In July 2014, the international Standards Organization (ISO) issued its first privacy standard for protecting Personally Identifiable Information (PII) on the cloud. The standard defined a set of elements to ensure that Cloud Service Providers (CSPs) process PII in a safe and consistent manner. Elements included, Consent, where customers explicit consent is required for advertising and/or marketing activities; Control, customer has full control over his/her data and CSPs are obliged to return, transfer or securely dispose all customers data in a specific timeframe, at his/her request; Transparency, where CSPs must inform customers where their data resides, sub-processors assisting the CSP in performing its data processing services, any changes in sub-contractors identity. If concerned about such changes, customers have the right to object or terminate their contract. Accountability andCommunication are also important elements of the standard where, in case of a breach, CSPs should initiate an investigation to identify any data loss, disclosure or alteration of PII and report it to relevant customer(s) and regulator(s). Finally, Compliance is a key element where CSPs are subject to third-party audit to determine their conformance with ISO 27018 controls.
Since its inception, the standard has gained a large acceptance from different Data Protection Authorities (DPA) in different countries including Hong Kong, Germany, UK, Czech Republic, Slovenia, Belgium, Canada, Australia, and the EU. For example:
- Hong Kong: Office of the Government Chief Information Officer (OGCIO) – In its working paper titled Overview of ISO/IEC 27000 family of Information Security Management System Standards, the OGCIO dedicates a full page summary of ISO/IEC 27018 including a highlighted section of its benefits as noted below:
Benefits of ISO/IEC 2701
ISO/IEC 27018 is applicable to the processing of PII obtained from a customer for the purposes determined by the customer under its contract with the cloud service provider. By adopting ISO/IEC 27018, an organisation can: Use it as a guideline to facilitate the compliance with the relevant data protection requirements; Win the trust of customers to entrust their data in the cloud, and thus broaden their customer base; and Assist public cloud service provider, operating in a multinational market, in coping with various national data protection standards and performing complex assessment in each jurisdiction.
- European Union, European Data Protection Commission – In its Code of Conduct created to provide an environment of trust and transparency and to make it simpler for customers to analyze whether cloud services are suitable for the processing of personal data, the Commission makes multiple references to ISO 27018. In discussing methods to achieve the security objectives, the Commission provides a list of standards for the security of a cloud service and notes the following about ISO 27018:
- Appropriate standards for the security of a cloud service, which must be specifically targeted towards identifying and addressing privacy risks, can be identified and referenced in accordance with the rules set out in the governance section of the Code. Examples of such standards include:
- ISO/IEC 27001, taking into account the privacy risks, as described for example in ISO/IEC 27018;
- The ENISA Information Assurance Framework;
- Guidance documents, recommendations or security reference measures established by national DPAs in relation to information security in general or cloud computing specifically;
- Other relevant national standards adopted by national governments
- The Commission is committed to work with industry to agree on a code of conduct for CSPs to support the uniform application of data protection rules. As part of this overall strategy, the Commission sent the Data Protection Code of Conduct for Cloud Service to the Article 29 Working Party requesting their positive opinion.
- Australia, Office of the Australian Information Commission – In its guide to securing personal information, the Information Commission references ISO 27018. In a list of questions to be asked when evaluating cloud services, the Commission calls out whether the cloud service provider’s information handling practices are certified against information security standards (such as the ISO 27000 group) and notes the following about ISO 27018:
- In 2014, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) also published ISO/IEC 27018:2014 which relates to the implementation of measures to protect personal information while it is being processed in the public cloud. The standard uses a definition of ‘Personally Identifiable Information’ adopted from ISO/IEC 29100:2011. If adopting this standard, entities must ensure that they apply the definitions of personal information and sensitive information in the Privacy Act. More information can be found in the ‘Standards’ section below. The Commission’s guide can be found at: Guide to securing personal information- online version
- Germany, German Data Protection Commission - German DPA cloud guidance highlights the use of ISO 27018 for cloud. https://www.datenschutz-bayern.de/technik/orient/oh_cloud.pdf
- Canada, Office of Saskatchewan Information and Privacy Commissioner (OIPC) -In an article posted on the Commissioner site, Chantal Bernier, LL.B., LL.M, Counsel, Dentons Canada LLP, explains how ISO 27018 addresses the privacy considerations raised by OIPC and concludes the following about ISO 27018:
- ISO/IEC Standard 27018 changes the landscape in relation to the cloud, particularly for public bodies, as it allows them to finally access the benefits of the cloud, and keep control of data.
- This conclusion applies to Saskatchewan as it does to other governments in Canada.
- For public bodies in Canada, ISO Standard 27108 means more safety, same control. The OIPC article can be found at: ISO/IEC 27018 Standard for Privacy on the Cloud - The Meaning for Public Bodies.
In brief, many DPAs are currently endorsing ISO27108 as part of their data protection policy and a key tool for evaluating Cloud Service Providers. In countries where there is no DPA or there is no explicit Data Protection law that addresses the protection of PII, ISO 27018 represents a very convenient base for selecting the right CSP, in addition, its elements can be part of the National Cloud Policy Policy.