Forty-six percent of UK adults online who use cloud storage are concerned about the security of their information, according to a recent YouGov survey.
Whether or not the public’s perception of cloud computing solutions is correct, it highlights a concern that has led the Information Commissioner’s Office to publish a new guidance note entitled “Guidance on the use of Cloud Computing”.
In addition to the well-known risks of cloud computing, such as ineffective or even non-existent disaster recovery provision, the Guidance reminds businesses of their responsibilities under the Data Protection Act 1988 (“DPA”) and confirms that the DPA applies to any processing of personal data which takes place in the cloud.
Data breaches can lead to expensive fines. A recent example of the Information Commissioner’s appetite to penalise breaches of the DPA is the £250,000 fine handed to the Scottish Borders Council in September 2012, after the council’s former employees’ pension records were found in an overfilled paper recycling bank in a supermarket car park.
The council had employed an outside company to digitise the pension records of its former employees but failed to put a written contract in place with the third party processor and failed to seek appropriate guarantees as to how the personal data would be kept secure whilst being processed and destroyed shortly thereafter.
To avoid similar fines, the basic obligation to bear in mind is that, as a business, you are responsible for keeping your data safe. The processing of that data can be outsourced, but how the data is used and protected remains your responsibility.
The main points detailed in the Guidance to consider are:
- If processing is outsourced, a written contract must be in place to comply with the provisions of the DPA.
- The customer must take steps to ensure that the cloud provider adequately addresses the risks discussed in the Guidance. It cannot assume that the cloud provider’s standard terms and conditions will allow the customer to retain sufficient control over the data in order to fulfil its data protection obligations.
- Consider whether all the data that you are putting into the cloud really needs to be there. A customer should actively review its data, determine whether there is any data that should not be put into the cloud, and keep a clear record of the types of data that it intends to move to the cloud.
- If the cloud provider is to act as a data processor (which it will in most circumstances), the provider must give sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and the customer must take reasonable steps to ensure compliance with those measures.
- Data which is deleted is rarely entirely removed from the underlying storage media unless additional steps are taken. The customer should therefore ensure that the provider is able to delete all copies of personal data within a timescale that is in line with the customer’s own data retention schedule.
- If data is to be transferred to any country outside the European Economic Area, it may only be transferred to a country or territory that ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data. The customer must ensure that the cloud provider’s solution guarantees compliance.
- Once a cloud provider has been chosen the customer should continually monitor, review and assess whether the cloud service is being run as expected.
The Guidance provides a valuable checklist of matters for businesses to consider before signing up for cloud computing, and you would be well advised to familiarise yourself with them urgently or risk facing a potentially costly conflict with the Information Commissioner.