It’s clear that the innovative and accessible technical services provided by cloud computing are increasingly being selected and used by businesses. And there are good reasons for doing so – not least accessibility, cost, reliability, resilience, and innovative products. However, there are also risks to data protection which data controllers need to consider and be sure that such their cloud processing activity complies with the Data Protection Act.
What is cloud computing?
Cloud computing covers a broad range of services and technology, but the Information Commissioner’s Office (ICO) defines it as:
“access to computing resources, on demand, via a network”
Resources include storage, processing, software
On Demand simply means that the resources are available to the customer or user on a scalable, elastic basis, typically through virtualised resources
Via a Network refers to the transit of data to and from the cloud provider, which may be over a local or private network, or across the internet.
The Data Protection Act (DPA) and Cloud Computing
All operations involving personal data that take place in the cloud – including storage – must comply with the DPA, and it is the data controller who has ultimate responsibility for that compliance.
However, if layered cloud services are being used (eg different cloud providers of software, platforms or infrastructure) then it’s quite possible that there will be a number of data controllers and data processors working together to deliver services which included processing personal data.
The cloud customer is most likely to be the data controller, and will therefore have overall responsibility for complying with the DPA. However, depending on precisely the role of the cloud provider, the customer must assess whether the cloud provider is simply a contracted data processor or is, indeed, a data controller in its own right – which may be the case if a cloud provider in any way determines the purpose(s) for which the personal data are to be processed. In this case the cloud provider will be responsible for its own data protection compliance.
12 Cloud-specific DPA Considerations
There are some specific considerations for data controllers who have moved or are considering moving personal data to the cloud. Below are twelve:
- What personal data is to be processed (and how) in the cloud, and what are the inherent data protection risks
- What steps can be taken to mitigate those risks (eg authorisation protocols)
- Who is the data controller
- What additional personal data may be collected in the cloud (eg usage stats, transaction histories of users and other such ‘metadata’)
- Does the cloud customer need to run a privacy impact assessment to identify any privacy concerns and address them from the beginning of the process
- Does customisation of an existing cloud service cause any additional privacy risks
- What monitoring, review and assessment requirements between cloud customer and cloud provider should be put in place to ensure the cloud service runs as expected and to contract
- What commitment does the cloud provider have to keep the cloud customer informed in the event of changes in the chain of sub-processors taking place during the provision of the cloud service
- A written contract is required by the DPA between the data controller and the data processor – beware of a cloud provider which offers terms and conditions with no opportunity for negotiation. The risk that those terms and conditions may subsequently change needs to be taken into consideration.
- The data controller is responsible for the security of its data processor – assessment of the security of the cloud provider is mandatory
- Data outside the UK / EEA – the data controller must check the countries where data is likely to be processed and satisfy itself that the relevant security arrangements are in place
8 Essential Policies and Processes
Any business will benefit from formal, documented policies and procedures. Having made a decision to use cloud services, there are some specific requirements that are particularly important from a personal data compliance perspective:
- Access control – the data is, by the nature of cloud computing, accessible from any location – home, the office or on a range of devices. Sufficient measures need to be put in place to prevent unauthorised access to the data
- Authentication processes – to verify that a cloud user is authorised to access the data
- A system is required to create, update, suspect and delete user accounts
- Leaver protocols need to be put in place
- Data retention and deletion policies are required – consider your cloud provider’s deletion issues across multiple locations and back-ups
- Cloud provider access policies need to be in place for occasions when the cloud provider needs access in order to provide services
- Staff training on cloud processes and controls is required to maintain the security of the cloud service
- Regular audits of procedures and policies in place will help ensure ongoing compliance
The cloud is here to stay. If you’d like any information or have any concerns about your own cloud provider contracts, policies or compliance issues, please don’t hesitate to contact us: