Jordan: Cloud in Public Sector

An Interactive Guide for Legal and Compliance Professionals

REGULATORY OVERVIEW

The public sector currently has a significant opportunity to enable active citizenship, increase efficiency of service delivery, and facilitate inclusive economic growth and transformation in a cost effective and secure manner. The Jordanian government is committed to improving the welfare of citizens and the basic services provided to them, to create a balanced society where opportunities are available to all and the gap between governorates is bridged placing Jordanian citizens at the heart of the development process. Success and failure are measured by the extent of the progress made at the level of individuals, and therefore the welfare of the community.[1]

Cloud services will be at the forefront of the government's digital transformation. The cloud can provide cost-effective access to unprecedented power and to rapid processing and analysis of vast quantities of data to produce actionable results, insights and better decision-making. Easily accessible data storage and multiple access and communication channels provide a modern, consistent and seamless experience for officials as well as the public, facilitating public participation and co-operative governance and inter-departmental collaboration and broadening social inclusion. The cost optimisation, data security and potential for open government made possible by cloud services are far superior to manual paper-based processes.

For the public sector, it is crucial to ensure that the move to the cloud complies with applicable regulations.

MICROSOFT'S COMMITMENT TO THE JORDANIAN PUBLIC SECTOR

Having globally and regionally helped a number of public sector customers find ways of optimising government functions in the technology space by moving to the cloud, Microsoft recognizes that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the public sector customer. Through this process of collaboration over a number of years, Microsoft has developed excellent global and regional experience, and a pool of practical resources to help public sector customers move to the cloud in a way that meets the highest compliance, risk and security standards.

Microsoft is well-positioned to support our public sector customers in Jordan. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365 in the Middle East, offering enterprise-grade reliability and performance to our customers across the region.

In addition, our subject-matter experts are available to understand a customer's requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our public sector customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

There is presently no regulation applicable to the public sector in Jordan which specifically concerns cloud services. For the public sector, however, as referenced in this document, there are a number of laws that may be relevant to any decision to move to cloud services, both those that facilitate the use of cloud services and those that place constraints on the manner in which cloud services may be used.

  • The National Information Technology Centre (NITC) was established in 2003.[2] NITC is an independent government organization managed by a board of directors chaired by the Minister of Information and Communication Technology. The mission of NITC is to play the role of an executive authority for all subjects related to information technology in the public sector. NITC is responsible for issuing technical and operational specifications for information technology resources.

    Notwithstanding the provisions of the Deployment of Information Technology Resources in Government Organization Law, any governmental institution may prepare plans and programs related to information technology resources, and shall have the power to contract, in accordance with the applicable legislation, with any competent entity provided that they do not conflict with any national strategy, plans and programs (if any) in this regard.

    The government has recognized that information technology products and services are increasingly delivered via the Internet and other advanced telecommunications networks. The combination of information technology and telecommunications offers a powerful tool for economic growth and societal development in Jordan. The government will take the necessary steps, where appropriate, to reduce or eliminate any legal impediments to the development and utilization of such new technologies.[3] The government directs the Ministry of Information and Communication Technology and the NITC to examine the use of new technologies, which will include cloud computing, on an ongoing basis in order to facilitate the provision of e-government services in a more efficient and cost-effective manner. The Ministry of Information and Communication Technology and the NITC shall take appropriate steps, as deemed necessary, to implement such new technologies as part of Jordan’s e-government roadmap.[4] Indications are that the government intends to use cloud services to expand government-owned storage capacity and to benefit from the data management and application services available in the cloud.[5]

  • In principle, cloud services are permitted; however, certain processes may need to be followed and certain requirements may need to be met before and after a move to cloud services (including those reflected below). A move to cloud services could facilitate the achievement of a number of government policy objectives and regulatory requirements relating to co-operative governance, public participation and procedural fairness, information security, service delivery, rational decision-making and administrative efficiency.

  • A move to cloud services would require consideration of a number of regulatory regimes.

    (i) Data Classification, and State Secrets and Documents

    The State Secrets and Documents Law No. 150 of 1971 (State Secrets Law) regulates the exchange of classified information between government entities, sets the procedural requirements for the transfer of each type of classified information and sets the standard of care.

    The State Secrets Law defines Secrets and Protected Documents to include ‘any oral information or any document that is written, or typed or that is recorded or typed on wax paper, or a recorder or recording tapes or photocopies or films or plans or drawings or maps or what is similar thereto and which are classified under the terms of this law’.[6]

    The State Secrets Law creates four distinct classes of information: Strictly Confidential, Confidential, Restricted and Ordinary.[7] It specifies procedural steps that mandate the use of envelopes and wax seals for the exchange of Strictly Confidential, Confidential and Restricted Information. Strictly Confidential Information should be kept in an iron safe-deposit vault.

