Channel: Publications – Arthur Cox

New Sectoral Employment Orders for the Construction and Electrical Contracting Sectors

Authors: Seamus Given, John Casey and Niamh Fennelly. 

Click here to view the briefing in PDF format.

Two new Sectoral Employment Orders (“SEOs”) came into force this autumn. To help employers understand what this means for them, we first recap the basics of SEOs generally and then summarise the key contents of the two recent SEOs.

What are the important points to remember about SEOs?

  • SEOs are Orders made by the Minister for Business, Enterprise and Innovation, on the recommendation of the Labour Court, and approved by both Houses of the Oireachtas, which set out the minimum rates of remuneration and the minimum pension and sick pay entitlements of workers of a particular class, type or group within a specified economic sector.
  • SEOs are unusual in Irish industrial relations because they apply to employees and employers who were not involved in their formulation at any stage. SEOs will apply to every worker of the class, type or group in the economic sector to which they are expressed to apply, and to their employers.
  • If the contract of employment of an SEO worker provides for a lower rate of remuneration or less beneficial sick pay or pension entitlements than those in the SEO, the more favourable SEO provisions will be substituted in place of the inferior provisions in the contract of employment.
  • If an employer fails to comply with an SEO’s terms, an employee may bring a complaint to the Workplace Relations Commission (with an appeal to the Labour Court) and be awarded up to 2 years’ remuneration, together with an order directing the employer to comply with its obligations.
  • Employers must not penalise an employee for relying on his/her SEO rights.
  • An employer to whom an SEO applies must keep employment records at the place of work to show compliance with the SEO for at least three years from the date of making those records. Failure to do so is a criminal offence.

The Sectoral Employment Order (Construction Sector) 2019 (the “Construction SEO”)

When did it enter force? 1 October 2019.
Does it replace a previous SEO? Yes, the 2017 Construction SEO.
Who does it apply to? General construction sector employees, specifically craft persons, construction operatives and apprentices.
The definition of the construction sector is exceptionally broad and any employer who is unsure whether the SEO applies to them should consult the SEO for its full scope or seek tailored legal advice. The SEO’s scope includes the construction and demolition of buildings, clearing of sites, laying of foundations/sewers/drains, construction of boundary walls/paths/railings/fences, stone work and ground levelling.
What minimum rates of pay are set? Two hourly rates are set for each category: the first applies from 1 October 2019 to 30 September 2020, the second from 1 October 2020.
  • Craft persons, including brick or stone layers, carpenters, joiners, glaziers, plasterers, painters and others: €19.44; €19.96.
  • Category A workers, including scaffolders with a scaffolding card and four years’ experience, banks operatives, steel fixers, crane drivers and heavy machine operators: €18.86; €19.37.
  • Category B workers (skilled general operatives who have worked in the sector for more than 2 years): €17.50; €17.97.
  • Apprentices: one third of the craft rate in their first year, with specified increases year on year until qualification (in both periods).
  • New entrant operative workers who are over 17 and entering the sector for the first time (the rate continues to apply for the first two years after entering the sector): €14.14; €14.52.
What normal working week is set?
  • Hours per week: 39.
  • Days per week: Monday to Friday.
  • Hours per day: four days of eight consecutive hours between 7am and 5pm, Monday to Thursday, and seven consecutive hours between 7am and 4pm on Fridays.
  • Overtime: time and a half or double time must be paid for hours worked outside the normal weekly working hours set out above. Which rate applies depends on the day and the time of day the overtime hours are worked.
What are the pension and sick pay requirements? Detailed provisions are included in relation to pensions. For example, pension schemes must have terms no less favourable than those of the Construction Workers Pension Scheme and must provide entry to anyone over 18.
Employers must pay a minimum pension contribution of €27.35 per week and a minimum death in service contribution of €1.14 per week. Provisions in relation to sick pay are also included: employers must operate a sick pay scheme on terms no less favourable than those of the Construction Workers Sick Pay Scheme.
Does it cover dispute resolution? Provisions are included in relation to individual and collective dispute resolution.

