The Information Commissioner’s Office (“ICO”), the UK regulator responsible for enforcing the Data Protection Act 1998 (“DPA”), recently issued guidance on the use of cloud computing (the “Guidance”). The Guidance responds to the growing take-up of cloud services and is aimed primarily at helping organisations that use, or are considering a move to, cloud services to understand their obligations under the DPA, and at promoting good practice. It also aims to raise awareness among cloud service providers of the data protection issues that their current and prospective customers may need to address.
One of the ICO’s central messages is that processing data in the cloud may expose an organisation to data protection risks it had not previously encountered, so it is important that data controllers take the time to understand the risks that cloud computing presents.
The Guidance specifically addresses the following key areas:
- What cloud computing is: acknowledging that the term cloud computing is used to describe a wide range of technologies, the Guidance defines it as “access to computing resources, on demand, via a network” and provides an overview of deployment models (private/community/public clouds), service models (IaaS/PaaS/SaaS) and how different cloud services can be layered.
- How the DPA applies to information processed in the cloud: the DPA’s broad definition of “processing” is likely to cover most operations that take place in the cloud, including the mere storage of data. An organisation that is currently a data controller under the DPA will therefore remain one if it moves its data processing to the cloud.
- Identifying the data controller: because the cloud customer determines the purposes for which, and the manner in which, personal data is processed by the cloud provider, the customer will usually be the data controller and will bear overall responsibility for complying with the DPA. Where services are layered, a single cloud service may involve several data controllers and data processors, so the precise role of each cloud provider will need to be reviewed case by case.
- Responsibilities of the data controller: in addition to the responsibilities for the collection, storage and retention of personal data set out in the ICO’s Personal information online code of practice, a data controller that uses cloud computing may face compliance requirements it has not encountered before. These include deciding which data should be moved to the cloud, selecting the most appropriate cloud service and provider, entering into a written contract that imposes specific processing obligations on the provider as a data processor, and monitoring the provider’s performance.
- Selecting a cloud provider: the Guidance stresses the importance of assessing a prospective provider’s security arrangements and sets out the issues a cloud customer should consider, and the questions it should put to prospective providers, before choosing one. These include the provider’s technical and organisational security measures for data processing, its protection of data and use of encryption, control over access to data (including access by the provider itself), retention and deletion of data, and the use of cloud services located outside the UK.
- Checklist: the Guidance includes a concise one-page checklist of issues for current and prospective users of cloud services to consider.
The Guidance broadly reflects the opinion issued in July 2012 by the Article 29 Working Party on the application of EU data protection legislation to cloud computing. Together, the two documents give users and providers of cloud services in the UK welcome clarity on how the DPA applies to the cloud and on the steps that should be taken to ensure compliance.
Link to the Guidance: