G-Cloud: What are the legal risks of Whitehall's cost-cutting plan?

Cloud computing and shared services produce all sorts of complications

Cloud computing is all the rage - but what are the legal issues you should consider before jumping on the bandwagon? Lawyers Andrew Dyson and Mark O'Conor investigate.

You can't fail to have noticed the emergence of cloud computing as a tech buzzword. It's all over the press and market analysts can't stop talking about it.

With regard to shared services, a recent report from consultancy Deloitte went as far as to suggest that, at a local governmental level: "Given the threat to existing levels of public funding there is now a strong case for making the adoption of shared services for certain back-office functions mandatory."

It therefore doesn't come as a surprise to find cloud computing and shared services at the core of the government's new IT strategy. Recently announced by the Cabinet Office, this plan aims to save £3.2bn per year by 2014 and create a "smarter, cheaper and greener" public sector. It highlights the need for greater centralisation and a sharing of resources among different government departments.

While aiming to introduce operational improvements and cost-saving measures, this strategy also raises significant legal challenges, particularly around cloud computing and shared services, both at a senior and local level.

The overriding concern with cloud computing seems to surround data. Government departments will be concerned with ironing out where their data will be held, who else has access to it, what other data might be stored with it in some sort of virtualised or partitioned server; as well as establishing air-tight contracts for good service levels, support and disaster recovery.

This is especially true in the case of personal data and cross-border transfers. The EU Data Protection Directive requires that personal data is not transferred to a country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects. It is therefore necessary to have a clear understanding of where data is physically located and ensure that approved mechanisms, such as the EU model contracts, are put in place.

Suppliers also readily admit they are still working out how to price virtualised and cloud offerings and this is reflected in the variety of contractual terms on offer. Vested interests are seeking to bring order to the chaos with, for example, the work of the Cabinet Office and other bodies to establish the G-Cloud, apps store and consolidated datacentres.

However from a contractual perspective there is no one-size-fits-all. A number of providers are emulating their previous ASP and SaaS terms but often these feature service provision on an 'as is' basis, leading to insufficient data security provisions and limited remedies for breach of obligation.

From a shared services perspective, the government IT strategy places a heavy focus on the need to embrace a new approach to service delivery. Commissioning managers will be expected to look beyond the immediate interests of the public body they support and form innovative partnerships within the wider government family when planning future requirements.

These partnerships, which may involve shared service delivery centres, joint purchasing arrangements or teams of pooled resource, will drive greater standardisation of services across organisational boundaries delivering long term efficiency savings and lower cost service.

There are a range of legal issues that need to be managed effectively when implementing shared service outcomes:

• Public bodies, such as local authorities, which are governed by statute, will need to ensure they have requisite legal powers to deliver services which may take them beyond traditional functional boundaries.
• If a number of public bodies are co-operating closely it may make sense to establish a separate legal entity to deliver the service. There are a range of 'joint venture' structures which can be deployed. For example, NHS Shared Business Services (NHS SBS), the joint venture between the Department of Health and Steria, is already providing finance and accounting services to 25 per cent of NHS trusts.
• Senior managers will need to bear in mind the EC procurement rules if private sector suppliers will support the shared service. Work must be awarded following an advertised competition. This will require careful planning to fully define and articulate the overall purchasing and supply model at the outset of the award process. Because of constraints under the procurement rules there will be limited opportunity to change commercial models during or after any contract award.
• In order to guarantee the long-term success of any strategy, it is key to define specific goals and responsibilities among all partners who will work together. Ideally, these should be documented in contractual 'service level' agreements. In contrast to the private sector, public bodies are unfamiliar with this approach and the need to be focused on signing up to hard responsibilities. Early consensus on intra-government commercial arrangements will be key to ensuring overall success and avoiding the risk of unexpected conflict or confusion.

Although challenging, these issues can most certainly be overcome. The different branches of government will need to welcome these new concepts of cloud computing and shared services in an effort to achieve economic savings.

Andrew Dyson and Mark O'Conor are partners in the intellectual property and technology group at law firm DLA Piper.