
Pakistan: Regulating the cloud

The Ministry of Information Technology and Telecommunications ('MOITT') introduced, on 18 February 2022, the Pakistan Cloud First Policy ('the Cloud Policy'). The Cloud Policy aims to foster the adoption of cloud solutions and guide the regulation of cloud policy in Pakistan. OneTrust DataGuidance breaks down the key provisions of the Cloud Policy.


Scope

The Cloud Policy outlines that it applies to all public sector enterprises under the Federal Government intending to make new ICT investments. Further, the Cloud Policy is intended to serve as useful guidance to regulated sectors and private sector organisations as they continue to undertake the process of digital transformation (Section 4 of the Cloud Policy).

Definitions

In particular, the Cloud Policy defines a Cloud Service Provider ('CSP') as a third-party company which offers components of cloud computing, including, among others, software, storage, and applications (Section 1.2 of the Cloud Policy). Further, the Cloud Policy provides, with regard to the interaction between the public and private sectors, that Public Sector Entities ('PSEs') include ministries, departments, agencies, dependencies, and institutions at the federal level, as well as corporations fully or partially owned by the Federal Government of Pakistan ('the Government') (Section 1.4 of the Cloud Policy).

General provisions

In particular, the Cloud Policy aims to guide and empower organisations to transition to cloud-based solutions, noting that the MOITT expects that the Cloud Policy will result in cloud adoption across a variety of markets and industries and foster growth within the local IT industry by enabling access to cloud-based technologies and complementing emerging technologies, such as Artificial Intelligence ('AI'), machine learning, and the Internet of Things ('IoT'). In this regard, the Cloud Policy is a significant achievement for the Digital Pakistan Policy, which advocates the mass adoption of emerging digital technologies (Section 2 of the Cloud Policy).

The Cloud Policy provides general aims to promote the adoption of cloud-based technologies, outlining the need for information security, and for CSPs to hold internationally recognised security certifications that are assessed by third-party security professionals. Furthermore, the Cloud Policy notes that information security challenges are more adequately addressed via cloud computing by following international standards and best practices (Section 2(b) of the Cloud Policy).

In addition, the Cloud Policy addresses data privacy, highlighting that CSPs should implement technical and administrative controls to protect data - both stored and in transit. Furthermore, formal engagements with CSPs should generally define data protection standards and establish service level agreements that outline security and privacy measures. These measures include, but are not limited to, adequate technical controls, such as end-to-end encryption or tokenisation, as well as data loss prevention tools (Section 2(c) of the Cloud Policy). More specifically, the Cloud Policy notes the application of transparency and accountability to cloud computing, with particular application to public administration (Section 2(d) of the Cloud Policy).

Supervisory authority

To fulfil the Cloud Policy's implementation, the MOITT will establish a dedicated office to facilitate and supervise matters connected with it. Generally, the Islamic Republic of Pakistan will ensure the Cloud Policy's implementation through a cloud office, whose functions include (Section 9.1 of the Cloud Policy):

  • establishing a classification, accreditation, registration, and compliance framework for CSPs based on international benchmarks;
  • carrying out or seeking compliance from CSPs against established benchmarks;
  • promoting a cloud culture and adoption of cloud services across PSEs;
  • providing a time-based No Objection Certificate ('NOC') if there is a legitimate reason for deviation/exemption to the Cloud Policy;
  • enforcing modalities for cloud first investments; and
  • supporting provinces in adoption of a cloud-first policy in their jurisdictions.

In addition, the Cloud Policy provides that CSPs must meet domestic and international standards set for accreditation of CSPs to fulfil the requirements of the cloud office. Further, the Cloud Policy sets out that the cloud office will formulate accreditation criteria and benchmarks for all CSPs opting to provide services to PSEs. In formulating such standards, the Cloud Policy details that criteria will be based on international benchmarks, such as security, reliability, cost, interoperability, availability, and any other established parameters (Section 9.2 of the Cloud Policy). More specifically, the Cloud Policy provides that the cloud office will maintain a list of accredited CSPs for PSEs and will have the authority to revoke accreditation of CSPs in case of non-compliance (Section 9.2 of the Cloud Policy).

Information security

The Cloud Policy outlines that the cloud office will define security baselines, based on domestic and international standards, for the different cloud models designated to host different data classes for PSEs. Furthermore, the Cloud Policy notes that any data breach must be disclosed to the cloud office and any other relevant authorities as soon as the breach is discovered (Section 9.8 of the Cloud Policy).

Cloud contracts

The Cloud Policy provides that the cloud office will issue guidelines for the execution of cloud computing contracts between PSEs and CSPs (Section 10.1 of the Cloud Policy).

Further, the Cloud Policy outlines the minimum suggested requirements for contracts, including among other things (Section 17, Annex F of the Cloud Policy):

  • CSPs' adherence to the due diligence process and conformity of public procurement guidelines/processes;
  • a clear description of service to be provided;
  • the contract's duration (unless it is of unlimited duration);
  • rules on handling cloud customer data, including their processing, destruction, and restoration;
  • customers' right to retrieve their data stored in CSP systems, if the cloud contract is terminated; and
  • limitation of CSPs' right to exclude their liability unreasonably or to impose unfair contract terms related, for instance, to any loss of, or damage to, customer data, quality of service degradations, such as service unavailability, or data breaches.

Data sovereignty

The Cloud Policy explicitly addresses data sovereignty and data flows, providing that the policy acknowledges the capabilities and economies of scale obtained when there are no data residency requirements in place. More directly, the Cloud Policy notes that with no data residency requirement in place, the data belonging to the Government may be stored outside of Pakistan and there is a possibility that the Government loses access to its data or that the data may be subject to the laws of other countries.

Nonetheless, the Cloud Policy significantly provides that whenever there are legitimate use-cases requiring cross-border data flows, then the relevant stakeholders may consult with the cloud office to ensure that appropriate security standards and controls are in place for such data flows (Section 8 of the Cloud Policy).

Data classification

The Cloud Policy provides for the organisation of data into categories depending on its sensitivity and criticality, outlining that highly sensitive information requires protection mechanisms, security measures, and products and services different from those applied to other, less sensitive information (Section 9.7 of the Cloud Policy).

More specifically, the Cloud Policy highlights five data classifications (Section 15, Annex D of the Cloud Policy):

  • Open data: Publicly available data structured in a way that the data is fully discoverable and usable by end-users.
  • Public data: Data related to the public sector that is non-confidential and publicly available.
  • Restricted data: Data related to public sector business, operations, and services which, even if publicly available, could compromise the reputation of Pakistan internationally.
  • Sensitive/confidential data: Information not intended to be published, which should be accessed only by certain people having proper authorisation and which justifies moderate protective measures:
    • phone numbers, registration numbers, or passports;
    • information that contains at least one personally identifiable information, like name, address, or biometrics;
    • data classified as confidential, and perhaps, certain categories of secret data; and
    • information accessible through the Intranet only, but available to broadly defined categories of authorised officials and public servants, and drafts of laws and regulations that are not yet in the public domain.
  • Secret: Information requiring the highest level of protection from serious threats, whose breach will likely cause threats to life or public security, financial loss, or serious damage to public interests, including:
    • leading directly to widespread loss of life;
    • threatening directly the internal stability of Pakistan or friendly nations;
    • raising international tension;
    • causing exceptionally grave damage to relations with friendly nations;
    • causing exceptionally grave damage to the continuing effectiveness of extremely valuable security or intelligence operations;
    • causing long-term damage to the Pakistani economy; and
    • causing major long-term impairment to the ability to investigate or prosecute serious organised crime.

Harry Chambers, Privacy Analyst