No organisation has escaped unscathed by COVID-19. However, one sector that has been particularly affected is education, not least by a series of controversial UK government decisions on when to close and reopen schools, social distancing within the classroom, the calculation of GCSE and A-Level grades and, most recently, the return of students to university.
By now, everyone is familiar with the story of how university students were encouraged to move into student halls and begin attending lectures on their university campuses, despite concerns that this would create the perfect conditions for outbreaks of COVID-19 amongst student populations up and down the country.
Of course, the inevitable has now happened, and many students find themselves forcibly locked down in their halls and unable to attend in-person lectures and seminars, if indeed these are taking place at all. Universities are therefore having to rely heavily on remote online learning software and platforms in order to continue to deliver courses to students, amid calls for them to issue partial refunds of student tuition fees.
Prior to COVID-19, there had already been a steady increase in universities engaging cloud service providers to offer online services to students. With this trend only looking to grow over the coming months, we have taken a look at some of the key commercial issues that universities should be considering when seeking to procure online learning solutions from a cloud service provider.
Identify the solution that works best for you
Cloud services provide a number of benefits to universities, including:
- the ability for them to scale the service to suit their usage;
- the convenience of being able to access the services from anywhere and with any device, provided it has an internet connection;
- the savings made from not having to purchase and install expensive IT infrastructure;
- the fact that end users do not have to download or upgrade software in order to use the services;
- the outsourcing of many of the management functions of IT services to the cloud provider.
Cloud providers primarily offer three types of services, which are described in more detail below.
1. Software as a Service (SaaS)
SaaS delivers software applications to clients over the internet, for example, a learning management system or software that allows students to submit assignments electronically.
The applications are fully managed by the cloud provider, meaning clients do not have to worry about issues such as data, network availability, storage and support. The fact that the applications are delivered over the web means clients do not have to incur the expense of installing expensive IT infrastructure.
2. Platform as a Service (PaaS)
PaaS provides a framework or platform via the internet on which clients can design and make available their own software applications. For a university, PaaS can be used where it already has a number of applications which it uses to deliver services to students, but no operating system through which they can all be made available.
Just like SaaS, the cloud provider manages the platform, although PaaS gives the client more flexibility to customise the applications used on the platform.
3. Infrastructure as a Service (IaaS)
IaaS provides clients with access via the internet to hardware and other IT infrastructure such as servers, allowing clients to avoid the need to buy hardware outright and pay for such hardware on a consumption basis instead.
IaaS clients have some responsibilities with regard to the management of the hardware they receive as IaaS (for example, the applications and the data), but the cloud provider will still manage the servers, hard drives, networking, virtualization, and storage relating to such hardware.
For universities, a key concern will be the security and integrity of the vast amount of student personal data which is submitted, processed and stored via the cloud services.
Universities should establish whether the cloud provider is to have access to student personal data and, if so, what personal data this includes.
Where cloud providers are processing personal data, universities should assess:
- for what purposes the cloud provider will collect and process student personal data;
- what measures the cloud provider has in place in order to ensure student personal data is kept secure and not subject to loss and/or damage;
- where the cloud provider and its data servers are based – if this is outside the EEA then student personal data may not be given the same protections as under the GDPR and/or Data Protection Act 2018;
- what contractual protections are in place should the cloud provider commit a personal data breach;
- whether it needs to amend its own privacy notices in order to inform users that their data will be collected and processed by the cloud provider.
Service levels & support
Given the likelihood that many universities will not be able to deliver in-person lectures and seminars for the next few months, they will relying heavily on being able to deliver as much course content as possible (if not all) via e-learning cloud-based solutions.
It is therefore important that the contract with the cloud provider contains concrete commitments to:
- maintain service availability as often as possible;
- maintain a high level of performance, regardless of how many students are accessing the service at any one time; and
- ensure the services remain cyber-secure and free of viruses (etc.).
In connection with this, the university should agree how to resolve issues with the cloud provider and within what time frames. This could be set out in a service level agreement, with the potential for service credits to be imposed where the cloud provider fails to meet certain key service levels.
There will also need to be a support system in place for the services, where students and other users can report any issues with the services.
Depending on what levels of support are offered by the cloud provider, some universities may agree to provide first line support, with the cloud provider responsible for second line support where issues cannot be resolved by the university.
Of course, other universities will prefer to outsource all support functions to the cloud provider, where the time and expense of training university staff to resolve issues relating to the services is not worth the savings in support fees.
Use of branding and ownership of content
Universities should consider how the services are to be delivered/presented to students. Universities wanting to procure white labelled services from cloud providers will need to grant licences in their logos and trade marks in order for the software or platform to be delivered as if it was a “university” service.
However, universities should be mindful of whether cloud service contracts entitle the cloud provider to make any other use of its branding (e.g. in order to promote itself as a supplier to the university on its website or when pitching to other clients). If possible, any additional brand usage rights should only be permitted with the university’s prior written consent.
Universities should also take care to ensure that it retains ownership of any course content that is made available through the services.
Term / termination
Universities should be mindful of how long the cloud services contract is intended to last for and how easy it is for them to exit from the contract.
The appropriate term of the contract will depend on whether the services are being procured as a “quick fix” to get around the COVID-19 restrictions on in-person lectures and seminars or whether they represent a more general change in the way the university wants to deliver courses in the future.
In either case, universities should always try and include a right to terminate for convenience (i.e. without reason) to avoid being locked into a contract for too long, although the period of notice the university has to give (and whether any termination fee should be payable) will be commercial issues to be negotiated between the parties.
Universities should also be wary of whether contracts automatically renew or only by mutual agreement. The latter position is preferred in that it gives the university the opportunity to renegotiate the contract at the end of each term (including key commercial variables like the fees). On the other hand, contracts which automatically renew carry the risk of locking universities in for further periods of time, potentially on unfavourable terms and/or increased pricing.
Universities who have signed up to contracts which automatically renew should ensure they have stringent internal measures in place to remind them of the deadline by which any notice to terminate must be served, in order to minimise the risk of accidentally extending the contract beyond its current term.
Exit / vendor Lock-in
Cloud services have the potential to be the cornerstone on which universities not just deliver courses to students but also carry out various important internal operations.
As such, there is a risk of over-reliance and dependency on particular cloud services, which can cause significant problems when the contract does, for whatever reason, come to an end.
Universities should take care that, on termination or expiry of the contract, the cloud service provider is obliged to assist the university in transitioning the cloud services back in-house or to a new provider, in order to minimise service disruption.
The move within the education industry from in-person to remote learning is nothing new. However, as with many things, COVID-19 is hastening the rate at which this change is happening.
As more and more universities feel the need to incorporate cloud services within their own businesses, it is important they go into negotiations with their eyes open and do not end up contracting for a substandard service on unfavourable terms.
If you are a university who is thinking of procuring cloud services in the future or have an existing cloud services contract you would like reviewed, please do get in touch.