News and Insights

Print this page

Search News & Insights

Code of Practice Launched for Cloud Computing Services

PRACTICE AREA GROUP: Technology and Innovation
DATE: 31.01.2011

On November 22, 2010, the UK Cloud Industry Forum (‘‘CIF’’) launched its Code of Practice in respect of cloud services following an extensive period of public consultation. CIF is an organisation which was established in 2009 with the aim of advocating the adoption and use of cloud-based services by business and individuals.

CIF believes the market needs a credible and certifiable Code of Practice that ‘‘provides transparency of cloud services such that consumers can have clarity and confidence in their choice of provider’’.

In its consultation paper for the Code of Practice, CIF defines cloud computing using the definition in the ISO/IEC JTC 1 N9687 Report on Cloud Computing as follows: ‘‘Cloud computing provides the IT infrastructure and environment to develop/host/run services and applications, on demand, with pay-as-you-go pricing, as a service. It also provides resource and services to store data and run applications, in any  devices, anytime, anywhere, as a service’’.

Why Introduce a Code of Practice?

CIF states that its justification for the introduction of a Code of Practice includes the lack of transparency involved in services provided online; the emergence of new risks in cloud-based services (such as data protection and continuity of operations); and rate of market adoption. CIF comments that the attractiveness of noncapital pay-as-you-use services is significant, and experts predict dramatic take-up over the next few years.

What are the Terms of the Code of Practice?

The Code of Practice revolves around three central principles:

  • Transparency: Organisations must ensure transparency for specified types of information. Commercial terms in particular must be clear, including full disclosure of fully burdened pricing, contract periods, and renewal processes.
  • Capability: Organisations must have documented management systems and resources in place to deliver specified capabilities such as data protection and continuity of operations.
  • Accountability: Organisations shall be accountable for their operational practices and shall agree to binding complaint resolution procedures with customers for Code of Practice-related practices and other complaints.

The Code of Practice will not compete with more specific standards such as SAS70 or ISO9001. CIF states that it will provide participants with a frame of reference on how to compare and contrast the role of the Code of Practice against other relevant standards.

How Will Organisations Comply with the Code of Practice?

An organisation will be certified as compliant with the Code of Practice through self-certification. Selfcertified compliance will be achieved on the basis of
self-assertion (ie. a formal statement by the Board of Directors or equivalent body that the organisation intended to comply with the CIF Code of Practice). The organisation then must conduct self-certification procedures against the Code and make a filing in this regard with CIF. Upon acknowledgement of the filing, the organisation will be entitled to use the CIF Code of Practice mark. The self-certification must be repeated annually. Independent certification will be introduced in 2011.

CIF will ensure credibility of the certifications through random audits, external complaints or whistleblower alerts. CIF will have the capability and authority to enforce removal of the certification mark from organisations deemed not to have complied with the Code of

Participants must pay a nominal fee to CIF to assist in the administration and governance of the Code of Practice. Annual self-certification fees vary, depending on the turnover of the organisation (for example, an organisation with turnover of less than £250,000 (US$390,200) will pay £200 (US$312) per annum and an organisation with turnover of over £10 million (US$15.6 million) will pay £2,000 (US$3,122) per annum).

Further information about the Cloud Industry Forum and its Code of Practice is available on its website at: .

For further information, please contact John O'Connor, Partner and joint head of the Technology and Commercial Contracts Group at Matheson.


This article first appeared in World Data Protection Report (January 2011).



About cookies on our website

Following a revised EU directive on website cookies, each company based, or doing business, in the EU is required to notify users about the cookies used on their website.

Our site uses cookies to improve your experience of certain areas of the site and to allow the use of specific functionality like social media page sharing. You may delete and block all cookies from this site, but as a result parts of the site may not work as intended.

To find out more about what cookies are, which cookies we use on this website and how to delete and block cookies, please see our Which cookies we use page.

Click on the button below to accept the use of cookies on this website (this will prevent the dialogue box from appearing on future visits)