With a need for mobile access to data and the influx of innovative and affordable cloud computing products to global markets, organisations are shifting towards a greater use of the cloud. In response to its growing popularity, the Information Commissioner’s Office (ICO) has published guidelines on data protection compliance issues surrounding cloud computing. The practical guidelines not only provide a high-level analysis of how to apply data protection rules to cloud contracts, but also consider the various issues surrounding migration to the cloud and provide a checklist for those organisations adopting cloud services.
The distinction between data controller and data processor is of critical importance to data protection and can be complex in relation to cloud computing. The ICO helps navigate this issue by demonstrating data controller and processor roles in various scenarios. The cloud customer is generally considered the data controller as it determines the purposes and the manner in which any personal data are being processed. The ICO suggests that the precise role of the organisation that owns and operates the cloud service (“Cloud Provider”) should be reviewed in each case in order to determine whether or not it is processing personal data.
Data controllers, to remain compliant with the UK Data Protection Act, must consider the following key areas:
- Assess personal data and the risk to that data by putting it into the cloud.
- Obtain sufficient guarantees from the cloud provider about security measures. The ICO supports the use of industry-recognised standards.
- Protect personal data in transit through use of encryption, especially where sensitive data is being processed.
- Ensure measures are in place to prevent unauthorised access, including individual usernames and passwords for each cloud user.
- Institute a continual cycle of monitoring, review and assessment of the cloud provider’s security controls.
Data Retention and Deletion
- As most cloud providers are likely to have multiple copies of data stored in various locations for disaster recovery, cloud customers should ensure that all copies of personal data no longer required can be securely and timely deleted.
- If it is not possible to obtain audit rights because of shared cloud services, the ICO recommends an independent third party to avoid the need for each customer to conduct a separate audit.
- The cloud provider should only be permitted to process personal data for specified purposes and not without the agreement of the cloud customer.
- Cloud servers may be located outside the UK which can make it difficult to establish where data is being processed. The cloud customer should therefore request from the cloud provider a list of countries where data will be processed and the safeguards in place in each location. Furthermore, the cloud provider should explain when data will be transferred to the locations.
The ICO recognizes the benefit of cloud computing and this new guidance contains pragmatic suggestions to assist organizations in conducting due diligence on a cloud supplier, and in ensuring data protection compliance.