Cloud Code of Practice puts NZCS in driver's seat

18.10.2011
The reputation of the cloud computing community in New Zealand is "threatened by the lack of standards and practice guidelines", says the preamble to the draft terms of reference (ToR) for the upcoming Cloud Code of Practice.

The ToR were published for comment late last month by an establishment group led by the New Zealand Computer Society.

NZCS CEO Paul Matthews quotes Rizwan Ahmad, the New Zealand director of the global Cloud Security Alliance (CSA), as saying "globally, New Zealand is lagging behind much of the rest of the world" in the area of practice guidelines for cloud computing.

"This is not what New Zealand wants to hear from the local representative of the global cloud security organisation. We seriously can't lag behind the rest of the world in this area," Matthews says.

The idea of a code for cloud providers was raised at the InternetNZ-organised NetHui earlier this year, amid persistent scepticism about the challenges cloud computing presents, particularly for privacy and reliability. Prime movers of the code included Rod Drury of cloud service provider Xero.

A clause in the terms of reference appears to put NZCS firmly in the driving seat.

"The NZCS National Council shall be the final authority as to whether the code is formally adopted on behalf of the profession," it says. However, the Society insists this is merely a formality.

"It is hoped that all significant ICT groups and bodies and the vendor community will adopt and endorse the code," the document says.

Matthews says it is not the intention of this clause to put the NZCS in complete charge of the exercise. A rewording of the clause is already being considered to avoid that impression. However, some organisation has to be the focus for final approval, he says, and this cannot be done by the steering group, since this is not its role; it exists to facilitate consultation.

"The intention [of the clause] is to make it clear that NZCS is not formally endorsing the code until it is complete," he says in an email. "This is primarily because we are simply facilitating a process rather than developing it 'in-house'. While we are confident of achieving a result that has widespread endorsement, we can't jump ahead of ourselves."

Even if the Society were approving the code purely for itself, the National Council would be the final arbiter of adoption, he says; that is the reason the council is referred to.

Good privacy legislation is a start to projecting a positive image of New Zealand as a home for cloud computing, says Matthews, but it is not enough. "The CloudCode will serve to show that New Zealand is serious about good practice and standards in the cloud," he says. "The CloudCode will help build New Zealand's technology reputation globally."

To fall down on the job would be to entertain "rogue operators", who would further detract from the country's reputation, he says.

The initial phase of the project will decide the structure and approach of the code. This will then be put out for public comment before the detail is filled in.

The steering group will provide "governance and direction" and will be chosen from ICT industry organisations and attendees at an initial workshop, with a representative from the Privacy Commissioner's office.

The steering group will consult with a reference group drawn from a wide range of cloud computing stakeholders and will have two public consultation phases. The first, in November, will be on the overall shape of the code, though there will also be workshops in Auckland, Wellington and Christchurch where detail will be discussed. The formal consultation and call for submissions on the detail of the code will be in December.

Despite the NZCS having plenty of other work on its plate, it is crucial that it take a lead role in formulating the code, Matthews says. Living up to its status as a professional society demands it. "You only have to look as far as the work of the NZ Institute of Chartered Accountants, Institute of Professional Engineers, Law Society, etc," he says on the NZCS blog. "These are bodies of professionals who work on the standards and practices in these fields, engaging with all stakeholders in the process."

Detail of the code's implementation is outside the scope of the current project, as are the potentially controversial questions of initially assessing organisations' practices against the code and deciding subsequently when an organisation has fallen into non-compliance and how that should be penalised.

The NZCS set up a budget for the exercise and this has already been oversubscribed by companies and industry organisations, such as NZRise, InternetNZ, Gen-i, Onenet, Equinox, Xero and the NZCS itself. This is a gratifying measure of the degree of industry commitment, Matthews says. The oversubscription may be handled by reducing the originally set subscription amount for everyone or by keeping the extra funds in reserve.