The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have recently issued ISO/IEC 27018, a document which seeks to establish an international standard with respect to the implementation of personal data protection controls by public cloud service providers acting as personally identifiable information ("PII") processors ("public cloud PII processors").
The international standard's stated objectives are as follows:
- To help public cloud PII processors comply with applicable obligations, whether such obligations fall on the PII processor directly or through contract.
- To enable the public cloud PII processor to be transparent in relevant matters so that cloud service customers can select well-governed cloud-based PII processing services.
- To assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement.
- To provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multi-party, virtualized server (cloud) environment might be impractical technically and might increase risks to those physical and logical network security controls in place.
The new international standard has been developed based on ISO/IEC 27001 and ISO/IEC 27002, the existing general standards on information security management systems and controls. ISO/IEC 27018 is, however, particularly notable for its added focus on PII protection standards which might apply to public cloud PII processors pursuant to contracts with their customers.
The additional sector-specific controls and implementation guidance, which are classified according to the 11 privacy principles of ISO/IEC 29100, are found in Annex A of ISO/IEC 27018 and they include the following guidelines:
- Use, Retention and Disclosure limitation – the public cloud PII processor should be contractually required to notify the cloud service customer of any legally binding request for disclosure of personal data by law enforcement authorities, and all disclosures of personal data to third parties by the public cloud PII processor should be recorded;
- Obligation to Cooperate Regarding Individuals' Rights – the public cloud PII processor should provide the cloud service customer with the means to respond to individuals' requests for access to, or correction of, their personal data;
- Purpose Legitimacy and Specification – the public cloud PII processor must only process personal information in accordance with the customer's instructions and not for any other purpose, and express consent must be obtained if the public cloud PII processor wishes to process the personal data for marketing and advertising purposes;
- Data Minimization – Temporary files and documents should be erased or destroyed within a specified, documented period;
- Openness, Transparency and Notice – the public cloud PII processor should disclose any use of sub-contractors before they are engaged, and specify the countries in which personal data may be stored;
- Return, Transfer and Disposal – the public cloud PII processor should implement a policy for the return, transfer or disposal of personal data;
- Information Security –
  - personnel under the public cloud PII processor's control should be subject to confidentiality obligations;
  - the creation of hardcopy material containing personal data should be restricted, and any such material should be destroyed securely;
  - procedures should be established to log any data restoration efforts; and
  - personal data should be encrypted prior to transmission.
For organisations which handle personal data in Singapore, the release of this standard is timely, as the Personal Data Protection Act 2012 ("PDPA") has also just fully come into force.
Even though not all of the Data Protection Provisions under the PDPA apply to data intermediaries that process personal data on behalf of a customer pursuant to a contract made in writing, the customer would often still seek to ensure full compliance, since its obligations under the PDPA are the same as if the personal data processed by the data intermediary had been processed by the customer itself.
In addition, the PDPA restricts the transfer of personal data outside Singapore, except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to the transferred personal data comparable to the protection under the PDPA (the "Transfer Limitation Obligation"). The Transfer Limitation Obligation will thus particularly affect public cloud PII processors and their customers in distributed cloud environments, where personal data originating or handled in Singapore will be stored in various countries outside Singapore.
Customers would thus typically impose contractual obligations which meet the requirements of the PDPA (and, where data is being transferred overseas, also the requirements of the Transfer Limitation Obligation), and also require practical assurances that these obligations are being met.
The ISO/IEC 27018 certification can thus be useful as an independently audited standard which deals with many of the issues raised under the PDPA. It can be a short-hand tool for customers to have a sense of the cloud service provider’s baseline personal data practices, particularly where a customer has significant PDPA compliance concerns. It can also be useful as a common benchmark against the PDPA when dealing with overseas cloud services providers subject to different legal regimes.
Further, on account of continuing audit requirements, ISO/IEC 27018 may help provide customers some further assurances that personal data protection measures as outlined in the international standard have been implemented.
Of course, whilst ISO/IEC 27018 therefore serves as a good reference standard, customers should still recognise that it is ultimately intended to assist with compliance with personal data obligations by providing best practice recommendations and guiding principles, and that it has not been endorsed by the Personal Data Protection Commission. Singaporean cloud services customers should therefore not assume, merely because a service provider is certified, that they need not further consider how their obligations under the PDPA are to be addressed.