Embed Size (px)
Citation preview
InterPARESTrustProjectReport
Titleandcode:
TheimpactoftheItalianlegalframeworkforcloudcomputingonelectronicrecordkeepinganddigitalpreservationsystem-EU35
Documenttype: Finalreport
Status: FinalVersion
Version: 1
Researchdomain: Legal
Datesubmitted: January10,2018
Lastreviewed:
Author: InterPARESTrustProject
Writer(s): Stefano Allegrezza, Gabriele Bezzi, Maria Mata Caravaca,MariaGuercio,IlariaPescini,BrizioTommasi
Researchteam: EuropeanTeam
Page 2 of 11
DocumentControlVersionhistoryVersion Date By Versionnotes1 2017/12/12 MariaGuercio 2 2018/01/02 Revisionbytheotherauthors3 2018/01/05 MariaGuercio 4 2018/01/07 Revisionbytheotherauthors5 2018/01/10 MariaGuercio Finalversion
Page 3 of 11
TableofContentsAbstractorExecutiveSummary...................................................................................4
Researchteam.............................................................................................................4
Background..................................................................................................................4
Researchquestions......................................................................................................4
AimsandObjectives/Goals..........................................................................................4
Methodology...............................................................................................................5
Findings.......................................................................................................................5
Conclusions................................................................................................................10
References.................................................................................................................11
Page 4 of 11
AbstractorExecutiveSummaryTheproposalanalysestherecentItalianlegislationandpoliciesforalargeuseofcloudcomputingservicesinthepublicsectorandintendstoassesstheirpeculiaritiesagainstthecrucialrequirementsidentifiedatnationalandinternationallevelsforqualifiedrecordkeepinganddigitalpreservationsystems.ToassesstheItalianlegalframeworkandthecommonpractice(basedonfourcasestudies)theteamadoptedthechecklistdevelopedwithiniTrustforanalyzingcloudservicescontracts(StudyNA14)andtesteditin4casestudies.Thewholestudyisrelatedtotheobjectiveno.3ofInterPARESTrustproject.
TheimpactoftheItalianlegalframeworkforcloudcomputingonelectronicrecordkeepinganddigitalpreservationsystem-Code35
ResearchteamLeadResearcher:MariaGuercioProjectResearchers:StefanoAllegrezza,GabrieleBezzi,MariaMataCaravaca,IlariaPescini,BrizioTommasiWithinInterPARESteamtheinstitutionsinvolvedare:Digilab,RegioneToscanaandRegioneEmiliaRomagna,ICCROM,ConsobandtheUniversityofUdine.
BackgroundTheprojectanalysestherecentItalianlegislationandpoliciesforthelargeuseofcloudcomputingservicesinthepublicsectorandtakesintoaccounttheoutputsachievedbyotherI-TruststudiesandspecificallyCloudContractsChecklist(CodeNA14).
ResearchquestionsTheresearchquestionatthebasisofthestudyconcernstheobjectiveno.3ofI-Trustproject:“Whatsignificancedonational/culturalcontexthaveontrustindigitalrecords”.Thequestionsinvolvedinthestudyconcern:
− therelationoftheItalianrecommendationsforcloudcomputingwiththerelevantandconsolidatedprinciplesrecognizedatinternationallevelandadoptedbytheItalianlegislationinthefieldofrecordkeepingsystemanddigitalpreservation;
Page 5 of 11
− theusefulnessofthechecklistdevelopedbyInterPARES–Trustprojectatnationallevel.
AimsandObjectives/GoalsTheproposalintendstoverify–againstachecklistalreadydevelopedbyInterPARESTrustresearchers–thelevelofcontrolalreadyinplaceaccordingtotheItalianlegislationandpoliciesinadoptingcloudservices.Asecondgoalconcernstheanalysisofthecommonpracticeinfourdifferentcasestudiesrelatedtotheapplicationofcloudservices.ThreeofthemconcernItalianpublicsector,whileathirdoneisrelatedtoICCROM,aninternationalbody.
