Image: 92218641 © Jurij Boiko | Dreamstime.com

Explainers

10 legal considerations for cloud-based platforms

6 January 2021

Cloud platforms have been a huge benefit to construction professionals during the pandemic, allowing remote working across project teams, wherever they are. However, alongside the benefits of cloud computing are the legal ramifications.

Fortunately, for every legal consideration, there is a solution. Here, 3D Repo CEO Jozef Dobos and Buro Happold head of commercial and legal May Winfield provide a top ten list of considerations and examples of best practice to enable you to set up or continue working safely and legally on your cloud platform.

User management

Access rights should be considered at the beginning of a project. During the project, hundreds of people may require access and this needs to be managed appropriately.

User management refers to those with the authority to give others’ data access on a project and the revoking of this access once a project is complete. Best practice is to have a project administrator or access manager who manages and keeps a record of access rights. This will prevent access from being granted to those who don’t need it or somebody who may use the platform maliciously e.g. sharing data with unsolicited users.

At the end of a project, consideration needs to be given to whether all users need access revoking and any implications this may have on data or objects that they ‘owned’ within the platform.

ICO compliance

Anyone with access to data in the UK must be aware of the requirements to comply with the Information Commissioner’s Office (ICO). The organisation responsible for the data must be registered with the ICO. All organisations must have a data handling policy in place that all employees or subcontractors are aware of. When an individual is given access to a cloud platform containing data, they are required to sign the policy and understand the requirements to ensure data is not mistreated.

If there is a breach, the data protection officer for the organisation must contact the ICO to make them aware. This is likely to result in a significant fine and potential reputational damage.  

If the project team expands beyond the UK, data sharing may be subject to additional rules. For example, Canada has a Personal Information Protection and Electronic Documents Act (PIPEDA) and the US has a Privacy Shield. Always check the individual country’s law and, as is the case with the European Economic Area (EEA), that there are no additional overarching requirements.

Cross-country collaboration on projects is achievable through cloud platforms, so long as wherever the physical data is, it’s being managed legally. Most public projects’ data mustn’t leave the soil of the home country.– Jozef Dobos, 3D Repo

Data security

This brings us to data security. One of the benefits of using a cloud platform is storage. Yet, with so many potential mishaps, it’s imperative that you know that the cloud provider is certified, as required by international standards ISO 9001 quality management and ISO 270001 information security.

Data must always be encrypted. When you log onto the cloud, the extra secure connection should be displayed at the start of the URL ‘https://’. When using 3D Repo, your data is secure and is encrypted again once stored on the platform. Therefore, even if the physical servers were stolen, your data could not be read. This also means it could not be shared with someone else on the grounds of national security, e.g. the US Patriot Act. However, the encryption and storage of data must also account for data residency.

Data residency

Data residency, or data localisation, is the location where the data is stored. This means the country where the data is physically held. The data is therefore liable to the data protection regulations for that country.

Cross-country collaboration on projects is achievable through cloud platforms, so long as wherever the physical data is, it’s being managed legally. Most public projects’ data mustn’t leave the soil of the home country. So, if you were to travel to the Middle East, data must not leave the premises of the client. The same applies for high-security installations. Therefore, the users need to ask not only whether the solution is available in a public or private cloud, but also ask about its physical storage location.

Interoperability

Having access to high-quality data can make a substantial difference in how efficiently and quickly a project is delivered, thus creating value.

Therefore, the software should ensure interoperability of data. It should also give users the choice to use the tools they need and want.

Unfortunately, this process is hampered by proprietary data silos. Ideally, particularly at the design and construction stages, project data should be accessible to all and then held by the data owner in an open format. This means information for that particular project remains at the discretion of the data owner but can be easily transferred as and when needed in the future.

Check what file types your cloud provider supports to ensure you are not locked in. The vendor should be supporting more than IFC file formats.

Who is responsible for the integrity in the data accessed by external parties? Is the party hosting the platform responsible for misuse of the platform and data in it? – May Winfield, Buro Happold

Data corruption

Imagine you have applied all the steps above only to find that the data has corrupted. Before you start producing and storing data ensure that you have the correct level of anti-virus software installed.

To ensure everyone with data access is taking the necessary steps to keep it safe, educative measures on data corruption should be mandatory. This should be accompanied by the aforementioned policies to ensure compliance and minimise risk.

Data backups

All data should be backed up and encrypted. In the event of an incident such as a power outage, the data should be stored securely and the cloud platform provider should have appropriate disaster recovery procedures in place.

Using a cloud platform means all data is backed up and encrypted in multiple locations, so it can be recovered in the case of a disaster. A public cloud provider, such as Amazon Web Services, has above 99.99% uptime and 100% data reliability, which means the data will always be available.

For additional reassurance, your IT department may want to keep a physical backup. This is not as reliable or secure as a cloud platform, so ensure the correct levels of security are in place and the data is encrypted should the backup be stolen.

Archival suitability

The power of BIM is the digital asset outcome that assists the property owner in maintaining the building for 50 or even 100 years. With technology’s pace of change, consideration should be given to how suitable the system is for long-term archival purposes.

Opting for an open source platform such as 3D Repo means that the software can be accessed in 10, 20 or even 100 years.  

Audit trail

The benefit of using a cloud platform is that it provides a full audit trail, whenever you need it. An audit trail shows transparency and accountability, making it possible to return to any revisions if needed and giving reassurance to all stakeholders.

Being able to verify the legitimacy of data is imperative, particularly if you are put in a challenging situation. Therefore, you should understand how the audit trail of your data is being managed by your provider: for instance, can they tamper with the records?

Legal proof of change

Another reason for ensuring an accurate audit trail is for legal proof of change. It is essential that you can provide proof of any changes made, and by whom, at any time. Not doing so may result in legal liability and a financial claim.

Question whether your cloud provider can reliably detect changes in your BIM data. The ideal scenario is to ensure all changes are detected as 3D models are passed between project teams and alternating software. A solution to this is 3D Diff, a web-based, real-time change detection software for 3D construction models. It is currently the only cloud-based solution that works in real-time, via an encrypted web browser. Changes can be called up at any point and can be used in court if required.

A note on risk and contractual obligations

On speaking with construction technology legal specialist, May Winfield, she noted that the very benefits of cloud computing to facilitate more collaborative connections – with decisions and actions made based on this connected information – bring a variety of potential misunderstandings, new obligations and/or liabilities and risks. 

For example, who is responsible for the integrity (and errors or corruption) in the data accessed by external parties? Is the party hosting the platform responsible for misuse of the platform and data in it? What obligations do parties accessing platform have to the hosting party, for example in the use and access by their employees and sub-consultants? Are there particular contract terms that restrict which cloud platform can be used, e.g. contract terms limiting the location of the data to certain countries or locations? 

These examples illustrate the importance of clarity in both documentation and risk management processes (including appropriate records and backups), as well as an open discussion between parties, to ensure there is an understanding of how the data is and should be handled, and where liability and risks lie if something goes wrong.

Getting it right first time

There are numerous factors to consider but once your platform is set up correctly, and users understand the importance of protecting data, it can become a seamless operation, transferred from one project to another.

Although this guidance is intended to help, it is always advised that legal advice is sought. Every situation is different and the investment in time and effort in the beginning will contribute to a successful and legitimate outcome.

This article does not constitute legal advice; professional advice should be sought on any specific issues and matters.

Image: 92218641 © Jurij Boiko | Dreamstime.com