Morocco: Cloud in Public Sector

The Security of the IT System Department ("DGSSI") within the Ministry of Defence is the government agency responsible for providing information systems, determining approved policy and standards of the IT systems of the public sector, and authorizing and certifying electronic services’ compliance with its security measures.

Cloud services are permitted. However, certain processes may need to be followed and certain requirements may need to be met prior to migrating to cloud services (see below).

A move to cloud services would require consideration of a number of regulatory regimes.

A public sector body must ensure that when it contracts for information, communication, and technology services, it does so in a manner that is fair, equitable, transparent, cost-effective, and competitive.¹ This will ordinarily mean that a public sector body cannot contract directly with a supplier, but must follow a competitive public tender process. It may be possible to deviate from a competitive public tender process and approach a supplier directly in circumstances where, for example, the procurement is urgent, takes place in emergency circumstances, or involves a sole supplier.²

Any citizen is authorized to access information held by the public administration, elected institutions and organisms in charge of public services.³ As a result, it is obliged to make information publicly accessible to allow the public to participate in government processes. The public has the right of access to records of public sector bodies and the information officer of public sector bodies must consider the request and, where it is granted make the documents available within 15 days of the request being made.⁴ Public sector bodies may be faced with requests for a significant number of records. Storage of information on the cloud can ensure that all information held by the public body is accessible, searchable, and easy to find with minimal effort to ensure that access to information requests can be addressed timeously. Microsoft's cloud solutions offer significant data storage capacity and multiple access channels to facilitate the achievement of Morocco's commitment to open data.

Furthermore, any public institution or infrastructure of vital importance⁵ should ensure compliance with the National Directive for the Security of Information Systems⁶ and Decree No. 2-15-712 dated 22 March 2016 laying down the plan for the protection of sensitive information systems of institutions of vital importance and ensure that its sensitive data⁷ is hosted in Morocco. The National Directive for the Security of Information Systems does not define what sensitive data refers to within the context of each institution. Accordingly, a data classification framework that is adopted by an institution and endorsed by the regulator is always recommended in order to define what “sensitive data” means to such institution and stay compliant with the National Directive for the Security of Information Systems. Indeed, each administrative body and public entity should implement the information security policy and must comply with the minimum information security standards policy approved by the DGSSI. Thus before making a decision to move data to the cloud, a public sector body should consider what types of data will be stored in the cloud, the manner in which the information will be stored (using private cloud infrastructure, including on-premises, or hyperscale cloud infrastructure) and whether the cloud service provider meets the relevant security requirements for the type of information that will be stored. Furthermore, regardless of its status of infrastructure, of vital importance and subject to specific exemptions⁸, any public sector body having recourse to encryption means or services is required to file a prior declaration or authorization⁹, as the case may be, before the General Direction for the Security of Information Systems.¹⁰

Under the Law No. 09-08 relating to the protection of individuals with respect to the processing of personal data (the "Law 09-08"), personal information may be transferred out of Morocco as long as the requirements of the Law 09-08 are met. Law 09-08¹¹ permits the transfer of personal information to a third party who is in a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in Law 09-08, or with prior authorization of the National Control Commission for the Protection of Personal Data (CNDP).

Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation which came into force in May 2018.