MethodologyTheresearchersadoptedtwotypesofactions:asurveyoftheItalianlegislationandpoliciesconductedonthebasisoftheCloudContractsChecklist(CodeNA14)andtheassessment(againstthechecklist)ofthreecasestudiesofinstitutionswherecloudserviceshavebeenalreadyimplementedforsomespecificareas.ThesurveyusestheanalysisalreadydevelopedinthepreviousprojectEU4(Policiesforrecordkeepinganddigitalpreservation.Recommendationsforanalysisandassessmentservices)
Findings
1. StateofartandlegalframeworksinItalyonrecordkeepingandpreservationsystemsplayedwithcloudservices
Asalreadymentionedinthedescriptionofthemethodology,thesurveystartedwiththeconclusionofthepreviousstudydedicatedtotheanalysisofthelegalframeworkforrecordkeepinganddigitalpreservationinItalywhereaspecificlegislation“abletoproviderulesforgoverningcloudsystems(atleastforthepublicadministration)isnotyetinplace,butthegeneralframeworkforelectronicrecordskeepingsystemsanddigitalpreservationsystems(andalsoforthepubliccontracts)isconsistentenoughtosupportfuturerisksincloudenvironment”. Becauseofthelackofadedicatedlegislationoncloudservicesforpublicadministrations,theresearchershaveidentifiedalistofrulesandpoliciesusefulatdifferentlevelsfordescribingtheframeworktoconsiderwhenrecordkeepingandpreservationfunctionsareimplementedascloudservices.Forthispurpose,variouscategoriesofrulesarerelevant,allofthemconsistentwiththeguidelinesapprovedin
Page 6 of 11
EuropewithintheprojectCloudforEurope(www.agid.gov.it/cloudforeurope)whichusespre-commercialprocurementasaninstrumentforpublicsectorinnovation1:
a. specificpolicies,recommendationsandguidelinesfocusedontheuseofcloudcomputinginthepublicsector(withoutreferencetotherecordkeepingandpreservationsystems):Raccomandazioneepropostesull’utilizzodelcloudcomputingnellapubblicaamministrazione,DigitPA,2012,www.agid.gov.it/agenda-digitale/infrastrutture-architetture/cloud-computing;Caratterizzazionedeisistemicloudperlapubblicaamministrazione,Agid,2013,www.agid.gov.it/notizie/2013/10/16/linee-guida-le-soluzioni-cloud-spc.Manyobligationsarepartofthegenerallegislationonpublicprocurement(decreeofthePresidentofRepublic207/2010).AtthemomenttheserulesimplythatthestoragefordigitalpreservationmustbelocatedinItalytoallowauditbynationalauthorities(Agid).Newregulationsareunderdevelopmentandseemtoconsiderthepossibilityoflocatingthemainsystemoutsidethenationalterritoryifatleast‘acopy’oftherecords/informationiskeptinItaly(draftoftheCodeforDigitalAdministration,2017).Nationalplans(suchasthedigitalAgendaplan2017-2020:Three-Year Plan For Ict In Public Administration 2017 - 2019 https://pianotriennale-ict.readthedocs.io/en/latest/)definepolicyandstrategicprogramswhichcouldberelevantfordefiningframeworksandrequirementsforcloudcomputing.MorespecificallythedigitalAgendaapprovedin2017definesapolicyforregionalizationofdatacentersinthepublicsector:asmallnumberofnationaldatacentersandpreservationcenterswillbeidentifiedattheendoftheproject(December2018)andwillbeabletosupportthepublicservicesdeliveredincloudsystems.TheCentralArchivesoftheStateandpublicpreservationcenterssuchasthosedevelopedbysomeRegionswillbealsoincludedinthislist.TheAgendaandspecificprojectincludealsotherealizationofaprivatecloudforpublicadministrationsdataandrecords.FromageneralpointofviewtheAgendaincludesalsoanewperspectivefortheuseofcloudcomputinginItalyandamodelinthepublicsector(SPCCloudTender)whosecharacteristicswillbeconsideredindetailingthecomplianceofthenationalsystemwiththeiTrustchecklist.ThePlanwilldevelopalongthreemaindirections:
− thereorganisationofthepublicadministrationdatacentresthroughrationalisationwork,bothtoreducemanagementcostsandadaptandincreasethequalityofservicesofferedtopublicadministrations,includingintermsofbusinesscontinuity,disasterrecoveryandenergyefficiency;
1TheproblemsrelatedtotheprocurementareverycomplexinEuropeandevenmoreinItaly.Itwillnotbeanalyzedindetailsinthisreport,butonlywithreferencetothechecklistspecificrequirements.
