All government related data from state and central departments residing in cloud storage networks should be located servers in India and not in foreign countries, the Ministry of Electronics & Information Technology (MEITY) said in its latest set of guidelines. These guidelines must be followed by cloud service providers, every time they sign a contract with a government entity for data storage.

The new guidelines specify that any company looking to offer cloud services to government entities will first need to go through rigorous Standardisation Testing and Quality Certification (STQC) which is issued by the MEITY itself.  STQC testing for cloud storage companies specifies certain benchmarks, standard encryptions techniques etc. to ensure that sensitive data being stored on the cloud is safe.  As of now,

As of now, MEITY has certified 11 companies that can provide cloud solution to government departments. These include Microsoft, HP, IBM India, Tata Communications, Bharat Sanchar Nigam Limited (BSNL), Net Magic IT Services, Sify Technologies and CtrlS Data Centers.

Additionally, the cloud provider must agree to all requests from law enforcement entities. “The onus shall be on the Service Provider to perform all due diligence before releasing any such information to any such law enforcement agency,” the guideline added.

Contract clauses for agreements for cloud providers

Apart from this, MEITY has specified certain contractual terms that may be included in the agreements between the cloud service provider and government entity:

– Central search system for govt: The cloud provider should place an “e-discovery” system to allow search and retrieval of data stored in the cloud. This system can be accessed only by a government entity “in the context of or criminal cases/proceedings or investigation,” MEITY said. This could mean a dashboard with an inbuilt search system that can be accessible to the government entity only.
Encryption for sensitive data: A clause that mandates data encryption as a “standard security process” for all sensitive and confidential data maintained by the government in the cloud.
Prior notification for foreign companies requesting data: MEITY added that the agreement can mandate the cloud provider to notify all instances of security breaches, intrusions, and requests from foreign government agencies for access to data stored in the cloud. Any unauthorized access by employees of either partygovernment or cloud providershould also be reported to it.
– Cloud provider should ensure the security of government data: The cloud solution provider must treat information passed on to them “as classified”. Information stored on the cloud should not be published or advertised by the cloud provider to any person or organization without permission from the government entity.

ReadGuidelines for Government Departments On Contractual Terms Related to Cloud Services (pdf)