Developers of New Zealand's code of practice for cloud computing have suggested a "multi-tiered" approach, whereby it will be compulsory to make disclosures on some factors of cloud-computing operations, such as security and privacy controls, while information on other factors can be voluntarily supplied to gain a higher grade of compliance.

The code is currently seen as voluntary, with compliance to be obtained by simple disclosure rather than active auditing of the truth of the statements made; but the current consultation draft does not rule out future evolution of the code, possibly to a stricter form.

A consultation document was issued on December 23 following country-wide workshops and a survey of attendees. In the survey, 23 percent of respondents thought third-party assessment would be needed. Another 29 percent were in favour of self-assessment with random independent audits being held of a small proportion of providers.

The public have until Friday January 27 to respond to the consultation document, although late submissions will be accepted at the discretion of the New Zealand Computer Society, which is coordinating the development of the code.

The 10 factors thought to be essential elements for disclosure are:

the identity of the company

who owns the data stored -- the provider or the client

security

geographical data location

diversity of location

access to data, both during the service's operation and after any failure of the company

backup and maintenance

service level and support undertakings

a warranty of the provider's competence to supply the services advertised

privacy policies.

Seven additional suggested factors that can be specified for higher grades of compliance are:

enhanced security

data transportability and migration

dependencies on upstream service providers and steps to be taken should these providers fail

business continuity provisions

human resources policies

data formats used

"disclosure of jurisdictions that are relevant to the service being supplied"