Page 7 of 11
− theimplementationofthePAcloud,enablingvirtualisationofthemachineryofallpublicadministrations,withsignificantmaintenanceandcostmanagementbenefits.CloudserviceswillbeofferedinIaaS(InfrastructureasaService)PaaS(PlatformasaService)andSaaS(SoftwareasaService)modes;
− therationalisationofpublicadministrationconnectivitycostsandtheincreaseinthespreadofconnectivityinpublicplacesforthebenefitofcitizens.
ThePlanhastheaimtoCreateaPAcloudenvironment,homogeneousfromthecontractualandtechnologicalpointofview,byretraininginternalresourcesexistinginPAsorbyresortingtoresourcesofqualifiedexternalparties,withtheuseofpublicandprivatecloudforstorageandcomputingandthesystematicadoptionofthecloudparadigm.
b. Themainpartofthelegislation(intheformofacts,regulationsandguidelines)concerningcloudservicesforRKSanddigitalpreservationexistsinareasnotdirectlyrelatedtocloudcomputing.Morespecifically,therulesarepresentinthegenerallegislationrelatedonprocurementandtendersforthepublicsector,whileanewareaforauditandcontrolisunderdevelopmentthankstotheinitiativeofANAC–NationalAuthorityforTransparencyandAccountability.Therulesinquestionsinclude:thelegislationonrecordkeepingsystems(decreeofPresidentofRepublic445/2000andrelatedregulationsapprovedwithadecreeofPrimeMinister3December2013);thelegislationondigitalpreservation(CodeofDigitalAdministrationapprovedwithalegislativedecree82/2005andcontinuouslyupdated)anditsregulationapprovedwithanotherdecreeofPrimeMinister3December2013);guidelinesadoptedbyAgidwithspecificreferencetoauditandcertificationofdigitalrepositories(circolare65/2014,Accreditamentodeisoggettipubblicieprivatichesvolgonoattivitàdiconservazionedeidocumentiinformaticipercontoterzi,Requisitidiqualitàesicurezzaperl’accreditamentoelavigilanza,www.agid.gov.it/sites/default/files/documentazione/requisiti_di_qualita_e_sicurezza_v.1.1.pdfandLineeguidaperlaconservazionedeidocumentiinformatici,www.agid.gov.it/sites/default/files/linee_guida/la_conservazione_dei_documenti_informatici_rev_def.pdf).
2. ThecomparisonwithiTrustchecklist OnthebasisofthepreviousanalysisoftheItalianlegislation,thechecklistadoptedbyiTrustwastheframeworkforassessingthefragmentedandcomplexItalianlegislationoncurrentcloudservicecontractsfromarecordsmanagement,archival,andlegalperspective.Becauseofthecomprehensivenatureofthechecklist,notallthequestionsthereincludedarerelevantperseorcouldplayameaningfulroleforthespecificcasestudieschoseninthepartofthereport(suchasthosefocusedonthedefinitionof
Page 8 of 11
individualagreements),buttheteamhasconsideredtheusefulnessofthechecklistbytakingintoaccounttheItaliangeneral.Forthisreason,thechecklistwashereusedasalistofcrucialquestionstobeconsideredandansweredfirstofallbyanalyzingthenationalframeworkandsecondlyineachchecklistarea(1.Agreement,2.Dataownershipanduse,3.Availability,retrievalanduse,4.Datastorageandpreservation,5.Dataretentionanddisposition,6.Security,confidentialityandprivacy,7.Datalocationandcross-borderdataflowsand8.Endofservice–contracttermination).TheItalianlegislationdoesnotconsiderallthesequestionsandforthisreasontheteamhadtoadaptthechecklistor,better,tolimittheelementsofthechecklisttocomparewiththepresentnationalframework.Thereportincludesthemainfindingfromthiscomparison:
1. Agreement2. Dataownershipanduse3. Availability,retrievalanduse4. Datastorageandpreservation5. Dataretentionanddisposition6. Security,confidentialityandprivacy7. Datalocationandcross-borderdataflows8. Endofservice–contracttermination
1. Agreement AllthequestionsinvolvedareruledintheItalianlegislationby