The Sectoral Employment Order (Electrical Contracting Sector) 2019 (the “Electrical Contracting SEO”)

When did it enter force? 1 September 2019. Two critical aspects of the SEO, its pension and sick pay provisions, have not yet entered force: they are stayed pending the outcome of a High Court case brought by National Electrical Contractors Ireland (“NECI”).
Does it replace a previous SEO? No, this is the first SEO in the sector.
Who does it apply to? Qualified electricians and registered apprentice electricians.
What minimum rates of pay are set? Hourly rates from 1 September 2019:
  • Newly qualified electricians: €23.49.
  • Qualified electricians from their third year of employment: €23.96.
  • Qualified electricians from their sixth year of employment: €24.34.
  • Apprentice electricians: €7.05, with specified increases year on year until qualification.
What normal working week is set?
  • Hours per week: 39.
  • Days per week: Monday to Friday.
  • Hours per day: four days of eight consecutive hours between 7am and 5pm, Monday to Thursday, and seven consecutive hours between 7am and 4pm on Fridays.
  • Overtime: time and a half or double time must be paid for hours worked outside the normal weekly working hours set out above.
  • Unsociable hours: for specific projects where the hours vary from the normal daily working hours, rates of time plus one quarter and time plus one third apply, depending on the day and the time of day the hours are worked.
What are the pension and sick pay requirements? As with the Construction SEO, detailed provisions are included in relation to pension and sick pay schemes. These provisions are stayed pending the outcome of a High Court case in which NECI seeks to have the SEO struck out entirely. If NECI is unsuccessful, contributions will be backdated to 1 September 2019, the date on which the rest of the SEO came into force. See below for further detail on the High Court challenge.
Does it cover dispute resolution? Provisions are included in relation to individual and collective dispute resolution.

High Court Challenge to the Electrical Contracting SEO

An application by one of several electrical contractor employer bodies, National Electrical Contractors Ireland (NECI), for a stay on the Electrical Contracting SEO was partially accepted by the High Court, in relation to the pension and sick pay contributions aspects of the SEO.

NECI is seeking a declaration that the Labour Court breached its duties in making a recommendation to the Minister for Business, Enterprise and Innovation to register the SEO, including the duty to act with constitutional propriety and natural justice and the duty to provide clear reasons for its decisions. NECI also seeks a declaration that the examination of the sector by the Labour Court was ‘ultra vires’ and that the SEO breaches the personal rights of NECI members. The injunction application had sought a stay on the implementation of the entire SEO, until the full hearing of the case.

The High Court held that, while the balance of convenience lay in implementing the other terms of the SEO (including the 2.7% pay increase and other legally binding minimum conditions on working time and dispute procedures), the balance of convenience in relation to the pension, sick pay and death in service contribution was in granting the stay. The stay only applies pending the outcome of the substantive case, for which a hearing date has yet to be set.

Advice to employers

All employers captured by the two SEOs must comply or accept the risk of the civil and criminal actions that may follow.

If an employer believes that it could fall within one of the exemptions, which are subject to strict statutory controls, the employer should take steps to begin the necessary application to the Labour Court to secure the exemption.

Employers in the electrical contracting sector should carefully monitor the outcome of the NECI High Court case and reassess the position thereafter.

The post New Sectoral Employment Orders for the Construction and Electrical Contracting Sectors appeared first on Arthur Cox.


Health & Safety Group Seminar Series, November 2019

The Arthur Cox Health & Safety Group recently held their annual seminar series, which took place on the 7th and 28th November 2019. You can access the key takeaways from those seminars by clicking on the links below.

Seminar One: Thursday, 7 November

Topics:

  • Whose workplace is it anyway? Safety of employees working on and off site. Please click here to view key takeaways.
  • Health and Safety Compliance: When things go wrong, could you be personally liable? Please click here to view key takeaways.

Seminar Two: Thursday, 28 November

Topics:

  • Health and Safety and your employees: Please click here to view key takeaways.
    • Managing requests to work beyond retirement age.
    • Exposure to stress at work.
  • Overview of recent developments in Health and Safety. Please click here to view key takeaways.

The post Health & Safety Group Seminar Series, November 2019 appeared first on Arthur Cox.

Investment Funds Legal and Regulatory Update December 2019

Welcome to the latest edition of our Asset Management and Investment Funds Legal and Regulatory Update.

This issue includes updates on managing fund liquidity, the Central Bank’s supervisory priorities for funds as well as its updated guidance on enforcement actions and some recent ESMA Q&A updates.

If you would like to discuss any of the topics covered, please feel free to contact a member of our team.

Read the update here.

The post Investment Funds Legal and Regulatory Update December 2019 appeared first on Arthur Cox.

GDPR and the Cloud – Helpful DPC Guidance for Organisations

Key Contacts: Pearse Ryan and Sam O’Connell. 

Click here to view this briefing in PDF format.

Are you a controller of personal data under the General Data Protection Regulation (“GDPR”) who uses a cloud services provider (“CSP”), or are you a CSP acting as processor for a controller customer that has engaged you to provide cloud computing services (“CCS”)?

