The Information Commissioner's Office ("ICO") has published a "personal information online code of practice" (the "Code"). The primary aim of the Code is to explain how the Data Protection Act 1998 applies to the collection and use of personal data online. However, the Code also represents the ICO's first attempt to tackle the data protection issues involved in contracting for Cloud Computing services.
The Code acknowledges the obvious risks faced by organisations using cloud-based data storage services (e.g. uncertainty as to where personal data is being processed) and the need for organisations to address the compliance issues raised by those risks.
It advises that organisations using cloud-based services must not relinquish control of personal data or expose it to security risks that would not have arisen had the data remained in their possession in the UK. It further advises organisations to enter into a written contract requiring cloud service providers to act only on the organisation's instructions and to maintain security levels equivalent to those of the organisation based in the UK.
As good practice, the Code also advises that organisations should conduct a risk analysis before contracting with providers of cloud services. This could involve asking the service provider a series of questions, which are set out in the Code, for example:
- Can the service provider guarantee the reliability and training of its staff? Does it have any form of professional accreditation?
- How good is the service provider's security track record?
Unfortunately, the Code does not provide detailed guidance on the appropriate technical and security measures that organisations can implement in order to protect themselves and personal data from the security risks inherent in Cloud Computing.
In practice, the Code is likely to be of limited use to organisations wishing to take advantage of the cost-saving benefits associated with a move to Cloud Computing services. Despite its deficiencies, the Code does at least acknowledge the issues with Cloud Computing services. However, it remains to be seen how long it will be before any more meaningful guidance is published by the ICO on this issue.
A copy of the Code is available here.