The move towards cloud computing continues to gather momentum in the UK and around the world as many organisations realise its undeniable benefits. These include a reduction in costs, the streamlining of processes and the potential to introduce exciting and innovative products and services for customers. However, in the rush to take advantage of these benefits, organisations may overlook that outsourcing computing services to a cloud service provider does not obviate their responsibility to comply with their obligations under the Data Protection Act 1998 (DPA).The UK’s Information Commissioner (ICO) has recently issued new guidance for businesses looking to move to the cloud. Similar guidance has been issued by regulators in France, Germany and Italy.
A move to cloud services is likely to increase, not reduce, the need to protect personal data. This is because cloud computing utilises layered services (where different aspects of a service, such as hosting and development, are provided by a number of different providers) and allows for services to be provided from a variety of different locations, including from outside the UK. Cloud computing also allows for a multi-tenancy environment (where a cloud service provider acts as a data processor for a number of cloud customers). It is these characteristics of cloud computing which lead to increased efficiency and cost savings. It is also these characteristics that make regulatory compliance more challenging and increase legal risk.
On 27 September 2012, the ICO published the document "Guidance on the use of cloud computing". It highlights the specific risks to personal data that arise from utilising cloud computing technology and sets out questions a data controller should consider asking a prospective cloud computing service provider before entering into a binding contractual arrangement. The Guidance reminds data controllers that they continue to be responsible for the personal data which they control, even where services are outsourced to a cloud service provider.
The Guidance does not have the force of law, and compliance with its recommendations is not mandatory where those recommendations go beyond the strict requirements of the DPA. The Guidance reflects, however, the ICO’s interpretation of how the provisions of the DPA should apply in the context of cloud computing, and the general approach recommended therein should be followed.
Summary of the Guidance
A summary of the key points in the Guidance:
- Cloud Provider is a Data Processor – The Guidance states that a business will usually remain the data controller of any personal data which it transfers to a cloud services provider. It may become a joint data controller with the cloud services provider, if the cloud services provider is able to use some or all of the personal data for its own purposes (to advertise products or services to the cloud users, for example). More commonly, however, the cloud services provider will simply be a data processor, who only processes personal data on behalf of its customer and in accordance with its instructions. This means that the customer, as data controller, will need to comply with the provision in the DPA regulating the engagement of a data processor (see further below).
- Selection of the Data – The Guidance states that businesses should review the personal data transferred to the cloud service provider. The Guidance emphasises that it may be inappropriate for certain categories of data to be moved to the cloud and each business must make its own decision on suitability taking all the circumstances of the cloud service into account. A clear record of the categories of data which are moved to the cloud should be maintained.
- Selection of the Cloud Service Provider – The prospective cloud service provider must provide sufficient guarantees as to the security measures it will employ to protect any personal data it processes. The ICO recommends in the Guidance that it may be prudent to choose a cloud service that is specifically designed for the type of processing in question, rather than take the increased risks which may be involved in customising a cloud service.
- Security Assessment – The security measures offered by the cloud service provider should be carefully reviewed. The ICO recommends in the Guidance that one solution for a cloud service provider offering services to many different organisations or individuals (such as public cloud) is for the provider itself to engage an independent third party to carry out a detailed audit of its security measures. Copies can then be provided to customers, avoiding the need for each and every customer to carry out its own inspection.
- Encryption – Personal data should be encrypted when in transit and even in certain cases whilst it is being stored, for example, where the data is sensitive. The Guidance recommends that the security of the encryption key is vital for effective encryption and it warns that loss of the key can render data useless, which in turn could constitute the accidental destruction of personal data, in breach of the DPA’s seventh principle.
- Written Agreement – As a cloud service provider will usually be a data processor, it is a legal requirement that it enters into a written agreement with its customer, the data controller, for the provision of the cloud service. The Guidance provides a reminder of this. The agreement must limit the provider’s use of the data to that strictly necessary to provide the service and include a commitment to keep the data secure. The agreement should also clearly set out the circumstances in which the cloud service provider can access the data and place an obligation on the cloud service provider to encrypt data when in transit.
- Information to Users – The Guidance provides that it may be necessary to inform end users of the cloud service (i.e., data subjects within the meaning of the DPA) of any changes to the processing arrangements resulting from the move to cloud.
- Monitoring – The Guidance makes it clear that businesses are under a continuing obligation to monitor their chosen cloud provider’s compliance with its contractual obligations, in particular its maintenance of the agreed security measures. If layered services are provided, this obligation extends to each and every provider in the chain.
- Access Controls – One of the key benefits of cloud computing is the ability of end users to access data from any location, such as from home or the office and using a variety of devices. This, however, significantly increases the risk of unauthorised access and the Guidance highlights the need to set up effective controls, for example, ensuring that each user has a separate account and password.
- Data Retention and Deletion – A cloud service often results in data being held in multiple locations and multiple copies being in existence. The Guidance states that, where this is the case, it is important to ensure that all copies of personal data retained by all providers are deleted when the cloud service is terminated. The contract with the cloud service provider should place an obligation on the cloud service provider to do this within a defined timescale.
- International Data Transfers – A cloud service may frequently involve data being processed outside the UK. If it is processed outside the European Economic Area, special measures may need to be taken to ensure that the data is adequately protected, which are in addition to the usual security measures. For example, Model Clauses may need to be entered into between the customer, the data controller and the cloud service provider. The Guidance provides that a list of the countries in which data may be processed should be obtained from the cloud service provider at the outset, together with an explanation of when data will be processed in each location, in order for the customer to assess what is required for compliance.
Organisations looking to provide or use cloud solutions should also seek legal advice not only on the details of the contract for the provision of cloud services itself but also the nature of their obligations under the applicable data protection rules. The Squire Sanders UK data protection and privacy team combines an in-depth understanding of the relevant data protection issues with experience in outsourcing and other forms of IT contracting. For cloud solutions that involve multiple jurisdictions within and outside Europe, our global Data Protection & Privacy Practice Group can help develop regional data protection and compliance solutions.