If you answered yes to either question, you need to be aware of the data protection risks associated with the provision and receipt of CCS and to comply with the GDPR obligations appropriate to your status as controller or processor of personal data. Helpfully, the Data Protection Commission (“DPC”) has issued a CCS guidance note dated October 2019, “Guidance for Organisations Engaging Cloud Service Providers”, which adds to the range of advice issued by the DPC and provides useful clarification for both customers and suppliers of CCS.

CCS obligations under GDPR

Controllers have an obligation under GDPR to process personal data in a way that ensures appropriate security (as per the data protection principles of integrity, confidentiality and security). The DPC highlights that organisations must ask whether they have appropriate technical and organisational measures in place and ensure their processors do too. The DPC has separately issued guidance for controllers of personal data on data security, which is a reference guide to assessing whether appropriate security measures exist or are required to be implemented. As the DPC states in the CCS guidance “the use of any cloud services as part of [data controllers] business is an important area in which organisations need to ensure there is adequate security for the personal data they process”.

Cloud computing under GDPR

The DPC notes that “people often mean different things when they talk of processing data ‘in the cloud’”, which is undoubtedly true. The CCS guidance is not intended as a detailed guide to cloud computing or to the different types of CCS, and so describes cloud computing in general terms, for both controllers and processors, as something that “usually involves” an external CSP doing some or all of the processing or storage of personal data “on servers and/or in a data centre” under that CSP’s control. The DPC notes that CSPs will “in many cases” be acting as data processors and reminds CSPs to be aware of their obligations as processors, which are less onerous than those that apply to controllers. Whether a CSP is a data processor or a controller is a question of fact, and the analysis can be difficult.

Types of cloud computing

The DPC identifies three CCS models, which may involve the provision of a physical infrastructure, operating system, and/or processing software:

  • Software as a Service (“SaaS”);
  • Infrastructure as a Service (“IaaS”); or
  • Platform as a Service (“PaaS”).

The DPC also discusses the distinction between private, public and hybrid CCS models. It points out that a chain of CCS may apply, where a CSP, acting as a sub-processor, provides CCS to another CSP which has the ultimate contractual relationship with the customer, generally the data controller. The DPC also points to the complicated scenario arising where CSPs “are also data controllers, or ‘joint controllers’”. Again, the question is always one of fact. Overall, the DPC’s references to CCS service models and architecture models accord with the most common industry categorisations.

CCS associated risks

The recent CCS boom has offered businesses of all sizes a range of new and favourable storage options. The DPC states that it is essential for businesses looking into CCS (or those already engaged with a CSP) to ensure adequate security of personal data stored in the cloud. Issues may arise where controllers relinquish control of data to their CSP, where there is insufficient information about the service and its safeguards, or where the CSP is unable to adequately support the controller’s obligations and/or data subjects’ rights. The CCS guidance focuses mainly on CCS risks and the recommended steps to remove or reduce them.

The meaning of “control”

The CCS guidance is clear that a data controller “must remain in control of the personal data it collects when it subcontracts the processing to a cloud provider”. This is a key obligation, which cannot be waived or contracted out of. If the data controller cannot demonstrate control, it may potentially be in breach of GDPR. The DPC states that control requires:

  • ensuring security of personal data;
  • ensuring transparency around processing of personal data;
  • certainty around the location of personal data; and
  • having a written contract in place with the CSP.

Secure cloud computing

Under GDPR, a controller may only engage a processor that provides sufficient guarantees to implement appropriate technical and organisational measures. Controllers and processors are responsible for ensuring that such measures are commensurate with the risk. In practice, this is a key area of customer difficulty in the procurement of CCS, which is in essence output-measured: customers do not have visibility of what goes on under the hood, whether in real time or on an ad hoc basis (e.g. by way of inspection or audit), and generally the CSP will not or cannot allow it. The DPC states that “a controller must therefore be satisfied that personal data will be secure if it is outsourced to a cloud provider”. The reference to outsourcing is interesting: the cloud industry long disputed that cloud computing was a form of outsourcing, which is a well understood commercial sector in terms of risk management and commercial arrangements, and the industry has largely succeeded in creating a commercial, contractual and financial model unique to itself.

The DPC states that, with reference to security, controllers must be satisfied on two main points: that the CSP:

  • will only process personal data in accordance with its instructions; and
  • has taken into account risks presented from loss, destruction, alteration, unauthorised disclosure of, or access to personal data stored, whether accidental, unlawful or otherwise.

CSP assurances

The DPC states that controllers must seek assurances from potential CSPs on key issues, including:

  • pseudonymisation and encryption;
  • isolation or separation of personal data from the CSP’s other customers’ data;
  • ongoing confidentiality, integrity, availability and resilience;
  • restoration of availability and access in the event of a physical or technical incident;
  • regular testing, assessment and evaluation of the effectiveness of measures;
  • procedures in the event of a data breach; and
  • a process to delete or return all personal data on contract termination.

