Key issues for contracting authorities to consider when procuring cloud services

Monday, November 22, 2021

Irish contracting authorities are increasingly looking to cloud services as possible solutions to their IT needs. Cloud IT services often present a number of clear benefits to the public sector:

more attractive pricing models (with the ability to scale up and down as needed);
greater functionality in most instances than on-premise solutions; and
lower in-house IT support requirements.

As a consequence, the Office of the Government Chief Information Officer previously advised that the public sector should take a “cloud-first approach”, reinforced in its October 2019 Advice Note. However, there are four key issues faced by the public sector in tendering for cloud computing services:

The OGP Services Contract, used for almost all tender processes in Ireland, is unsuitable for the procurement of cloud services (and ICT in general). This is acknowledged by the OGP in the User Guide for the Services Contract and is largely due to the intellectual property provisions of the OGP Services Contract and the respective lack of a default liability cap. These provisions do not reflect market realities, and suppliers often refuse to sign up to these terms (instead proposing the use of their own terms and conditions).
The vast majority of tender processes conducted in Ireland are either open or restricted procurement processes, which do not allow for negotiations during tender processes and only permit post-tender changes that do not affect the commercial terms of the contract. This means that cloud computing suppliers are often faced with the dilemma of deciding not to bid for a public sector tender opportunity or hoping to force a contracting authority into accepting amendments after the tender has been awarded. Contracting authorities, likewise, are often forced into accepting amendments to the draft contract as issues only come to light after the successful supplier has been selected.
Cloud computing suppliers typically rely upon a complex interlinking set of terms and conditions, reflecting the “Russian doll” nature of their services. A cloud supplier could offer to a contracting authority a solution that consists of the configuration (subject to one set of terms and conditions) of a standard product (such to other general terms and conditions) which runs upon the infrastructure of a major cloud provider (such as Amazon Web Services or Microsoft Azure, bringing their own terms and conditions).[1]
Finally, cloud suppliers often have different commercial offerings – making it difficult for the public sector buyer to evaluate like for like. The traditional fixed cost model used for tender processes may not apply, as certain suppliers may offer a “pay as you go” model based on usage of the service (e.g. storage, tickets raised, expenses paid etc.).

The Office of Government Procurement’s Cloud Services Procurement Guidance Note published in February of this year provides some helpful clarification on the approach to be taken by public bodies. Whilst the note indicates several times that legal advice should be obtained, it does provide valuable guidance on key contract terms to be considered and how best to conduct a tender process for cloud services.

The Guidance Note cautiously endorses a common approach where a cloud service provider’s standard terms and conditions are included as a schedule to the contract tendered by the contracting authority, with the contracting authority’s terms and conditions taking precedence over the cloud service provider’s standard terms and conditions in the case of a conflict. This is a similar approach to that taken by the UK’s G-Cloud, where some minimum contractual terms are specified to allow for a degree of certainty for cloud suppliers.

The Guidance Note emphasises the need for the public sector to undertake pre-market engagement, and in particular the need to engage with the private sector on the contractual and commercial terms that would govern any contract. Pre-market engagement is permitted (and encouraged) by public procurement legislation, provided that equal opportunity is provided to suppliers – as a consequence, contracting authorities should consider publishing a prior information notice on eTenders and/or the OJEU to obtain the greatest level of input and to potentially “net out” any issues from potential suppliers (such as unrealistic liability caps or service requirements or discriminatory specifications).

As the public sector’s terms will take precedence, the form of contract issued with the tender must be fit for purpose in the first instance. As identified above, the open and restricted tender procedures do not allow for negotiation and if the contract terms that take precedence include terms that are too onerous the position will be very similar to that already experienced by the public sector. Appendix 1 of the Guidance Note contains a non-exhaustive list of issues to be considered in preparing a cloud services contract and (in our opinion) reflects many, if not most of, the key issues arising in public sector IT contracts. However, whilst the Guidance Note provides a number of considerations for the public sector to take into account for the preparation of cloud services tenders, it does not recommend any particular positions on key issues. On topics such as indemnification and liability caps – key commercial and risk sharing issues that frequently cause conflict between the public sector and cloud service providers – contracting authorities are simply informed that they should “conduct appropriate risk assessments and seek the advice of the State Claims Agency and/or their legal advisors, as required”.

Despite these drawbacks the publication of this Guidance Note should be welcomed – the considerations raised in Appendix 1 are sensible and provide some comfort to contracting authorities that are procuring cloud services. The procurement of cloud services by Irish contracting authorities is an inherently complex area and, as the Guidance Note suggests, contracting authorities should obtain expert assistance and legal advice on the preparation of its tender procedure and its proposed contract. In particular, we recommend that contracting authorities consider whether the competitive dialogue procedure is a more appropriate route to procure a cloud services provider (particularly in high value or complex procurements) as this permits discussion with the market on all aspects of the tender and greater flexibility to finalise the form of contract with the preferred tenderer.

Given these complexities and the emphasis placed on the procurement of cloud services by the Irish Government, it remains a great shame that the Government Cloud Services Catalogue (GCSC) was cancelled in 2015. With the proposed revitalisation of the Metrolink and DART expansion projects, perhaps the GCSC should be viewed with similar nostalgia.

[1] The OGP note provides a useful diagram showing this in Figure 1 (page 11).

Our IT procurement team advises the public sector on some of the largest public sector IT projects currently being undertaken in Ireland, including numerous competitive dialogue processes. For more information on this article, or our IT procurement team, please contact Kerri Crossen, Sean McElligott or Patrick Kane.

Back To News

Cookie	Type	Duration	Description
Necessary
cookielawinfo-checkbox-non-necessary	session	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	session	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
cookielawinfo-checkbox-necessary	session	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
Analytics
_gat_gtag_UA_180138433_1	third-party	1 minute	Google uses this cookie to distinguish users.
GPS	session	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
_gid	session	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_ga	persistent	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
Preferences
_gat_UA-25168621-1	session	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
Advertisement
VISITOR_INFO1_LIVE	third-party	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
IDE	persistent	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
Performance
YSC	third-party		This cookies is set by Youtube and is used to track the views of embedded videos.

Contact The Team

Key issues for contracting authorities to consider when procuring cloud services

Author

Kerri Crossen

Sean McElligott

Patrick Kane

Contact The Team

Subscribe

Key issues for contracting authorities to consider when procuring cloud services

Author

Kerri Crossen

Sean McElligott

Patrick Kane