The loss of direct control over data transferred to the cloud throws up challenges in complying with privacy and data protection laws. A new security standard (ISO/IEC 27018) has been released which should assist governments and providers meet these challenges.
In August 2014, the International Organisation for Standardisation (“ISO”) and the International Electrotechnical Commission (“IEC”) published a new voluntary security standard for cloud services: ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (“PII”) in public clouds acting as PII processors (“ISO/IEC 27018”).
ISO/IEC 27018 creates a common set of security categories and controls tailored specifically for cloud services which deal with personal information. ISO/IEC 27018 does not replace existing laws and regulations and it provides an international common standard of security controls.
The key issues in regards to data and privacy protection addressed in the standard include:
Control of PPI
- Does the provider handle PII according to the customer’s directions?
- Does the provider enable end-users to access, amend and delete their PII?
- Does the provider have a policy which governs the return, transfer or destruction of PII
- Does the provider allow for the provision of PII to law enforcement agencies only to the extent that the law requires?
- Does the provider give notice to a customer of a legal obligation to disclose PII?
- Does the provider follow through with their policy for the return, transfer, or deletion of PPI following the termination of a contract?
- Does the provider refrain from using PII for its own purposes?
- Does the provider obtain express consent before using PII for marketing or advertising purposes?
- Does the provider reveal the locations where PII may be handled?
- Does the provider release the names of any sub-processors who may be handing PPI before entering into a contract?
Breach of Data
- Does the provider assist customers fulfil their data breach notice obligations?
- Does the provider give notice to customers of data breaches?
- Does the provider have a policy that states when a notice for data breach will be given?
- Does the cloud provider keep records of the data breaches?
- Does the provider enter into confidentiality agreements with personnel who handle PII?
- Does the provider agree to independent information-security reviews?
Whilst using the standard provides a helpful guide it should by no means be viewed as a conclusive checklist. Indeed, government departments in certain industries such as health and education owe additional obligations which will require further consideration.
Nevertheless, the ISO/IEC 27018 goes a long way in standardising international data and privacy protection obligations and may reduce costs and provide efficiencies in evaluating the services of potential cloud providers.