Use of Commercial SaaS Solutions in Swedish Public Sector Organisations under Unknown Contract Terms

Abstract

Lawful and appropriate use of cloud-based globally provided Software-as-a-Service (SaaS) solutions by a public sector organisation (PSO) for data processing and maintenance of digital assets presupposes an investigation of all relevant contract terms. Having obtained, analysed, and filed all relevant contract terms when using a SaaS solution is a prerequisite for good administration. Identifying and obtaining all relevant contract terms for a SaaS solution involves significant obstacles which in practice may be impossible to overcome for each PSO. This paper addresses how PSOs investigate contract terms prior to adoption, and why PSOs use a globally provided SaaS solution without having identified and obtained all relevant contract terms. Through a review of responses to questions and public documents from Swedish PSOs we analysed how each PSO had investigated contract terms and licences for the Microsoft 365 (M365) solution prior to adoption and use of the solution in each PSO. We find that no PSO had investigated all relevant contract terms prior to use of M365, which implies that each PSO uses M365 under unknown contract terms. Further, we find that all PSOs use M365 for data processing of its digital assets under unknown contract terms and that each PSO has significant dependence and trust in its supplier.