On 1 July, the Article 29 Data Protection Working Party adopted a new Opinion, which identifies common data protection risks associated with cloud computing and provides a ‘checklist’ of recommendations for ensuring compliance with data protection legislation.
The majority of risks identified in the Opinion fall into two broad categories – lack of control and lack of transparency about the processing activities being undertaken.
The Opinion helpfully sets out the types of issues which should be covered in any contract a data controller enters into with a service provider for cloud computing, including:
- specification of minimum security measures that the service provider needs to comply with;
- an obligation on the service provider to provide a list of locations where the data may be stored and processed;
- notification of any requests for disclosure of personal data by a law enforcement authority (unless prohibited);
- rights to monitor and/or audit the service provider’s data processing activities; and
- specification of conditions for destroying and/or returning personal data on termination/expiry of the agreement.
The Working Party also highlights the need for public sector organisations to take ‘special precautions’ over and above what would be expected of the private sector in relation to cloud computing. This includes carrying out an assessment of whether the processing and storage of data outside the UK may expose the security and privacy of data subjects to ‘unacceptable risks’. The Working Party notes that this type of assessment will be particularly important in respect of sensitive databases, e.g. those that contain information about student disabilities or employees’ membership of trade unions.
As an interesting final point, the Working Party asks national governments and the European Union to consider whether the creation of a ‘supra-national virtual space’ might be appropriate to ensure that a consistent and harmonised set of rules applies to cloud computing in the public sector. I suspect, however, that this is just a pipe dream for now.
A full copy of the Opinion is available here.