theregulationondigitalpreservation(decree3.12.2013whichstatestheobligationofspecificagreementforanyservicesrelatedtothedigitalarchivinginthepublicsector,butalsoincaseofprivaterecords;thedecreeinquestionimpliesthedefinitionofaveryspecificanddetailedmanualwhichincludesresponsibilities,termsofservices,levelofinteroperability,etc.TheAgencyinchargewiththecontrol,Agid,hasdefinedaprototype(seetheindexinappendix)foralltherepositorieswhichrequirecertificationandintendtopreservepublicrecords
2. Dataownershipanduse
Alsointhiscasetheregulationmentionedatpoint1isquiteinclusiveandprecise:agreementsmustbeinplace;theownershipiswelldefinedbythegeneralItalianlegislation;thetechnicalissuesareregulatedindetailsonlywhenpublicdataandrecordsarepreservedbythirdparties.InthiscaseAgidpoliciesandguidelinesareverystrictandallthecrucialaspectsareconsideredincompliancewithstandardsOAISandISO16363.Withreferencetothemetadataissues(forinteroperability,butalsoforaccessandforprivacy)havebeenidentifiedintherulesforrecordkeeping(decree445/2000;decree3.12.2013)andinthelegislationdedicatedtothecreationofelectronicrecords(CodeofDigitalAdministration
Page 9 of 11
andregulation13.11.2014).Anationalstandardisalsoinplaceforensuringinteroperability,evenifthisstandard(UniSincro)hastoomanyareasnotwelldetailed.
3. Availability,retrievalanduse
Thisareaisgenerallypresentinthemanualsandthereisspecificobligationforalltherepositoriesaskingforaccreditation,butthereisnoevidence,atthemoment,oftheircompliancewiththerequirementsincludedinthechecklist.Thelegalterminthenationallegislation“esibizione”isclearlydefinedintheregulationsandisalwayshandledbytheformalmanuals
4. Datastorageandpreservation
Alltherepositoriescertifiedastrustedrepositoriesagainstthespecificlegislationmustbecompliantwithalltherelevantstandardsforsecurityandpreservation;becauseoftheobligatorycompliancewithOAISandISO16363alltherelevantquestionsrelatedtotheauthenticityandintegrityandtheirdocumentationandevidenceareincludedinthefundamentalrequirementstherepositorieshavetomeet
5. Dataretentionanddisposition
ThissectorhasbeenregulatedbytheNationalArchives(circulars40and41/2015butalsodecree445/2000)incompliancewiththegeneralarchivallegislation(Codicedeibeniculturali).Thecontrolsareverystrictforthepublicsector.
6. Security,confidentialityandprivacy
Alltherequirementsarepartofthegeneralobligationsoftherepositoriesinchargeofkeepingpublicrecords.However,somespecificrulesimplythecapacityoftherecordscreatorstobeactiveincontrollingandassessingthequalityoftheservice.Manycreators(suchasthemunicipalitiesandlocalauthorities)havenotechnicalcapacityforaproactivecontroloftheserequirements.Theprivacysector(6.3)isstrictlyruledaccordingtotheItalianandEuropeanlegislation.Aspecialagencyhasapowerfulcapacityofcontrollingtherespectoftherulesinplace.Accreditationandauditing(6.4)areverywelldefinedwithreferencetothedigitalrecordscreatedbythepublicadministration.SeethecircularsandtheguidelinesadoptedbyAgidandmentionedinthepreviouspartofthisreport:circolare65/2014,Accreditamentodeisoggettipubblicieprivatichesvolgonoattivitàdiconservazionedeidocumentiinformaticipercontoterzi,Requisitidiqualitàesicurezzaperl’accreditamentoelavigilanza,www.agid.gov.it/sites/default/files/documentazione/requisiti_di_qualita_e_sicurezza_v.1.1.pdfandLineeguidaperlaconservazionedeidocumentiinformatici,www.agid.gov.it/sites/default/files/linee_guida/la_conservazi
Page 10 of 11
one_dei_documenti_informatici_rev_def.pdf).7. Datalocation
andcross-borderdataflows
Atthemoment,asalreadymentionedinthereport,thelocationofdatamustincludeonlythenationalboundaries.Inthenewstrategicplanunderdevelopmentanewrule(notyetclarified)seemstoallowforaninternationaldatalocationwiththeconditionthatatleastonecopymustberetainedinItaly
8. Endofservice–contracttermination
ThisissueisexplicitlyruledInthelegislationandonthisbasismustbedefinedineachspecificagreement.Itisnotcleariftherulesaresufficientlyconvincing.
