The UK Information Commissioner's Office (ICO) recently published guidance on compliance with the Data Protection Act 1998 for organizations that use cloud computing. The guidance emphasizes that a business may outsource its data processing to a cloud computing service, but that the business remains responsible for how personal data is used and protected. It recommends that organizations take a number of steps regarding security, including an assessment of the cloud provider's security measures against unauthorized or unlawful processing and against accidental loss or destruction of personal data; this assessment may include a security audit by an independent third party. Cloud customers should themselves also use encryption and restrict access to personal data, and they must assess the data protection risks associated with moving particular data to the cloud and take steps to mitigate those risks. On transparency, the guidance recommends that cloud customers be open with consumers about the processing arrangements they have established and about the rights that data subjects have to access their personal data or to object to processing for certain purposes. Lastly, the guidance recommends a written contract with the cloud computing services provider and ongoing monitoring of the provider's performance against it. With respect to cloud computing providers located outside the UK (and the EU), the ICO directs companies to its earlier guidance on that subject.
Tip: Companies subject to UK jurisdiction may find this guidance helpful when setting up and using cloud computing services. They should keep in mind that, according to the ICO, using a cloud computing vendor does not transfer to the vendor the risks and responsibilities associated with collecting and processing customers' personal information.