    All information which is not Strictly Confidential, Confidential or Restricted is treated as Ordinary Information[8] and may be handled through electronic means and, by consequence, through the use of cloud computing by any ministry, department, governmental or private institution.

    Any exchange by electronic means of Ordinary information as per the State Secrets Law must ensure that the information:

    • is safeguarded.
    • is protected against tampering or loss.
    • is not disclosed to anyone other than those with an interest.

    The Jordanian Electronic Transaction Law No. 15 of 2015 provides that if the law requires that a document be kept for any reason, its retention in the form of an electronic record shall be considered as producing its legal effects provided that it satisfies the conditions stipulated in the law.[9]

    (ii) Access to information, transparency, and public participation

    In 2007 Jordan enacted the Law on Securing the Right to Information Access No. 47 of 2007. The law stipulates that an Information Council be established to oversee the provision of information.[10] The Council comprises officials from the Army, Ministry of Interior, Ministry of Justice, Commissioner General of Human Rights in Jordan, Director General of the National Information Technology Centre and others.

    The person requesting information must provide his or her name, address and any other information required by the Council.[11] A response is expected within 30 days,[12] and in case of rejection of the request, the decision must be justified and reasoned, noting that not responding to the request shall be considered a rejection.[13]

    There are several exceptions to disclosure.[14] These include but are not limited to: classified information about the country's foreign relations, state secrets, correspondence between governmental entities and foreign countries and organizations. The law does not identify what ‘classified’ information entails. Information about pending investigations and proposals to officials as well as information that could violate intellectual property rights or expose banking or medical records are also exempted.

    Public sector bodies may be faced with requests for a significant number of records. Storage of information on the cloud can ensure that information held by the public body is accessible, searchable and easy to find with minimal effort to ensure that access to information requests can be addressed timeously.

    Jordan is also a member of the global Open Government Partnership. As signatory to this partnership, and in accordance with commitment number (10) within Jordan’s Third National Plan 2016-2018, under the Open Government Partnership Initiative, the Jordanian government is committed to implementing an Open Government Data policy, through using technology to facilitate access to governmental information and increase transparency of government action. The Jordanian government seeks to facilitate access to data in the government’s possession unless it is considered confidential information or a violation of privacy. Such information shall be offered freely and at no cost to its users according to a set of clear and precise principles set out in the Open Government Data policy.[15]

    The Jordanian government aims to establish a set of stable policies in the area of access to information based on international best practices and standards. The government also aims to better manage how information is made available in the public sector, allowing citizens to access information of concern to them with little or no administrative or bureaucratic obstacles or legislative barriers.

    Microsoft's cloud solutions offer significant data storage capacity and multiple access channels to facilitate the achievement of Jordan's commitment to open data.

    (iii) Cyber security

    Each governmental department should set appropriate instructions and procedures to implement the national policies for the security and protection of information. These policies are considered to be the minimum standards for the security and protection of information practices in the department.

    National policies for the security and protection of information[16] are guidelines that define the frameworks, define roles and responsibilities, and identify the best practices and minimum obligations to be observed and implemented by employees and clients of government departments to ensure the security, integrity and availability of information circulating between government departments, citizens and public and private institutions alike.

    The National Information Assurance and Cyber Security Strategy (NIACSS) intends to secure the Internet cyberspace, and to provide a secure and trusted computing environment for all technology-related infrastructure throughout all identified national priorities. The NIACSS aims to augment the overall National Security Strategy (NSS) for Jordan. The main purpose of the NIACSS is to give structure, involve, and empower all concerned organizations to more effectively secure computer networks they own, operate, control, or with which they interact.

    The NIACSS applies to all information domains to achieve comprehensive information security in Jordan. The Strategy states that although the government is the developer of the Strategy, a successful implementation requires collaboration among all involved parties including government, international partners, and the private sector, and the strategies and policies developed by the private sector should augment, comply, and be consistent with this strategy.[17]

    (iv) Data Protection

    There is no specific data protection law in Jordan,[18] but certain laws refer to the requirement to keep certain information confidential.[19]

    (v) Public Procurement

    Procurement of cloud services for the public sector is likely to be subject to applicable public procurement regulation.

    Jordanian public procurement is governed by Procurement Regulation No. 32 of 1993 and the instructions Regulating Tendering Procedures and Participating Conditions No. 1 of 2008. Public works and services are governed by the Regulation of Government Works No. 71 of 1986. Certain contracting entities have in place specific regulations for the purpose of regulating their procurement exercises. These contracting entities only refer to the Procurement Regulation where there is a legislative void in the specific regulation being applied. The Procurement Regulation is applicable to all of the public entities whose budget is listed in the General Budget, the public entities that do not have specific regulations for public procurement, and any other department designated by the Cabinet.

