This repository was archived by the owner on May 24, 2024. It is now read-only.
8 changes: 4 additions & 4 deletions Domain 3- Legal Issues, Contracts and Electronic Discovery.md
Expand Up @@ -26,7 +26,7 @@ For example, in the Asia Pacific region, Japan, Australia, New Zealand, and many

In Japan, the Personal Information Protection Act requires the private sectors to protect personal information and data securely. There are also sectoral laws. For example inn the healthcare industry, profession-specific laws, such as the Medical Practitioners' Act, the Act on Public Health Nurses, Midwives and Nurses, and the Pharmacist Act, require registered health professionals to maintain the confidentiality of patient information.

]In Australia, two key laws provide protection to consumers when using cloud services; The Privacy Act 1988 (Privacy Act), and Australian Consumer Law (ACL). The Privacy Act addresses how personal information must be handled to ensure protection of information or opinion about an individual and that it cannot be linked from the data to the person. ACL protect consumers from false or misleading contracts and poor conduct from providers. The Privacy Act can apply for Australian customers, even if the cloud service provider is based overseas and other laws are stated in a contract.
In Australia, two key laws provide protection to consumers when using cloud services; The Privacy Act 1988 (Privacy Act), and Australian Consumer Law (ACL). The Privacy Act addresses how personal information must be handled to ensure protection of information or opinion about an individual and that it cannot be linked from the data to the person. ACL protect consumers from false or misleading contracts and poor conduct from providers. The Privacy Act can apply for Australian customers, even if the cloud service provider is based overseas and other laws are stated in a contract.

In the European Economic Area (EEA), historically, the data protection requirements have been set out in two major EU Directives (a type of EU law that member states are required to implement in their own laws): the 1995 European Union (EU) Data Protection Directive, and the 2002 ePrivacy Directive (as amended in 2009) - that each EU/EEA Member State was required to transpose into its own national laws. These directives include a security component, and the obligation to provide adequate security must be passed down to subcontractors. Other countries that have close ties with the EEA, such as Morocco and Tunisia in Africa, Israel and the United Arab Emirates in the Middle East have also adopted similar laws that follow the same principles.

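Review bot: dropping the stray `]` is right, but the replacement line in this hunk keeps two grammar problems that are worth fixing in the same commit: "two key laws provide protection to consumers when using cloud services; The Privacy Act 1988 (Privacy Act), and Australian Consumer Law (ACL)" should introduce the list with a colon and a lowercase "the" rather than a semicolon and "The", and "ACL protect consumers" needs "The ACL protects consumers". The unchanged context line just above also still reads "For example inn the healthcare industry"; since the file is already being touched for typos, "in the healthcare industry" could go in here too.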
Expand Down Expand Up @@ -82,7 +82,7 @@ In addition, the legal, regulatory, and technical landscape in which any company

#### External Due Diligence

Before entering into any contract, a critical part of due diligence must The conduct of due diligence always requires the examination of be to request and review all relevant aspects of the operations of the other party, in this case, that of the proposed cloud provider or vendor. A purchaser of cloud services needs to ensure that it understands the particular application or service it is contemplating to acquire. The extent of the due diligence and the time invested in it will depend upon the circumstances. The process may take a day, a week or a month depending on the specific needs of the customer, the nature of the data to be processed, the sensitivity and intensity of the processing, and other factors that would make a particular operation “routine” or “highly sensitive.
Before entering into any contract, due diligence must be conducted over the cloud service and provider. The conduct of due diligence always requires the request and review of all relevant aspects of the operations of the other party, in this case, that of the proposed cloud provider or vendor. A purchaser of cloud services needs to ensure that it understands the particular application or service it is contemplating to acquire. The extent of the due diligence and the time invested in it will depend upon the circumstances. The process may take a day, a week or a month depending on the specific needs of the customer, the nature of the data to be processed, the sensitivity and intensity of the processing, and other factors that would make a particular operation “routine” (low risk) or “highly sensitive" (high risk).

Thus, depending on the nature of the proposed project, the due diligence may involve evaluating the nature and completeness of the services provided, the reputation for quality or stability of the service, the availability of a certain level of support or maintenance, the responsiveness of customer service, the speed of the network, or the location of the data centers. Interviewing customers might provide valuable insight. Reviewing reports of litigation filed against the cloud providers might be eye-opening. Checking references and conducting online searches to evaluate the vendor’s reputation might be extremely valuable, as well.

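Review bot: the rewritten sentence ends with mismatched quotation marks, `“routine” (low risk) or “highly sensitive" (high risk)`, where the second term opens with a curly quote and closes with a straight one; it should be `“highly sensitive” (high risk)`. Two smaller wording points in the same line: "due diligence must be conducted over the cloud service and provider" reads more naturally as "on the cloud service and its provider", and the sentence that follows ("The conduct of due diligence always requires the request and review of ...") now restates the first sentence, so the two could be merged into one: "Before entering into any contract, due diligence must be conducted on the cloud service and its provider, which always requires requesting and reviewing all relevant aspects of the other party's operations."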
Expand All @@ -106,7 +106,7 @@ Reviewing all terms and conditions of the cloud services agreement (including al

Cloud contracts are intended to accurately describe the understanding of the parties. Numerous precautions and measures can be taken by the parties to reduce their exposure to legal, commercial, and reputational risk in connection with the use of cloud services.

The proposed contact should always be reviewed carefully, even if one is told that it is not negotiable. First, it might actually be possible to negotiate changes. Even if it is not possible to do so, each purchaser of cloud services should understand the consequences and implications of the engagement it is making. A contract that cannot be negotiated is likely to lack some of the protections that the typical customer would need. In this case, the customer should balance the risks from foregoing these protections against the promised benefits.
The proposed contract should always be reviewed carefully, even if one is told that it is not negotiable. First, it might actually be possible to negotiate changes. Even if it is not possible to do so, each purchaser of cloud services should understand the consequences and implications of the engagement it is making. A contract that cannot be negotiated is likely to lack some of the protections that the typical customer would need. In this case, the customer should balance the risks from foregoing these protections against the promised benefits.

#### Reliance on Third-Party Audits and Attestations

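Review bot: "contact" to "contract" is the right fix, but the same paragraph still uses "foregoing these protections" where "forgoing" (giving up) is meant; "foregoing" means "preceding". Suggest "the risks from forgoing these protections against the promised benefits" so the paragraph is clean after this pass.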
Expand Down Expand Up @@ -217,4 +217,4 @@ For more reading on discovery and electronically stored information, there are a
* Cloud customers must understand the legal implications of where the cloud provider physically operates and stores information.
* In many cases, a cloud customer can choose where to host their data in order to comply with jurisdictional requirements.
* Cloud customers and providers should have a clear understanding of the legal and technical requirements to meet any electronic discovery requests.
* Cloud customers should understand that click-through legal agreements to use a cloud service do not obviate any requirements for performing appropriate due diligence.
* Cloud customers should understand that click-through legal agreements to use a cloud service do not obviate any requirements for performing appropriate due diligence.
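Review bot: the removed and added lines in this hunk are textually identical, so the only change is presumably a trailing newline or whitespace at the end of the file. That is fine to keep (a file ending without a newline shows up in every later diff), but it would help reviewers if the commit message said so, since the rendered diff gives no visible reason for the change.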