Controllers must be satisfied with such assurances both in advance of entering the contract with the CSP and throughout the arrangement. This may be achieved by:

  • requesting a detailed technical analysis incorporating an information security audit questionnaire or an approved code of conduct/certification mechanism; and
  • where necessary, on-site inspections of the CSP, implementation of the security policy and/or audit of personal data processing operations/technology usage.

As mentioned above, customer inspection or audit is a difficult topic in the CCS sphere. In practice, more sophisticated CSPs commission third-party audit-style reports which can be made available to customers. Overall, it is difficult for the customer of a CSP to obtain much, if any, change to the established supplier financial, technical and contractual model, especially with the large service providers. In certain market sectors, the financial services sector being a prime example, CSPs are more willing to engage in some degree of dialogue, or have pre-prepared responses to the type of requirements listed above. That is arguably as much due to sector-specific regulatory requirements as to the market leverage of the customer base. For customers lacking leverage, or regulatory requirements to reference, contracting with market-leading CSPs is challenging. This includes the public sector, where individual agencies in Ireland are in most cases of modest size and thus represent modest spend. These specific guidance statements are perhaps the most difficult part of the CCS guidance for data processors to comply with. The more important, but broad, statements in relation to data controllers remaining in control are perhaps less difficult, if only because CSP contracts deliberately do not express or imply CSP control, which is a condition CSPs strongly argue against as a matter of fact.

Transparency requirements

Under GDPR, a CSP acting as a processor may rely on approved codes of conduct or certification mechanisms to help demonstrate compliance for elements of its processing. This allows a controller to assess whether the arrangement is appropriate to the processing operations being contracted. A high level of transparency is required between a controller and data subjects when that controller processes those data subjects’ personal data through a CSP, and the CSP must be able to account for its processing operations. The DPC states that a controller must be satisfied as to the CSP’s:

  • security arrangements;
  • record keeping; and
  • sub-processing arrangements.

Location, location, location

Personal data held in the EEA benefits from a common standard of EU protection. Such protection may extend to data transferred outside of the EEA by relying on one of the following mechanisms under GDPR:

  • Art. 45 – transfers based on an adequacy decision;
  • Art. 46 – transfers subject to appropriate safeguards e.g. model contractual clauses;
  • Art. 47 – transfers subject to binding corporate rules.

Contract particulars

The DPC states that a number of key points must be covered in the contract between a controller and its CSP, including details of how the CSP will:

  • only process personal data as instructed by the controller;
  • provide an appropriate level of security measures;
  • provide a list of sub-processors it has engaged and keep the controller informed of changes;
  • allow and contribute to the controller’s audits or inspections;
  • guarantee the security of personal data processed outside of the EEA;
  • apportion liability between the controller and CSP in the event of a GDPR infringement and how this is notified to the controller; and
  • meet its obligations to support data subject rights.

The contract must also set out the subject-matter, scope, nature, context, purpose and duration of the processing, and how the types and categories of personal data are dealt with at commencement, transfer, routine processing and ‘end-of-life’ (including return or deletion).

Conclusion

Overall, the DPC’s guidance offers welcome clarity to those seeking to engage, or renew their commitments to, a CSP in the age of GDPR. In doing so, organisations should keep the DPC’s main message in mind and ask whether they (or their CSP) have the appropriate technical and organisational measures in place. We recently published an article on public sector procurement of CCS, which can be read in conjunction with this GDPR-related article here.

The authors wish to thank Sam O’Connell for his contribution to this article.

The post GDPR and the Cloud – Helpful DPC Guidance for Organisations appeared first on Arthur Cox.

Department of Public Expenditure and Reform Publishes Advice on Cloud Computing

Key contacts: Pearse Ryan and Colin Grant.

Click here to view the briefing in PDF format.

1. Background

On 17 October 2019, the Department of Public Expenditure and Reform (“DPER”) published an advice note on cloud computing (the “Advice Note”) (1). The Advice Note was developed by the Office of the Government Chief Information Officer in conjunction with the ICT Advisory Board and the wider public service ICT community. In December 2015, DPER issued a policy document called Considering Cloud Services, which provided advice to assist public service organisations in making informed, risk-based decisions on the adoption of cloud computing services (“CCSs”). While the 2015 policy document remains valid, the Advice Note recognises that cloud computing, along with the policy and legislative environments of which it forms a part, has continued to develop since that document was published. Consequently, DPER has published the Advice Note, which outlines its proactive and progressive approach to the procurement of cloud computing in Ireland.

