Monthly Archives: July 2014

Data Protection and the ICO

Data privacy

Data Protection Complaints 2013 – 2014

Yesterday I read that the Information Commissioner’s Office handled 259,903 calls to its helpline and resolved 15,492 data protection complaints last year. This is an increase of 10% over the previous year. And here’s another staggering figure – the ICO received 161,720 reports from people about spam texts and nuisance calls.

Half the total complaints received related to “subject access”, and the organisations complained about included lenders, local government, educational providers and local health providers.

The importance of data protection in business

Organisations and businesses can no longer ignore the importance of data protection governance, compliance and security – they now have no choice but to understand and meet their regulatory requirements to avoid the penalties of non-compliance.  Last year’s attitude to and handling of ‘subject access requests’ is a perfect illustration of the current complacency seen among some data users.

The sheer volume of personal data being collected physically and digitally every day is multiplying at an extraordinary rate and organisations are continuing to find ever more complicated ways of using data.  Use of big data continues to develop with organisations trying to navigate their way through woefully outdated legislation.

The importance of the ICO

As a result, the data protection challenges to business, the consumer and the ICO are spiralling. It’s increasingly important for the data subject to know that a strong, independent body – which means the ICO – can be trusted to keep watch and offer protection.

With this increase in volume and demand, it’s hardly surprising that the ICO is calling for greater powers, greater independence, and additional funding.

Funding is a particularly difficult area as the EU data protection reforms currently propose the removal of the notification requirement and accompanying fees that fund the ICO’s DPA work. Lack of funding will inevitably give rise to cuts in the services provided by the ICO – for example, it has no legal obligation to provide a helpline, and reduced funding makes it unlikely to be able to continue to handle its current – let alone future – volumes of calls a year.

So it’s absolutely vital not only to individuals but also to businesses, organisations, government and the ICO itself that necessary resource, funding, independence and evolving powers are provided to allow the Information Commissioner to continue to protect, update and enforce data protection legislation.

ICO’s internal data security breach

However, it is somewhat unfortunate that at the time the ICO is asking for greater funding, independence and stronger powers, they are also admitting to their own “non-trivial” data breach. The incident was treated as a self-reported breach and was apparently investigated and treated no differently from similar incidents reported to the ICO by others. After an internal investigation the ICO concluded that the likelihood of damage or distress to any affected data subjects was low, and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted.

However, later information suggests that this breach is now linked to a criminal investigation. So the breach investigation has not, seemingly, been closed.

Data Compliant


If you have any concerns over data protection compliance or security, don’t hesitate to get in touch – call 01787 277742 or email



Data Compliance and Cloud Computing

It’s clear that the innovative and accessible technical services provided by cloud computing are increasingly being selected and used by businesses. And there are good reasons for doing so – not least accessibility, cost, reliability, resilience, and innovative products. However, there are also risks to data protection which data controllers need to consider, and they must be sure that their cloud processing activity complies with the Data Protection Act.

What is cloud computing?

Cloud computing covers a broad range of services and technology, but the Information Commissioner’s Office (ICO) defines it as:

“access to computing resources, on demand, via a network”

To explain:

Resources include storage, processing, software

On Demand simply means that the resources are available to the customer or user on a scalable, elastic basis, typically through virtualised resources

Via a Network refers to the transit of data to and from the cloud provider, which may be over a local or private network, or across the internet.

The Data Protection Act (DPA) and Cloud Computing

All operations involving personal data that take place in the cloud – including storage – must comply with the DPA, and it is the data controller who has ultimate responsibility for that compliance.

However, if layered cloud services are being used (eg different cloud providers of software, platforms or infrastructure) then it’s quite possible that there will be a number of data controllers and data processors working together to deliver services which include processing personal data.

The cloud customer is most likely to be the data controller, and will therefore have overall responsibility for complying with the DPA. However, depending on the precise role of the cloud provider, the customer must assess whether the cloud provider is simply a contracted data processor or is, indeed, a data controller in its own right – which may be the case if a cloud provider in any way determines the purpose(s) for which the personal data are to be processed. In this case the cloud provider will be responsible for its own data protection compliance.

12 Cloud-specific DPA Considerations

There are some specific considerations for data controllers who have moved or are considering moving personal data to the cloud. Below are twelve:

  1. What personal data is to be processed (and how) in the cloud, and what are the inherent data protection risks
  2. What steps can be taken to mitigate those risks (eg authorisation protocols)
  3. Who is the data controller
  4. What additional personal data may be collected in the cloud (eg usage stats, transaction histories of users and other such ‘metadata’)
  5. Does the cloud customer’s privacy policy provide adequate information about processing data in the cloud
  6. Does the cloud customer need to run a privacy impact assessment to identify any privacy concerns and address them from the beginning of the process
  7. Does customisation of an existing cloud service cause any additional privacy risks
  8. What monitoring, review and assessment requirements between cloud customer and cloud provider should be put in place to ensure the cloud service runs as expected and to contract
  9. What commitment does the cloud provider have to keep the cloud customer informed in the event of changes in the chain of sub-processors taking place during the provision of the cloud service
  10. A written contract is required by the DPA between the data controller and the data processor – beware of a cloud provider which offers terms and conditions with no opportunity for negotiation.  The risk that those terms and conditions may subsequently change needs to be taken into consideration.
  11. The data controller is responsible for the security of its data processor – assessment of the security of the cloud provider is mandatory
  12. Data outside the UK / EEA – the data controller must check the countries where data is likely to be processed and satisfy itself that the relevant security arrangements are in place

8 Essential Policies and Processes

Any business will benefit from formal, documented policies and procedures. Having made a decision to use cloud services, there are some specific requirements that are particularly important from a personal data compliance perspective:

  1. Access control – the data is, by the nature of cloud computing, accessible from any location – home, the office or on a range of devices.  Sufficient measures need to be put in place to prevent unauthorised access to the data
  2. Authentication processes – to verify that a cloud user is authorised to access the data
  3. A system is required to create, update, suspend and delete user accounts
  4. Leaver protocols need to be put in place
  5. Data retention and deletion policies are required – consider your cloud provider’s deletion issues across multiple locations and back-ups
  6. Cloud provider access policies need to be in place for occasions when the cloud provider needs access in order to provide services
  7. Staff training on cloud processes and controls is required to maintain the security of the cloud service
  8. Regular audits of procedures and policies in place will help ensure ongoing compliance

The cloud is here to stay.  If you’d like any information or have any concerns about your own cloud provider contracts, policies or compliance issues, please don’t hesitate to contact us:

01787 277742