    The transactions of purchasing supplies and storage for any Ministry, department, authority, or public official institution (Department) shall be carried out using electronic means through the:

    • use of the electronic system to manage, regulate and control the government stock, and
    • use of the electronic system to purchase supplies.[20]

    The concerned Minister shall issue the necessary instructions to implement the provisions of the law, including the following:

    • creation, preservation and issuance of electronic records, forms and documents;
    • electronic signature, authentication and relevant procedures; and
    • security, protection, confidentiality and integrity of electronic records and transactions.

    Article 14 permits direct procurement from a foreign supplier in any of the following cases, provided that the competent authority indicates the reasons for its decision:

    • If such supplies are not available in Jordan and cannot be purchased by correspondence.
    • If the procuring entity determines that it is more beneficial to seek direct procurement.

    (vi) Co-operative Governance and Interoperability

    All spheres of government and all organs of state within each sphere are required to act in accordance with the principles of co-operative government. These include co-operating with one another in mutual trust and good faith by informing one another of and consulting one another on matters of common interest and co-ordinating their actions and legislation with one another so as to avoid wasteful duplication and to ensure coherent government and effective provision of services.

    The Implementation Plan (2016-2019) of the Ministry of Public Sector Development aims to enable sectors, ministries and government departments to focus on their core missions and responsibilities, develop and implement policies and procedures that reflect national priorities, ensure the optimal utilization of financial resources and focus on results. This is done by reviewing and developing the organizational structure of the public sector, improving public services, and developing human and financial resources based on the standards of excellence and tools that enhance accountability, transparency, decentralization and partnerships with the private sector and civil society organizations.

    The objective of one of the pillars of the Plan is to develop government services and simplify procedures via different initiatives and projects. One of these initiatives is providing government institutions with technical support in the field of services development, procedures re-engineering and revision of legislation that regulates service delivery in order to automate them in cooperation with e-government.

    A further pillar of the Plan tackles Government Streamlining by rationalizing the size of government apparatus, including ministries, institutions and government departments, in a way that ensures focusing on the core responsibilities of each sector, while eliminating overlap and duplication of roles and functions, as well as building organizational structures to enable government bodies to perform their roles and functions effectively and best utilize available resources.

    All of these obligations can be met cost effectively and comprehensively through the use of Microsoft cloud services.

  • There is no specific restriction on the transfer of personal information to a third party who is in a foreign country. Microsoft nonetheless holds itself accountable to and is subject to laws of general application applicable to information technology service providers, including security breach notification law, and has binding agreements. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation which came into force in May 2018.

    [1] Jordan 2025 (National Vision and Strategy)
    [2] In accordance with the temporary law titled 'Deployment of Information Technology Resources in Government Organization Law No. (81) of 2003'
    [3] Statement of Government Policy 2012 on The Communications, Information Technology and Postal Sectors (paragraph 19)
    [4] Statement of Government Policy 2012 on The Communications, Information Technology, and Postal Sectors (paragraph 122)
    [5] See draft of the General Policy issued by Ministry of Information and Communications Technology (MoICT) for the Information and Communication Technology Sectors and Postal Sector 2018 (the Policy) for comments in April 2018. MoICT also conducted two public workshops on the Policy between the 23rd and 25th April 2018 and is still receiving and considering comments on the draft.
    [6] Article 2 of the State Secrets Law No. 150 of the year 1971
    [7] Articles (3, 6, 8) of the State Secrets and Documents Law No. 150 of the year 1971
    [8] Article 10 of the State Secrets and Documents Law No. 150 of the year 1971
    [9] Article (8) of the Jordanian Electronic Transaction Law
    [10] Article 3 of the Law on Securing the Right to Information Access
    [11] Article 9/a of the Law on Securing the Right to Information Access
    [12] Article 9/c of the Law on Securing the Right to Information Access
    [13] Article 9/d of the Law on Securing the Right to Information Access
    [14] As outlined in Article 13
    [15] Paragraph 2.1 of the Open Government Data Policy
    [16] Prepared by the National Information Security Technical Committee (NISTC), and approved by the Prime Ministry
    [17] National Information Assurance and Cyber Security Strategy (NIACSS) of 2012
    [18] However, a draft Data Protection Law has been published by the Ministry of Information and Communications Technology for public comment. This indicates that data protection laws are being considered.
    [19] Including the Constitution of The Hashemite Kingdom of Jordan 1952
    [20] Under an amendment dated 2016 to the Procurement Regulation (Article 5 bis)

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.