2. Scope of Advice Note

The Advice Note aims to provide high-level guidance to assist organisations in making decisions in relation to the adoption of cloud computing. Accordingly, the Advice Note does not detail the technical and functional features of the infrastructure provided to supply a particular cloud computing solution. It does not recommend particular providers, products or services, nor does it set out model procurement contracts, whether on an individual supplier or supplier panel framework type basis. The scope of the Advice Note is limited, but as a high-level statement of policy it is useful.

3. Responsibility, not accountability, can be outsourced

While organisations may outsource their responsibility for the delivery of a CCS to a cloud service provider (“CSP”), DPER stresses in its Advice Note that organisations cannot outsource their accountability for that service to a CSP. Moreover, organisations remain responsible for their regulatory obligations, including their obligations under data protection law. Consequently, DPER states that organisations will need to put in place or update their own local cloud strategy, plans and policies. Organisations should seek legal advice prior to or during the implementation or updating of local cloud strategy, plans and policies.

This is similar to established norms in the outsourcing area, where public bodies can outsource service delivery, but not responsibility for the service. However, in the procurement of CCS the perception is frequently that public sector customers have less leverage than they enjoy in other domains, including the procurement of more traditional software licence and implementation arrangements, together with various forms of output-measured service outsourcing. Certainly, procuring CCS does require public sector customers using public procurement to adopt a somewhat different approach from that taken in more established ICT goods/services and outsourcing domains. The Advice Note does not go into detail in these areas, nor does it provide public sector bodies with even a partial procurement solution in the form of individual supplier sector contracts or a supplier panel framework type agreement. It is essentially a policy document.

4. Viable service for most public service information or systems

DPER believes that CCSs should be considered “potentially suitable” for any category of public service information or system (except where such data would be classified as ‘top secret’ in accordance with the Department of Finance’s Circular 39/07: Classification of material as ‘top secret’)(2) and recommends that, where possible, all new government systems should be developed to exploit the opportunities presented by cloud deployment. All existing systems will be reviewed for cloud capability and, where practicable, suitable systems should move to public cloud or government private cloud environments. However, DPER stresses that “in all cases, a move to cloud will be a business decision on the basis of specific considerations made by individual public service organisations.” This business decision, and more particularly what inputs into the decision-making and what criteria to apply to it, is, we believe, the key practical difficulty for public sector bodies considering the procurement of CCS.

5. Definition of ‘cloud computing’

DPER notes that there is “no overarching agreed definition” of ‘cloud computing’ because “cloud computing refers to a concept comprising a set of combined technologies and not to a specific technology.”

NIST definition of ‘cloud computing’
The United States National Institute of Standards and Technology (“NIST”) defines ‘cloud computing’ as:

“a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”(3)

The NIST’s definition of ‘cloud computing’ is internationally accepted and is summarised below:

Five essential characteristics
  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service

Three service models
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

Four deployment models
  • Private cloud
  • Community cloud
  • Public cloud
  • Hybrid cloud

DPER’s definition of ‘cloud computing’
For the purposes of the Advice Note, DPER defines ‘cloud computing’ as:

“a set of technologies and service models that focus on network-based on-demand use and delivery of IT applications, processing capability, storage and memory space that can be provided by an external service provider, delivered in-house, or a combination of both, and can be provided on a private or shared basis.”

6. Change required to Government’s adoption of infrastructure to support cloud computing

DPER comments that the pace of, and demand for, digitalisation is accelerating and that the way in which the Government adopts the infrastructure required to support new technologies such as cloud computing needs to change. In DPER’s view, “traditional server room or data centre models will not be sufficient in the longer term” because “an increasing number of services will be available only through the cloud” and “vendor support for on premise solutions is likely to diminish.”

This is a reality in the ICT sector, and there is likely as much a market-based push underlying the Advice Note as a public sector pull. The Advice Note is a welcome policy statement, but to a certain extent the public sector has no choice but to transition to CCS, given the relatively established market transition to cloud-only solution supply. A logical next step is for DPER to turn to assisting public service bodies in procuring CCSs. Taking technology innovation one step further, DPER states that the “Government must be in a position to adopt technologies such as blockchain, Artificial Intelligence and the Internet of Things to help re-invent how government services are delivered over the next few years and to support leading-edge ways of managing and analysing (large volumes of) data.” We read this as a statement of the next set of technology-based solution innovations that DPER and public bodies will be required (we believe quite quickly) to deal with.

7. National and international initiatives demonstrate need for cloud computing

DPER notes that a number of initiatives undertaken at national and international level demonstrate the need for cloud computing.

