The Information Commissioner has published new Guidance on the Use of Cloud Computing for organisations who are, or are considering, using cloud services to process personal data. The benefits of clouds are recognised: these may include “increased security, reliability and resilience for a potentially lower cost”. However cloud customer organisations may also “encounter risks to data protection that they were previously unaware of”. The guide uses a wide definition of cloud computing – “access to computing resources, on demand, via a network”, and recognises that clouds may be layered, for example software as a service may run on infrastructure as a service from a different cloud provider.
The starting point is that moving processing from in house to a cloud service does not change the organisation’s legal status as data controller for any personal data. The same organisation still has overall responsibility for data protection compliance, even though as a cloud customer processing may be shared with cloud providers acting either as data processors or data controllers. Moving to cloud may even create new processing (for example of users’ access and activity logs) and introduce new compliance requirements.
The law requires that there be a written (which includes electronic “writing”) contract between the cloud customer organisation and the cloud provider. Cloud customers should “take care” of entering into contracts that are not negotiable or that allow the provider to change the contract terms without the customer’s agreement. If necessary the organisation should choose a provider based on the appropriateness of its contract. Performance of the contract should be monitored and reviewed to ensure that expectations and contractual duties are being met; for layered services the cloud provider needs to inform the customer of any changes to its arrangements for the underlying platform(s).
The Guide’s approach to compliance is based on risk: “often, the question may be not whether the personal data should be put into the cloud but what the data protection risks are and whether those risks can be mitigated”. The cloud customer should select and document which data and which processes are done by which provider: there may be some processing and data that need to be kept in house because they represent a particular risk. For large or complex services, a formal Privacy Impact Assessment may be appropriate.
Assessing and mitigating risks is mostly about understanding what will and may happen to information and what measures are in place to protect it. Security (both electronic and physical) of the cloud service is obviously an important issue, though it may be more appropriate for the provider to have this audited and monitored by a third party rather than individually by every customer. Customers should know what access control and encryption (both for information in transit and at rest) are used and ensure they are suitable for the sensitivity of the information. Where security or access tools are available to the customer, staff should be trained in how to use them correctly. The service’s policies on data deletion (especially if the customer withdraws from the service) and access by the provider (for example for support services) should be checked. Additional processing by the provider should only be permitted with the agreement of the customer. These questions are summarised in a helpful one page checklist.
International transfers of information are often a concern in using cloud services, but here the Information Commissioner’s Guide continues its risk assessment approach. Cloud customers should know where data may be processed, under what conditions and subject to what safeguards. The Guide includes examples on page 19 and 20 of processing both inside and outside the European Economic Area and shows the kind of safeguards that may be appropriate. Finally there is a recognition that cloud providers in any country may be required to disclose information to law enforcement authorities; the Guide concludes that provided the customer had contracted for appropriate safeguards and the provider had only disclosed in response to a legitimate legal requirement, regulatory action against either would be “unlikely”.
The Guidance is a positive approach to an important new technology.