Speed read

The new ISO 27018 sets out international standards for handling personal and sensitive information by cloud service providers (CSPs), both domestically and internationally. With questions around cloud security, cloud breaches (eg the Hollywood actresses’ selfies), poor CSP terms, and some loss of confidence in CSPs, ISO 27018 takes an internationally based approach to security and protection of private information by CSPs.

A CSP agreeing to comply with ISO 27018 is also more likely to comply with data protection legislation internationally including the NZ Privacy Act. And they are more likely to reassure their customers about cloud security, thereby leading to more business.

It is too early to say if ISO 27018 will have a major role in the future. This could be a slow burner. Or it could ignite.

The Detail

ISO 27018 is the new International Standards Organisation’s “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”. It is the first internationally robust standard for CSPs. It builds on existing ISO standards especially ISO 27001. Providers that adopt this standard agree:

  • not to use data for their own purposes such as marketing;
  • to provide transparency about who processes customers’ data;
  • to return or dispose of data of customers who leave the service; and
  • to undergo third-party verification for compliance.

The Standard states its objectives as:

  • To help the CSP to comply with applicable obligations, such as statutory and other legal obligations including contract;
  • To enable transparency so that customers can select well-governed CSPs;
  • To be a basis for contracting between a CSP and its customers;
  • To enable audit and compliance mechanisms in multi-party virtualised server environments.

Cloud computing often involves transfer of information between countries and this international standard will help to deal with that. While the standard is modelled on EU data protection concepts, it is a valuable implementation of NZ Privacy Act requirements. (In any event, both regimes flow from OECD antecedents, so there is much in common.) The NZ Privacy Act has regard to good industry practice, and compliance with ISO standards can demonstrate compliance with good industry practice. As we’ve pointed out in our earlier article, Cloud Computing - Privacy and Security Legal Issues, complying with good industry practice reduces much legal risk, ranging from contract and statute to negligence and the duty of confidentiality.

CSPs that can market their services by confirming compliance with ISO 27018 will provide greater reassurance to prospects as to the quality of their services.