3. ThecasestudiesAsmentionedearlier,theframeworkhasbeenconsideredusefulforassessingsomespecificcasesandagreements.Ofcourse,whentheframeworkisadoptedtoanalyzesingleandveryspecificsituationsandcontractsmanyissuesarenotrelevantorapplicable.Thecasestudiesherepresentedconcern:
− RegioneEmiliaRomagna(annex1):thecontractfortheuseincloudofOffice365andtheagreementforlong-termdigitalpreservationservices;
− RegioneToscana(annex2):thecontractsimplementedfortheToscanacommunityinrelationtotheuseoftheprivatecloudcomputingsystemTIXanditsrelatedICTservices;
− UniversityofUdine(annex3):thecontracttouseMicrosoftAzureVirtualMachineservicestoexecutemachinelearningsolutions;
− ICCROM(annex4):thecontractsignedtouseAzure,theMicrosoftcloudservice,requiredforsupportingtheproprietaryfinancialaccountingsystemSAP.
Allthecasestudies,evenifrelatedtodifferentareasandtypesofservices,testifythesamekindofcriticalities:averylimitedattentionfortherisksofrecords,ofauthenticityandintegrityoftheinformationinvolvedintheservices.Whenstandardcontractsareinplacethemainissuesarerelatedtothecontractual/commercialaspectsandlegalrestriction(suchaspricing,andpayment,renewal,agreementterm,terminationandsuspension,warranties,claims,limitationsofliability,obligations).Thetechnicalstorageisalsoconsideredfromaverylimitedpointofview:datalocation,security,confidentialityandprivacyarethebasicaspectsundercontrol.TheonlyexceptionhasbeentheagreementapprovedbyRegioneEmiliaRomagnaforitsdigitalpreservationservice,wherethenatureofthefunctionhasimpliedaseriousattentionforthearchivalaspectsandhasprovedtheusefulnessoftheiTrustchecklist.
Conclusions
Page 11 of 11
Theprojectworkanditsfindingstestify(frommanypointsofview)theneedforamorepreciseanddetailedeffortwhencloudservicesareinplace.Italsoconfirmstherelevanceofacommonchecklisttoanalyzecomplexfunctions.Theinternationalnatureofthechecklistwasnotanegativeaspectandcouldbeeasilyappliedtothenationalenvironment.Thecomparisonwasveryfruitfulwhenspecificallyreferredtotherecordkeepinganddigitalpreservationdimension.Ontheopposite,whenusedfortheexamofcontractsnotspecificallyrelatedtotherecordkeepingorwhentheofficersinplacedidnotpayattentiontotheseaspectsindevelopingcloudsystemsandacceptstandardno-negotiatedcontracts,thechecklistseemsmute:theresearchershaddifficultiesindescribingthelackofattention.Nevertheless,alsointhiscasetheexercisewasusefulbecauseitmakesexplicittherelevantrisksinplacewhenrecordmanagersorarchivistsarenotconsultedandthelackofawarenessoftheothersectorsintheorganizations,evenwhentheyareusedtobecompliantwitharchivalstandards.
References
M.Guercio,TheItaliancase:legalframeworkandgoodpracticesfordigitalpreservation,inCULTURALHERITAGEonline–“Trusteddigitalrepositories&trustedprofessionals.Firenze11-12December2013,Firenze,2013,
EU4(Policiesforrecordkeepinganddigitalpreservation.Recommendationsforanalysisandassessmentservices)
ForumPA,CloudComputing,qualiscenariperlaPubblicaAmministrazione,28aprile2011http://www.forumpa.it/cloud-computing-quali-scenari-per-la-pubblica-amministrazione-on-line-gli-atti
I-TrustChecklistforCloudServiceContracts,finalversion,2016
ISO/TC46/SC!!Callforexpert(s)-WG17CloudinRecords–Preliminaryworkitem(TR)–ISO/WI/DTR–Informationanddocumentation–Recordsmanagementincloud:issuesandconcernes,2016
NISTCloudComputingProgram,CloudcomputingandaccessibilityconsiderationsR.B.Bhon,JTobiaseds),2016,https://www.nist.gov/programs-projects/nist-cloud-computing-program-nccp