The Department of Communications, Climate Action and Environment’s Climate Action Plan 2019(4), published on 17 June 2019, predicts a rapid growth in electricity demand driven by technology. The Public Service reform plan, Our Public Service 2020(5), published in December 2017, stated that the development of digital services, eGovernment and making better use of, and sharing, data are key to driving Ireland towards a more integrated, shared and digital environment. The Public Service Data Strategy 2019 – 2023(6), published by DPER on 21 December 2018, seeks to create a coherent ecosystem in which public service organisations can confidently exchange data to support improved service delivery and policy creation in a legal, transparent and effective manner.

The Data Sharing and Governance Act 2019 (“DSGA 2019”)(7) supports the Public Service Data Strategy 2019 – 2023 and seeks to provide a legal basis to enable public service organisations, where they already have a legal basis to collect data from a citizen or business directly in accordance with the General Data Protection Regulation (“GDPR”)(8) and the Data Protection Act 2018 (“DPA 2018”)(9), to collect that data from another Irish public service organisation. The majority of the provisions of the DSGA 2019 came into effect on 18 April 2019.

The GDPR, which took effect from 25 May 2018, has general application to the processing of personal data and special categories of personal data in the EU, and details the extensive obligations placed on data controllers and processors, and provides strengthened protections for data subjects.

DPER states that cloud computing, through its efficient use of hardware and sharing of resources, provides opportunities to support these national and international initiatives.

8. Security and cost-efficiency are paramount

DPER states that the Government will ensure that the delivery and back-office systems underpinning knowledge management, policy development and the services provided to Irish citizens and businesses are run in the most secure and cost-efficient manner. DPER advises public service organisations to adopt a ‘cloud-first’ approach for all new systems and that Government systems should move to a hybrid-cloud environment.

9. To move or not to move? That is not the question

DPER advises that the question to ask in 2019 is no longer whether to move to cloud, but rather what, how and when to move to cloud and which particular systems are suitable. Interestingly, in an effort to promote cloud computing, DPER advises that “if a system is deemed not suitable for public cloud, a hybrid or private government cloud model should be considered.” In other words, all deployment models should be considered. Moreover, in an effort to promote meaningful consideration of cloud computing as a viable service and to promote accountability of decision making, DPER states that the decisions reached to use or not to use cloud for particular systems should be documented, retained and supported with reasons.

10. The three principles underlying the Advice Note

DPER states that all organisations must comply with the following principles:

All new systems will be designed to maximise the benefits of cloud

  • New systems: Organisations are required to identify if a cloud-based solution exists.
  • Off-the-shelf systems: Organisations should review product roadmaps and engage with suppliers to identify if a cloud-based solution exists.
  • Bespoke systems: Organisations should look at designing and building the system to maximise the benefits of cloud.

All existing systems will be reviewed regularly for cloud capability

  • Assessing migration suitability: Organisations should regularly review all existing systems to, amongst other things, assess which systems may be suitable for migration to cloud.
  • Input required from key decision makers: Business owners are key contributors to the review process.
  • Post-review retention and retirement: Upon review, an organisation may decide that an existing system is unsuitable for migration and instead retain and gradually retire the system.
  • Myriad options exist when migrating existing application(s): These range from re-hosting (i.e. small modifications to move the application(s) but taking no advantage of cloud capabilities) to re-designing (i.e. minor to major changes required to take some/greater advantage of cloud capabilities) to full replacement (i.e. designed for cloud capabilities).

A move to cloud will be a business decision on the basis of specific considerations

  • The development of local multi-year cloud strategies should be linked to an organisation’s overall strategy: To help focus a move to cloud, local multi-year cloud strategies should be developed which are linked to the organisation’s overall strategy and which identify the business outcomes to be achieved.
  • A ‘cloud first’ approach does not mean a ‘cloud only’ approach: Financial, compliance and technological issues, along with the risk profile of the data, must be considered and may determine that, in some circumstances, cloud computing is unsuitable.

