As both public and private sector organisations grapple with the increasing volume and complexity of data they hold in their data centres, many are turning to outsourced cloud-based hosting solutions. Ivan Waide, partner in the IP & Technology team at A&L Goodbody in Belfast, examines below some of the key issues arising.
In today’s age of “big data”, many organisations are increasingly holding very large volumes of data. Due to historical, operational or other reasons, this data is often spread over several traditional data centre sites in different geographical locations, some of which may be “in-house” with other parts held in third party data centres. It is therefore no surprise that many of these organisations are looking at ways of consolidating their approach to the use of data centres, and turning to outsourced cloud-based hosting solutions.
UK Government’s G-Cloud Programme
For some time now the UK Government has been positively encouraging UK public sector organisations, through its G-Cloud Programme, to further explore cloud-based solutions. The G-Cloud Programme sets out to define how the public sector could utilise the cloud computing approach to ICT delivery and to explore what benefits and challenges this approach creates. The G-Cloud Programme is a core element of the UK Government's ICT Strategy and is an enabler of cost savings targets for the 2011-2014 period, as well as other government objectives such as enhanced public services, improved data centre services and the green agenda.
Since February 2012, UK public sector organisations have been able to purchase a range of IT services off the shelf from the UK government’s CloudStore on a “pay-as-you-go” basis, rather than having to develop their own systems. And in October 2012, the UK Cabinet Office announced the latest framework of G-Cloud suppliers (comprising some 458 suppliers in total) for the next 12-month period. It is hoped this will drive efficiency and value through standardisation, sharing and re-use of services, as well as providing a route for rapid access to a portfolio of G-Cloud services, including cloud-based hosting services.
Ensuring Data Security and Compliance with Data Protection Legislation
Any customer (whether public or private sector) outsourcing the provision of data centre services will want appropriate legal protections in place to ensure data integrity, security and (where personal data is involved) compliance with data protection legislation. A threshold issue for an organisation to consider will be what type of data it allows into the cloud. For example, an organisation may decide to use the cloud only for its non-commercially sensitive and non-personal data.
Generally, a customer will need to carry out pre-contract due diligence on the cloud provider, its proposed security measures and its track record for safeguarding customers’ data. The customer will also want to ensure that its contract contains meaningful service levels and appropriate liability provisions in the event of a breach.
If personal data is being processed in the cloud, the so-called 7th Principle under the Data Protection Act 1998 requires that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and against the accidental loss or destruction of, or damage to, the personal data.
The customer will also want to know where its data is going to be stored and processed. Under the so-called 8th Principle in the DPA, personal data may only be transferred outside of the EEA if certain conditions are met (e.g. obtaining the consent of the data subject, or where the transfer is pursuant to a contract incorporating EU-approved clauses). In a traditional outsourcing situation, the customer generally knows where its data is going and where it will be stored and processed. In the cloud environment (particularly in a public cloud), it may be more difficult to tell where the data is at any given point in time. Possible solutions include requesting provision from the cloud provider of a European Cloud offering – in that scenario the data would never leave the EEA so there is no issue in respect of the 8th Principle. An alternative solution would be to ensure that the cloud provider signs up to the EU-approved clauses for transfers of personal data outside the EEA.
Although there are some valid data protection compliance and other data security issues to consider in the context of outsourcing data centre services to the cloud, there are various ways a customer can seek to manage these risks. It is also important to consider the potential advantages that the cloud can provide - with careful planning, due diligence and the appropriate legal protections in place, a consolidated cloud-based hosting solution can offer significant cost-savings and other service benefits, including access to enhanced data security measures, business continuity and disaster recovery services.