked computing. While typically cloud computing solutions are part of the freely accessible Internet, they may also be private clouds that are closed to the rest of the world. There are records management implications either way for public sector agencies.

  • “Click Through”: The Terms of Service–ToS or colloquially referred to as “click through”–is in reality a contract between the cloud service provider and the user, one in which the majority of the time the use has no means to negotiate the terms of the agreement. Nor do they have a record copy of the agreement. Three additional administrative concerns regarding ToS are:
    • Since the ToS is contractual in nature, an agency has to determine who has the authority within the agency to enter into contracts.
    • Many ToS have an “Indemnification/Hold Harmless clause.” Agencies that are an instrumentality of the State of Ohio can not indemnify or “hold harmless” the other party in a contract.
    • Many ToS specify a “Choice of Law/Governing Law/Jurisdiction/Venue” that is beneficial to the provider and is likely specified as teh location in which the provider resides. Any provision that calls for an Ohio public sector agency to submit to any jurisdiction other than the Ohio Court of Claims must be deleted. All contracts should be governed by Ohio law.
  • Access to Public Records: http://codes.ohio.gov/orc/149.43 requires “Upon request…all public records responsive to the request shall be promptly prepared and made available for inspection to any person at all reasonable times during regular business hours.” Ohio public agencies need to consider the following potential implications of utilizing cloud computing if the cloud computing platform is the only repository for a an agencies records or a particular group of records:
    • What if the provider has a catastrophic disaster from which it cannot recover your records?
    • What happens if the provider has a “beef” with the agency and shuts off access?
    • What if the providers servers or back-up severs are “off shore”?
  • Disposition: What provisions does your cloud service platform provide to dispose of records whose lifecycles have expired? And similarly does the provider have a mechanism to affect a legal hold on records if necessary?
  1. May be more difficult to inventory data, apps, and services in the cloud if data are not centralized (and housed in multiple providers.)
  2. Internal staff overseeing data/files may take ownership of apps, data, files, services and thus take better care of these resources than an external vendor who is less motivated.
  3. May be decreased tech support response time when relying on an external vendor. The converse could be true in an agency where IT resources are limited and/or overtaxed.
  4. May have to conform to standards, and do less customization to realize cost savings.

Stakeholders

  1. Information technology staff/management
  2. Legal/Records Management

Questions to consider when making the decision to use cloud computing to manage public records(Angie)

  • Will the documents, applications or databases contain sensitive information?
  • Are there policy requirements that the data reside inside the United States? Inside Ohio?
  • Are there security requirements for maintaining/protecting the information? Are these something your organization can do? Or would it be more cost-effective to contract this out? What guarantees are there in the cloud provider’s agreement that s/he can comply with these requirements? What protections does your organization have if they do not?
  • How long does your record retention schedule require the data/documents to be retained? Can the cloud provider meet these requirements?
  • Situations where cloud computing might work for managing public records)
  • Situations where cloud computing might not work for managing public records)

Considerations for implementation (if you decide to do it): (Angie)

Considerations for elected officials, administrators, and front line staff.

Setting things up

1. How to break down functional requirements. (To consider when purchasing services)

  • What is being hosted? (e-mail, google docs)
  • Long-term access
  • What kinds of data/documents will be out there?
  • How will they be stored?

2. select a vendor that meets functional requirements.

  • Where will records be stored? (e.g. China?)
  • Where are all the backups? (e-discovery)
  • What if it is hacked?
  • What if a server fails?
  • What are service response times in service level agreements?
  • What is the scale, scope and capability of the vendor? Are they on financially sound footing to be around for a long time?
  • What is the provider’s disaster recovery plan?

3. Contractual relationships with cloud computing – refer to considerations in social media. Social networking is a subset of cloud computing. (Questions to ask when setting up a contract?)

  • Jurisdictional issues? If legal questions – affects how legal department would proceed.
  • Privacy regulations can differ between jurisdictions. (e.g. between U.S and EU countries, privacy/encryption requirements may differ.)
  • Laws can differ from state to state, e.g. behavioral health data, and/or country to country. Subject to most stringent law. E.g. Ohio law is more stringent than HIPAA.

4. How to limit liability for cloud computing. (Larger than just contractual relationship.) (Spell out what we mean by this and outline the issues we need to think through regarding liability.)

5. Does your organization have sufficient bandwidth to take advantage of the cloud?

  • Ongoing maintenance
  • Centralized tracking of public records when there are multiple vendors.
  • Disposition