11. How will cloud computing be delivered?

Going forward, DPER advises organisations to consider the following potential delivery models:

Public Government cloud
  • Use: Designed and configured for exclusive use
  • Ownership/management: Owned, managed and operated by, or on behalf of, Government
  • Location: On or off premises
  • Accessibility: Via Government networks only

Public cloud
  • Use: Designed and configured for open use by the general public
  • Ownership/management: Managed by a cloud provider who offers standard, repeatable services at scale and on demand
  • Location: Off premises
  • Accessibility: Via public internet

Public cloud over private network
  • Use: Designed and configured for open use by the general public
  • Ownership/management: Owned, managed and operated by, or on behalf of, Government
  • Location: Off premises
  • Accessibility: Via private network / dedicated communication link / Government networks

Hybrid
  • Use: Using services both from public cloud providers and on Government-managed cloud
  • Ownership/management: Managed from both the public cloud provider and the Government-managed private cloud
  • Location: On or off premises
  • Accessibility: Via Government networks

12. How does an organisation choose the right delivery model?

Organisations should familiarise themselves with the various offerings by initially running a number of test or pilot projects. The tests or pilot projects should be implemented with more than one CSP to understand and compare the offerings available and to ensure that they support the range and depth of technologies required by the organisation.

13. Things organisations should consider when deciding whether or not to move to cloud

A large proportion of the data processed by organisations, including personal data and special categories of personal data as defined under the GDPR, is suitable for location in, or migration to, CCSs, subject to appropriate technical and organisational measures being put in place. In deciding what data can be put in the cloud and under which model (i.e. public Government, public, public over private, or hybrid), organisations must identify the sensitivity of their data, including the impact of a possible data breach under the GDPR and the DPA 2018, and categorise their data accordingly. While some organisations or departments have data classification systems in place, for example the Department of Foreign Affairs and Trade, most organisations do not, and there are no central classification rules in place except for information defined as ‘top secret’ in accordance with the Department of Finance’s Circular 39/07: Classification of material as ‘top secret’. Organisations should seek legal advice when contemplating and conducting such a procedure.

Other things organisations should consider include the possibility of data encryption, the availability of access rights, logging all access to data, and managing data retention requirements.

14. Issues organisations should consider when choosing or using products built for, or operating in, the cloud

Review product roadmaps and engage with suppliers
Organisations that are moving to a ‘cloud only’ model need to understand the off-the-shelf features, functionalities (both core and configurable), update release cycles and the implications for bespoke customisations. Understanding these issues will help an organisation determine the appropriate cloud deployment model for their particular product.

Think long term
Organisations need to recognise the potentially transformative effect on their business processes of adopting SaaS solutions, and the benefits that customisations could have for their businesses’ long-term sustainability.

Identify peaks and troughs in utilisation
Organisations should review current system workloads to identify predictable or seasonal peaks and troughs in utilisation. This will be relevant in identifying if the current system can support auto-scaling in cloud computing (i.e. a method whereby the amount of computational resources in a server farm, typically measured in terms of the number of active servers, scales automatically based on the load on the farm). This may have cost implications.

Balancing approach
Organisations need to balance the long-term inefficiencies (in particular, costs) of migrating applications ‘as is’ into cloud environments against the costs of modernising applications in advance or replacing such applications.

Public or private?
A balance needs to be struck between confidentiality, integration and availability requirements. Information in the public domain has no confidentiality requirements but may have high availability requirements and therefore be appropriate for deployment via a public cloud model.

Data-sharing and re-use
The majority of the provisions of the DSGA 2019 came into effect on 18 April 2019. The DSGA 2019 provides a legal basis to enable government organisations, where they already have a legal basis to collect data from citizens or businesses directly, to collect that data from another government organisation. Organisations should consider the DSGA 2019 when choosing or using products built for, or operating in, the cloud and when considering using cloud-based services to ensure their chosen services support and facilitate data-sharing and re-use.

Governance
Governance issues an organisation should consider when choosing or using products built for, or operating in, the cloud include:

  • Will there be a clear division of responsibilities between the organisation and CSP? How will this be achieved?
  • How does an organisation ensure that its employees possess the necessary level of cloud technological skills? How will this be achieved?
  • How can good risk management of externally-hosted systems be demonstrated and assessed?
  • How can organisations using CCSs from multiple CSPs ensure that they implement an organisation-wide approach to management and governance, which may include standardising cloud policies and clarifying processes and ownership?

Contractual cover
When selecting a CSP, organisations need to exercise strong due diligence. The terms of the agreement and the subsequent management of the service must be fully considered. Service contracts should cover legal and regulatory obligations, location of data, security clearance of CSP personnel, business security requirements, dispute resolution mechanisms, technical support, escalation procedures, back-up policies, transitional services, and how upgrades of CCSs will occur.

Of particular importance for organisations to consider when choosing or using products built for, or operating in, the cloud is the consideration and development of a cloud exit strategy to manage issues such as poor CSP experience, poor provision of CCSs by the CSP, circumstances where the CSP no longer offers the CCSs, the possible substitution of CCSs to another CSP, and the transitional services provided by the incumbent CSP to the organisation during the transition period. Organisations also need to consider how data will be extracted in a durable medium from the incumbent CSP and what happens to copies of data held by them.

