Most agencies these days have a “cloud first” policy, resulting in the migration of mission critical applications and data to the cloud. Many of these applications manage sensitive information such as Personally Identifiable Information (PII) and Protected Health Information (PHI).
When an agency decides to procure a cloud-based solution, they are essentially taking their data and handing it over to a third party. With an application in the cloud, you could have your data being accessed by the Cloud Service Provider (CSP), in order to deliver support services, as well as the application vendor. After this happens, who owns that data? Who is allowed to use it? And for what purpose?
It is best to explicitly include data ownership and acceptable use clauses in your solicitation documents to leave no room for confusion or doubt.
Click for Procurement Examples.
Let’s start by defining some key terms:
Data Ownership – specifies the owner of the data including all intellectual property rights.
Acceptable Use – defines who can use the data and for what purposes. Often this includes permitted and not permitted uses.
Sample data ownership and acceptable use clauses from 5 CSPs
Below are the data ownership and acceptable use clauses from five CSPs. As you will see, each cloud vendor addresses the issue differently. Some language is balanced, protecting the interests of the CSP and the Organization. Others are skewed to primarily protect the interests of the CSP.
The table below summarizes which CSPs define data ownership and acceptable use in their standard agreement.
Microsoft Azure: Microsoft Online Subscription Agreement – US Government Cloud
Last updated: January 2019
1. Use of Online Services.
1.d. Customer Data. You are solely responsible for the content of all Customer Data. You will secure and maintain all rights in Customer Data necessary for us to provide the Online Services to you without violating the rights of any third party or otherwise obligating Microsoft to you or to any third party. Microsoft does not and will not assume any obligations with respect to Customer Data or to your use of the Product other than as expressly set forth in this agreement or as required by applicable law.
Amazon Web Services (AWS): AWS Customer Agreement
Last updated: April 30, 2019
3. Security and Data Privacy.
3.1 AWS Security. Without limiting Section 10 or your obligations under Section 4.2, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.
3.3 Service Attributes. To provide billing and administration services, we may process Service Attributes in the AWS region(s) where you use the Service Offerings and the AWS regions in the United States. To provide you with support services initiated by you and investigate fraud, abuse or violations of this Agreement, we may process Service Attributes where we maintain our support and investigation personnel.
Google Cloud: Google Cloud Platform Terms of Service
Last modified: November 2, 2018
5. Intellectual Property Rights; Use of Customer Data; Feedback; Benchmarking.
5.1 Intellectual Property Rights. Except as expressly set forth in this Agreement, this Agreement does not grant either party any rights, implied or otherwise, to the other’s content or any of the other’s intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data and the Application or Project (if applicable), and Google owns all Intellectual Property Rights in the Services and Software.
5.2 Use of Customer Data. Google will not access or use Customer Data, except as necessary to provide the Services and Technical Support Service (TSS) to Customer.
IBM: Cloud Services Agreement
Last updated: October 2018
2. Content and Data Protection.
2.a. Content consists of all data, software, and information that Client or its authorized users provides, authorizes access to, or inputs to the Cloud Service. Use of the Cloud Service will not affect Client’s ownership or license rights in such Content. IBM, its affiliates, and contractors of either, may access and use the Content solely for the purpose of providing and managing the Cloud Service. IBM will treat all Content as confidential by not disclosing Content except to IBM employees and contractors and only to the extent necessary to deliver the Cloud Service.
Oracle: Oracle Cloud Services Agreement
Last updated: April 1, 2019
3. OWNERSHIP RIGHTS AND RESTRICTIONS.
3.1 You or Your licensors retain all ownership and intellectual property rights in and to Your Content (as defined below). We or our licensors retain all ownership and intellectual property rights in and to the Services, derivative works thereof, and anything developed or delivered by or on behalf of us under this Agreement.
3.2 You may have access to Third Party Content through use of the Services. Unless otherwise stated in Your order, all ownership and intellectual property rights in and to Third Party Content and the use of such content is governed by separate third party terms between You and the third party.
3.3 You grant us the right to host, use, process, display and transmit Your Content to provide the Services pursuant to and in accordance with this Agreement and Your order. You have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of Your Content, and for obtaining all rights related to Your Content required by Oracle to perform the Services.
19.6 “Your Content” means all software, data (including Personal Data), text, images, audio, video, photographs, non-Oracle or third party applications, and other content and material, in any format, provided by You or any of Your Users that is stored in, or run on or through, the Services. Services under this Agreement, Oracle Software, other Oracle products and services, and Oracle intellectual property, and all derivative worksthereof, do not fall within the meaning of the term “Your Content.” Your Content includes any Third Party Content that is brought by You into the Services by Your use of the Services or any Oracle-provided tools.
Here’s an example to consider for your procurement document:
Define “Organization Data”
“Organization Data” is all data entered in to the Awarded Vendor-supplied solution, either by clients, employers, local users, agency staff, or other business partners.
Organization retains all ownership and intellectual property rights in and to “Organization Data.”
Specify Acceptable Use
Awarded Vendor and its subcontractors will not access or use Organization Data, except as necessary to provide the Services and Technical Support Services to the Organization. Organization Data may not be released to other parties, including in aggregate form, without the express written permission of the Organization. Organization Data in Awarded Vendor’s custody will never be used, under any circumstances, for any purposes other than those agreed to in the contract.
Define Requirements Upon Termination
At the time of termination of this Contract for any purposes, all Organization Data must be provided to the Organization in an acceptable electronic form and none of the Organization Data may remain on the Awarded Vendor’s system, after such event.
The matter of data ownership and acceptable use is a complex issue that is further complicated in the cloud. Signing a contract with a CSP that doesn’t adequately address these issues increases organizational risk.
Therefore, don’t leave this critical matter undefined. Be sure to include data ownership and acceptable use clauses in your solicitation documents and involve your organization’s intellectual property attorneys to tailor your procurement clauses. After all, it’s your data.