Cloud storage and the protection of personal information is a vexed and difficult issue to deal with.  Under the Australian Privacy legislation a local entity that provides personal information to a storage facility outside Australia may be exposed to liability that arises if the external storage provider breaches the Australian Privacy Principles.

In 2012, the European Cloud Computing Society identified the absence of an internationally accepted and robust framework for the processing of personal data by cloud service providers as a material barrier for the more widespread adoption of cloud computing.  As a result of such concerns, the International Organisation for Standardization and the International Electro Technical Commission worked to create a cloud specific/privacy related international standard that could be applied.

The result is ISO/IEC27018:2014 which establishes commonly accepted objectives, controls and guidelines for implementing measures to protect personally identifiable information in accordance with privacy principles.

Amongst other things, a provider of cloud services who wishes to be certified under ISO/IEC27018 must comply with the following points but also must submit themselves to auditing by an accredited certification body:

  • Personal information must only be dealt with in accordance with the customer’s instructions.
  • Redundancies must be built into their systems to ensure that personal data is not processed otherwise than in accordance with the customer’s instructions.
  • If subcontractors are to be utilised, details of such subcontractors must be provided and confirmation of the location of the storage notified.  Unauthorised access must be notified immediately.
  • Assistance must be given to customers in responding to access requests.
  • Where personal data is available to law enforcement authorities, it will be provided only when legally compelled to do so and where legally permissible, customers must be notified in advance of the disclosure.
  • Express consent is required for use of personal data for marketing or advertising.  Consent cannot be made a condition of receiving the cloud services.
  • There must be a formal policy for return, transfer and deletion of personal data.
  • Where public data networks are utilised, security measures (predominantly encryption) must be implemented.
  • There are restrictions on the creation of hard copy materials relating to personal data, maintenance of logs and data access.

Certification under the Standard is relatively new and it is not clear how many cloud suppliers have sought or obtained certification at this point.

Having said that, for the protection of personal information when cloud facilities are to be utilised, looking for a certified cloud supplier under ISO/IEC27018:2014 may be a step towards ensuring greater protection of personal data.

In Australia, you should ensure that any party to whom you release personal information has agreed, in writing, to comply with the Australian Privacy Principles. Failure to obtain such agreement could put your company at risk.