For any and all of these issues, legal advice should be sought and, where appropriate, guidance from the Office of Government Procurement.

15. Data protection

DPER in its Advice Note affirms the advice communicated by the Data Protection Commission (the “DPC”) in its Five Steps to Secure Cloud-based Environments in June 2019(10). The DPC advises organisations to determine and implement a documented policy and apply the appropriate technical security and organisational measures to secure any utilised cloud-based environments.

Although not referred to in the Advice Note, the DPC published guidance for organisations engaging cloud service providers in October 2019(11). We discuss the DPC’s guidance note in a separate article. A risk to the security of personal data can arise where a data controller relinquishes control over the data to a CSP, where there is insufficient information available regarding the cloud processing services and their safeguards, or where the CSP cannot adequately support the data controller’s obligations or data subjects’ rights. A data controller must remain in control of the personal data it collects when it subcontracts the processing to a CSP. Moreover, the controller must be satisfied that the processor (i.e. the CSP) will only process the data in accordance with the controller’s instructions. This is directly related to the need for a contract between the controller and the CSP. The controller must also be satisfied that the CSP has taken into account the risks presented by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The DPC states that controllers, before considering entrusting personal data to a CSP, must be satisfied that the CSP’s security standards are sufficient and appropriate for the processing of personal data they will undertake on the controller’s behalf. According to the DPC, the CSP should be in a position to give assurances on key issues such as:

  • pseudonymisation and encryption of personal data if required;
  • isolation or separation of personal data provided by the controller from the CSP’s other customers’ data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • means to delete or return all personal data to the controller when a contract expires or terminates.

The DPC states that controllers must seek to assure themselves on the above matters, both in advance of retaining a particular CSP and throughout any contractual arrangements.

16. Proof of compliance with cloud certification scheme(s)

When seeking CCSs, DPER recommends that organisations should, prior to contracting with a CSP, seek evidence of the CSP’s compliance with one or more cloud certification schemes. Proof of compliance may provide some degree of assurance to an organisation in relation to the CSP and the CCSs offered. There is no single relevant certification scheme for cloud computing. ISO 27001 is currently the most adopted certification scheme.

17. Conclusion

DPER’s Advice Note is timely, useful and provides high-level guidance to assist public service organisations in making decisions in relation to the adoption of CCSs. It must be noted, however, that the Advice Note is not intended to be exhaustive. While DPER recognises that a ‘cloud-first’ approach does not mean a ‘cloud only’ approach, it is clear from the Advice Note that a move to CCSs, of whatever type, is inevitable for many applications or solutions, whether by choice of the organisation or enforced by market providers. Accordingly, DPER’s Advice Note calls on organisations to start developing their own cloud strategy and specific cloud management policies, including the identification and prioritisation of existing applications that are suitable for cloud deployment or migration in the future.

In our experience, the difficulty for an organisation is largely around not the why of procurement, but the how. Procuring CCS has important differences from procuring traditional on-premises software solutions plus (typically) remote-based services, together with managed service-based solutions, whether on or off-premise. The cloud business model differs from that of traditional software licensors and support providers. This, allied to the size of the leading suppliers when compared to many public sector organisations and the particular requirements of the public procurement regime, has, we believe, created at least a feeling among public sector organisations that CCSs are difficult to procure, contract for and manage (including exit management). While procuring CCSs has its challenges, they can, we believe, be overcome and a number of potentially useful models do exist.

The author wishes to thank Colin Grant for his contribution to this article.

For more information on cloud computing, please see our separate article discussing the GDPR and cloud computing here.

(1) https://assets.gov.ie/37039/4468be59812f40dda7003116cf05f196.pdf
(2) https://assets.gov.ie/16354/836258897a554bb4ab9676aab0e31b17.pdf
(3) https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
(4) https://www.gov.ie/en/publication/ccb2e0-the-climate-action-plan-2019/
(5) https://ops2020.gov.ie/
(6) https://www.gov.ie/en/publication/1d6bc7-public-service-data-strategy-2019-2023/
(7) http://www.irishstatutebook.ie/eli/2019/act/5/enacted/en/html
(8) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
(9) http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html
(10) https://www.dataprotection.ie/sites/default/files/uploads/2019 06/190606%20Five%20Steps%20to%20Secure%20Cloud-based%20Environments.pdf
(11) https://www.dataprotection.ie/sites/default/files/uploads/2019-10/Guidance%20for%20Engaging%20Cloud%20Service%20Providers_Oct19.pdf

The post Department of Public Expenditure and Reform Publishes Advice on Cloud Computing appeared first on Arthur Cox.
