On 27 September 2012 the Information Commissioner’s Office (ICO) published a set of guidelines for businesses in relation to cloud computing. With increasing numbers of organisations moving to the cloud, the guidance sets out the potential risks, details practical steps for customers to follow when selecting a cloud provider and serves as an important reminder to companies that they remain responsible for personal data even after it has been handed to a cloud provider.
The guidance begins by addressing the application of the rules contained in the Data Protection Act (DPA) to the processing of information in the cloud. The DPA covers all ‘personal data that is processed’. As ‘processing’ is defined very widely it will include most operations occurring in the cloud, including the simple storage of data.
The distinction between data controller and data processor can sometimes be murky; this is particularly true for cloud computing. The guidance runs through the three main types of cloud deployment model (private, community and public) and considers which role will be filled by the customer and provider. As the cloud customer will be making decisions on the purposes and manner in which the data are processed, it will generally be the data controller and therefore be ultimately liable for compliance with the DPA. However, the precise role of the cloud provider should be reviewed on a case-by-case basis to determine whether it is processing personal data to such an extent that it could be operating as a data controller in its own right.
The guide then highlights the following key areas, which should be considered by companies looking to move the processing of personal data to the cloud:
Codification of the relationship
•The DPA requires the data controller to have a written contract with the data processor, which includes obligations on the processor to “act only on instructions from the data controller” and to “comply with security obligations equivalent to those imposed on the data controller itself”. Many cloud providers offer ‘take it or leave it’ terms and conditions when signing up to the service. Therefore, cloud customers should take care to check that any terms of service allow them to retain sufficient control over the data to avoid falling foul of their DPA obligations.
Auditing/Monitoring the cloud provider
•As the DPA requires data controllers to take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data”, companies should be careful when choosing a cloud provider and ensure that the provider offers sufficient guarantees about their technical and organisational security measures, which should also be precisely spelled out in the contractual documentation.
•An audit (including an inspection of the provider’s premises) should be carried out to review the security measures of any potential data processor. However, the ICO recognises the logistical difficulty of multiple customers conducting individual audits. Therefore, the guidance recommends that the cloud provider instruct an independent third party to conduct a detailed security audit of its service, which can then be made available to prospective customers.
•Where cloud services are layered, this assessment should include assurances that the security of any sub-processor complies with the same security requirements set out by the cloud provider.
•Customers should recognise that their obligations as data controller do not end once the cloud provider is selected. Ongoing monitoring, review and assessment is necessary to ensure that the service is run properly as set out in the terms of the contract.
Protection of data
•Data ‘in transit’ between endpoints should be encrypted to ensure that it is secure and protected from interception. The encryption algorithm should meet recognised industry standards.
•It may be appropriate for cloud customers to use encryption on data ‘at rest’ (i.e. stored within a cloud service). When making this decision, the sensitivity of the data should be considered along with the type of processing undertaken in the cloud.
•Remote access to the data by users should be protected by a robust authentication process, and a clear policy should be put in place to dictate the situations in which the cloud provider itself may access the personal data.
•There is an increased risk when a single cloud provider acts as a data processor for multiple cloud customers in a multi-tenancy environment. Robust safeguards should be put in place to prevent any data ‘mix-ups’.
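The two points above, encryption of data at rest under the customer’s own control and protection against one tenant’s data being confused with another’s, can be met together by encrypting objects client-side before upload with an authenticated cipher and binding the tenant and object identity into the ciphertext. The following Go program is an added example written for this page, not code from the ICO guidance; the in-memory key, the tenant and object names and the `CustomerKey` type are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CustomerKey wraps an AES-256-GCM key that stays with the cloud customer.
// The provider only ever receives the sealed blobs. In a real deployment the
// raw key would live in a KMS or HSM under the customer's control; here it is
// generated in memory purely for the example (assumption).
type CustomerKey struct {
	aead cipher.AEAD
}

// NewCustomerKey builds the AEAD from a 32-byte AES-256 key.
func NewCustomerKey(raw []byte) (*CustomerKey, error) {
	if len(raw) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CustomerKey{aead: aead}, nil
}

// aad binds the tenant and object identity to the ciphertext. A blob copied
// into another tenant's namespace, or renamed, will fail authentication.
func aad(tenant, object string) []byte {
	return []byte(tenant + "/" + object)
}

// Seal encrypts an object before upload. Output layout: nonce || ciphertext || tag.
// With random 96-bit nonces a single key should not seal more than ~2^32 objects
// before rotation; rotation is left to the caller (assumption).
func (k *CustomerKey) Seal(tenant, object string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, aad(tenant, object)), nil
}

// Open decrypts a blob fetched from the provider, checking it belongs to the
// stated tenant and object. Any mismatch or tampering returns an error.
func (k *CustomerKey) Open(tenant, object string, blob []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(blob) < n+k.aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return k.aead.Open(nil, blob[:n], blob[n:], aad(tenant, object))
}

func main() {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	key, _ := NewCustomerKey(raw)

	// Constructed sample record; the tenant and object names are made up.
	record := []byte("name=Jane Doe;dob=1980-01-01")
	blob, _ := key.Seal("tenant-a", "customers/42.json", record)

	// Correct tenant and object: decrypts.
	pt, err := key.Open("tenant-a", "customers/42.json", blob)
	fmt.Println(bytes.Equal(pt, record), err)

	// Same blob served under another tenant's path: rejected.
	_, err = key.Open("tenant-b", "customers/42.json", blob)
	fmt.Println(err != nil)
}
```

The provider still stores and replicates the blob as it sees fit, but without the customer’s key it cannot read it, and a blob that surfaces under the wrong tenant or object name is rejected rather than silently returned.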
Data retention and deletion
•The DPA contains specific provisions that deal with the deletion of data. Cloud customers should ensure that the cloud provider can delete all copies of personal data within a timescale in line with the customer’s own deletion schedule. This may be complicated by the fact that cloud providers often maintain multiple copies of data for resiliency reasons.
•Under the DPA, personal data should be obtained only for specified and lawful purposes and should not be further processed in any manner incompatible with those specified purposes. The contract for the provision of the cloud service should therefore prevent the cloud provider from using the data for any of its own purposes.
•The ICO notes that a number of Software as a Service (SaaS) products are supported by targeted advertising based on the personal data of cloud users. Cloud providers should be careful to get specific authorisation for this from the cloud customer and the customer should ensure that their own end-users are fully aware of how their data are being processed.
Using cloud services from outside the UK
•The DPA imposes restrictions on personal data being transferred outside of the EEA. Therefore, cloud customers should request from a potential provider a list of countries where data are likely to be processed along with the safeguards in place in each location.
For further information and the European perspective on the topic of data protection and cloud computing, the Article 29 Working Party has published opinion 05/2012 on cloud computing, which was adopted on 1 July 2012.