The Information Commissioner’s Office (ICO) recently published practical guidance on the use of cloud computing for businesses. With increasing numbers of organisations moving to the cloud, the guidance serves as a reminder to companies that they remain responsible for personal data, even when it is passed to cloud network providers, by highlighting the potential risks and setting out steps to follow when selecting a cloud provider.

BACKGROUND

The ICO appreciates that there is an ongoing shift towards cloud computing, driven primarily by the flexibility and cost savings offered by these services. The guidance defines in plain English the various deployment and service models that exist in relation to cloud computing, and recognises that different services can be layered on top of one another (software, platform and infrastructure could all be provided by different organisations, for example) creating complex supply chains.

The guidance provides a wide-ranging checklist of legal and commercial issues for businesses to consider when moving to the cloud, analysing aspects of cloud computing by reference to the relevant Data Protection Act (DPA) principles.

DISCUSSION

Two of the most problematic issues raised in relation to cloud computing are: i) discerning the distinction between a data controller and a data processor, and ii) the prohibition on export of data outside the European Economic Area (EEA) without adequate safeguards. The guidance considers the identity of the data controller and data processor in various service models. The precise status of the cloud provider will need to be reviewed on a case-by-case basis, but, for the most part, the cloud customer will be the data controller, determining the purposes for which, and the manner in which, personal data is processed, and therefore ultimately responsible for complying with the DPA.

The guidance also addresses the compliance issues raised by the global nature of cloud computing and identifies the following key issues to be resolved when selecting a cloud provider.

Codification of the Relationship

The DPA requires the data controller to have a written contract with the data processor, stating that the cloud provider will not be able to change the terms of data processing activities without the cloud customer’s consent. Customers should be wary of providers that offer “take it or leave it” terms and conditions, as such contracts may not allow them to retain sufficient control over the data to enable them to fulfil their DPA obligations.

Auditing the Cloud Provider

Organisations should choose a cloud provider that provides sufficient guarantees of security measures. Given the logistical challenges associated with customers concurrently exercising audit rights in respect of the cloud provider, the guidance proposes that the provider arranges for an independent third party to conduct a detailed security review and then provide a copy of the report to the provider’s customers. The ICO also supports the introduction of an industry-recognised standard to assist cloud customers in assessing the security offered.

Encryption of Data

Data in transit between terminals should be secure and protected from interception by the use of encryption that meets recognised industry standards. Customers should also consider encrypting data when it is stored within the cloud service, especially when sensitive personal data is being processed.

Data Retention and Deletion

A cloud provider is likely to have multiple copies of data stored in various locations. The customer should ensure that its provider agrees to delete all copies of personal data in line with the customer’s deletion timeline.

Cloud Services Outside the United Kingdom

Given the restrictions imposed by the DPA on data transferred outside the EEA, the customer should request from its provider a list of countries where data is likely to be processed and details of the safeguards implemented in such countries.