The United Kingdom's Information Commissioner's Office (ICO) recently issued Guidance on Personal Data and Cloud Computing. The Guidance offers best practices for companies that are using, or contemplating using, cloud computing services to store or process personal data, along with information on how to conform to the UK's Data Protection Act (DPA).
At the outset, the ICO's Guidance reiterates that organizations may outsource their data storage and processing to third parties through cloud computing services, but they remain as responsible under the DPA for how personal data is stored, used and protected as if they stored and processed the data on their own servers. The Guidance also warns that using cloud computing services to store and process personal data may entail data security risks of which businesses may be unaware, and suggests issues that businesses should consider and action steps they should take prior to contracting with prospective cloud service providers.
The DPA applies to the "processing" of personal data, which is defined so broadly that most of the operations that are likely to occur in the cloud, including simple storage of data, would fall within the definition. Depending on the services that cloud service providers undertake, they may also be considered "data controllers" and therefore subject to the requirements of the DPA, rather than merely data processors on behalf of their customers. According to the Guidance, the cloud customer determines the purposes for which and the manner in which any personal data is processed, and therefore the cloud customer most likely will be the data controller and have overall responsibility for complying with the DPA. The precise role of cloud providers in each case determines whether they merely act as "data processors" on behalf of data controllers or whether they are data controllers with primary responsibility under the DPA as well.
The Guidance suggests a number of action steps and includes a checklist for businesses considering moving data to the cloud. The checklist includes:
- steps for assessing the risks of moving data to the cloud (understanding the personal data the business may hold and how the data will be processed in the cloud);
- the confidentiality of the personal data in the cloud (encryption for both storage and transmission of data; third-party audits of the service providers' systems; timescales for data creation, retention, suspension and deletion; whether any data is shared with third parties or across other services the providers offer; and how the providers address vulnerabilities that may be identified in their systems);
- the integrity of cloud providers' systems (whether the cloud provider can provide data in a useable format upon request, how fast the provider can restore data from a backup, and whether the provider provides audit trails in order to view who has accessed the data);
- the availability of both the service and the data, and how interruptions likely will impact business operations; and
- the legal aspects of moving to the cloud, including contract terms (the Guidance warns against providers that issue "take it or leave it" terms) and any intercountry transfer of data.
The Guidance also offers additional suggestions on consumer transparency, recommending that businesses that contract for cloud services be open and transparent with their customers about the processing arrangements they have made and the rights their customers have to access their personal data and to object to the processing of their data for certain purposes. In addition to requiring a written contract with cloud computing services providers, the Guidance also suggests that businesses engage in continual monitoring of the provider's performance.