“Store it host it develop it in the cloud” extols an HP website. With an increasing number of providers offering cloud-based solutions, businesses are likely to find themselves using cloud computing to provide additional resource for the processing or storage of data alongside their own in-house IT infrastructure.
The Information Commissioner has issued a timely reminder to businesses that they remain responsible for safeguarding personal data in their possession even where that data is passed to a cloud service provider.
ICO’s technology policy adviser Dr Simon Rice observes: “The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.”
The ICO guide reminds businesses of their obligations when using cloud providers. If something goes wrong and there is a data breach through the cloud provider, a business providing the personal data will be held responsible unless it can demonstrate that it took adequate steps to safeguard the security of that personal data. Businesses should therefore consider the following steps before entrusting personal data to a cloud provider:
- Seek assurances as to the security of the cloud network, and understand what systems are in place to stop someone hacking in or disrupting access to the data;
- Make enquiries as to the physical security of the cloud provider and location where the data will be stored;
- Put a written contract in place with the cloud provider guaranteeing that the security and protection for your data will remain the same through the duration of the contract;
- Put policies in place with regard to the use of cloud providers and the purposes for which data can be accessed;
- Ascertain whether data may be transferred to or accessed from locations outside the EC and, if so, check that the necessary legal obligations have been complied with.
The draft Data Protection Regulation currently before the European Parliament contains a proposal that will give individuals whose data is lost an additional right of action against a cloud provider who is at fault. However, that will not remove the primary responsibility for the security of that data from the business that was entrusted with it in the first place. Please see Related links for the ICO’s guidance on the use of cloud computing.