FAQs - Data protection and privacy
15 July 2022
5 min read

Is it ok to use software as a service (SaaS)? What do I need to know about data security?

Software as a service (SaaS) arrangements are quickly overtaking traditional on-premises software licensing for many businesses. Some say they already have.

SaaS infrastructure (sometimes referred to as ‘cloud-based’ software) is often provided by a large supplier in a one-to-many model. Some big names include Amazon Web Services (AWS) and Azure. The scale of their operations means solutions can be offered by the software provider to multiple customers in a cost-effective and economical way. Fees are usually subscription or volume based.

Why would customers choose SaaS?

For the customer, advantages include quick start-up, scalability and flexibility as to device and location. Access to the provider's disaster recovery arrangements can also be an important benefit.

Are there disadvantages?

This model does depend on acceptable and reliable internet connectivity. Other business risks include service availability, service levels and data security. Service customisation is often limited.

These risks differ from those in the on-premises model, where the concerns were around configuration, implementation and acceptance.

The deal is usually on the provider's standard terms and conditions and is often 'take it or leave it', except for the very largest customers.

Can risks be managed?

Service availability and service levels can be locked down in the SaaS procurement contract, and the contract can provide recompense for any defaults – for example through service credits.

For healthcare providers in particular, risks around data security could be a deal breaker, depending on the amount and type of personal information that will be being used in the solution.

If you are considering using SaaS, you need to be satisfied of the supplier's standing and reputation. You would also be looking for certain warranties from the supplier about:

  • its intellectual property,
  • the stability of the platform,
  • that it is hosted on servers located in Australia,
  • its penetration testing and vulnerability scans,
  • its ongoing support and maintenance and the extraction of data to be returned to the customer, and
  • deletion of customer data from its systems at the end of the relationship.

The SaaS terms must document an agreed action plan in the event of a data breach. At a minimum it needs to acknowledge the requirements of the Privacy Act 1988 (Cth), for example that the supplier will report and provide an action plan to the client within 24 hours of any suspected data breach in relation to its platform, and that the parties will work together in good faith in assessing, mitigating, remediating and, if necessary, reporting the data breach as required by the data breach notification provisions of the Privacy Act 1988 (Cth).

About the Author

Justin Fung is a lawyer and the Head of Commercial and Corporate in our Avant Law team. Justin has over 15 years’ experience advising in commercial, corporate, risk, compliance, governance, regulatory enforcement and dispute resolution and advises clients in the private and public sectors. He was previously General Counsel of a national allied health group of companies and held Group and Divisional Head of Legal roles in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. Prior to these in-house legal roles, Justin was an Executive Counsel with the global law firm Herbert Smith Freehills where he practiced for over 10 years.

Disclaimer: The information in this article is general in nature and is current to 15 July. It does not take into account individual circumstances and is not professional legal, financial or taxation advice. Avant Law provides legal services. It does not provide taxation or financial advisory services.

Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme.