Dr Jozef Doboš, CEO of 3D Repo, shares ten legal considerations for construction cloud computing, including cyber security.
During the past year, 46% of UK businesses have experienced cyber attacks or data breaches, according to the National Cyber Security Centre. Cloud platforms have been a huge benefit to construction professionals during the pandemic, allowing remote working across project teams. However, alongside the benefits of cloud computing are the legal ramifications. Here is a list of considerations and examples of best practice to enable you to work safely and legally on your cloud platform.
1. User management
This refers to those with the authority to give and revoke data access to a project. Best practice is to have a project administrator or access manager, who oversees access rights. This prevents access from being granted to somebody who may use the platform maliciously.
2. ICO compliance
Anyone with access to data in the UK must comply with the Information Commissioner’s Office (ICO). The organisation responsible for the data must be registered with the ICO. All organisations must have a data-handling policy that all employees or subcontractors are aware of.
If there is a breach, the organisation’s data protection officer must inform the ICO. This is likely to result in a significant fine and potential reputational damage.
3. Data security
Your cloud provider should always be certified, as required by international standards ISO 9001 quality management and ISO 27001 information security.
Data must always be encrypted. When logging on to the cloud, https:// should be displayed at the start of the URL, denoting an encrypted connection. When using digital platforms for Building Information Modelling (BIM) data and co-ordination in the cloud, such as 3D Repo, your data is secure and is encrypted again once stored on the platform. Therefore, even if the physical servers were stolen, your data could not be read. This also means it couldn’t be shared on the grounds of national security – for example, the US Patriot Act. However, data security must also account for data residency.
4. Data residency
Data residency, or data localisation, refers to the country where the data is physically held. The data is therefore subject to the data protection regulations of that country.
Cloud platforms make international collaboration easier, but the physical data must be managed legally. The data for most public projects must not leave the soil of the home country. The same applies for high-security installations. Check whether the solution is available in a public or private cloud and where it is physically located.
Having access to high-quality data can make a substantial difference in how efficiently a project is delivered. Therefore, the software should ensure data interoperability and enable users to use the tools of their choice.
Unfortunately, this process is hampered by proprietary data silos. Ideally, particularly at the design and construction stages, project data should be accessible to all and then held by the data owner in an open format. This means information for that project remains at the discretion of the data owner but can be easily transferred in the future.
Check what file types your cloud provider supports to ensure you are not locked in. The vendor should support more than IFC file formats.
6. Data corruption
Imagine you have applied all the steps above only to find that the data has been corrupted. Before you start producing and storing data, ensure that you have the correct level of anti-virus software installed.
Ensure everyone understands the mandatory steps for keeping data safe. This should be accompanied by the aforementioned policies to ensure compliance and minimise risk.
7. Data backups
All data should be backed up and encrypted. Using a cloud platform means all data is backed up and encrypted in multiple locations, so it can be recovered in the case of a disaster. A public cloud provider, such as Amazon Web Services (AWS), has 99.99% uptime and 100% data reliability, which means the data will always be available.
Ask your IT department to keep a physical backup. This is not as reliable or secure as a cloud platform, so ensure that the correct levels of security are in place and that the data is encrypted should the backup be stolen.
8. Archival suitability
The power of BIM is the digital asset outcome that assists the property owner in maintaining the building for 50 or even 100 years. With technology’s pace of change, consider how suitable the system is for long-term archival purposes.
Opting for an open-source platform (such as 3D Repo) means that the software can be accessed in 10, 20 or even 100 years.
9. Audit trail
Another benefit of using a cloud platform is that it provides a full audit trail. Verifying the legitimacy of data is imperative, particularly in a challenging situation. Understand how the audit trail of your data is being managed by your provider. For instance, can they tamper with the records?
10. Legal proof of change
An accurate audit trail is useful for legal proof of change. It is essential that you can provide proof of any changes made, and by whom, at any time. Not doing so may result in legal liability and a financial claim.
Question whether your cloud provider can reliably detect changes in your BIM data. Ideally, all changes should be detected as 3D models are passed between project teams and alternating software. One solution is 3D Diff, a web-based, real-time change detection software for 3D construction models. It is currently the only cloud-based solution that works in real time, via an encrypted web browser. Changes can be called up at any point and can be used in court if required.
There are numerous factors to consider, but once your platform is set up correctly, and users understand the importance of protecting data, it becomes a seamless process that can be transferred from one project to another.
Although this guidance is intended to help, legal professionals should always be consulted. Every situation is different, and the investment in time and effort in the beginning will contribute to a successful and legitimate outcome.
For more, visit 3drepo.com