Data Protection In The Cloud
Andrew Spencer
Part-time freelance - IT, Operations & Marketing. Project management and consultation.
Cloud computing is developing rapidly. More and more organisations are using cloud-based applications and storing vast amounts of data there. Why? Because it is cost-effective ...
Although cloud computing is hugely convenient, you must ensure you have a complete understanding of the data protection laws which will keep you on the right side of the UK Information Commissioner!
It is easy to sign up to cloud services, and often departments within companies will do so without reference to the IT powers that be. If they feel their IT department is not meeting their needs, they will just go ahead and obtain what they need elsewhere. With or without this factor, there are issues with data protection!
With most big cloud service providers - and Google is an obvious one - you do not know where your data is being stored. When data is stored outside the UK or EU there is a higher risk of violating the Data Protection Act (DPA).
You need to dictate where you store your data!
To quote the UK's Information Commissioner's Office (ICO), the organisation that polices the DPA and provides much guidance: "In cloud computing, it will be the cloud customer who will determine the purposes for which and the manner in which any personal data are being processed. Therefore it is the cloud customer who will most likely be the data controller and therefore will have overall responsibility for complying with the DPA."
It is quite clear that moving data into the cloud and generating data there increases the need for vigilance in protecting the data. Services are often multi-layered, involving multiple service providers and multi-tenancy. With the latter, more than one (and often many thousands of) organisations' data is on a discrete server cluster at the same time.
UK organisations have to pay particular attention in cases where data may be stored in the United States. The likelihood of data being stored in the US is high as it is the most developed market for cloud computing.
The US is not on the White List of countries the EU recognises as having implemented adequate data protection standards!
The ICO has published a very useful set of guidance, running to 24 pages (an international version is available at https://ico.org.uk/for-organisations/guide-to-data-protection). The messages that come across loud and clear are that the cloud customer (as quoted above) is most likely to be the data controller and that in moving their activity to the cloud, it is essential to conduct a risk assessment surrounding personal data, i.e. the data covered by the DPA.
It is important to understand that the focus here is personal data. The ICO is not concerned with your sales data, other than contact/customer data.
Here is a good example of assessing risk taken from the guidance document:
- A school is considering expanding its computer facilities by converting two classrooms to computer rooms. Traditionally this would require the appropriate software licences for each computer. If it switches to a cloud-based SaaS model for some software, it expects to have lower overall licensing and maintenance costs.
- An online productivity suite would allow students remote access to their work and other educational resources. If personal data such as student assessment, attainment or attendance data were transferred to the cloud service, they may not be adequately protected, for example against unauthorised access if the cloud service does not have proper authentication controls.
- The school determines that the cloud service must only be used for student work and educational resources and retains the existing network for staff to process personal data of the students.
Keeping personal data in the terrestrial environment - and inside the organisation's network perimeter - would seem to be a good way to ensure protection in many cases.
The Guidance also talks about having the right level of contract and being wary of 'standard' terms and conditions - ones where there is no room for negotiation. It also states that the DPA requires the data controller to be satisfied about the technical and organisational security of the cloud provider, where the provider processes data on the controller's behalf. It also suggests that encrypting the data really helps in securing and protecting it.
So this brings us back to the issue of data held in data centres outside the EU (and European Economic Area). The DPA requires that personal data:
"Shall not be transferred to any country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
You can find detailed guidance on how to determine the adequacy of protection in relation to international transfers of data here. Unfortunately this advice is now out of date!
The EU further complicates the position and is driving reform and tightening of the rules!
The last set of regulations in 1995 prompted the 1998 DPA, which is the governing legislation in the UK currently. A committee within the EU has approved the EU Commission's proposed reforms, which will now be implemented (as regulations rather than a directive, i.e. they will be imposed).
The changes appear to override bilateral agreements such as the Safe Harbour Agreement between the US and the EU. This agreement provides some measure of comfort to those multinational organisations that need to move personal data between countries, but the obligations to protect remain and are being strengthened.
In the meantime the European Court of Justice has overridden the Safe Harbour agreement, so the EU's careful stepping is academic. The Safe Harbour agreement is no more. The bottom line is that if you store personal data, do it in the EU! If you use Google, Amazon, Microsoft etc. as your cloud provider, insist on European cloud servers and data stores.
All in all, this is a complicated area. For bigger companies with legislation compliance teams, this is a manageable area, except of course when managers act unilaterally, but for small and medium organisations, who are increasingly using the cloud, this is a potentially expensive minefield. Store European!
Read my blog at www.andrewspencer.uk.com.
Call me on +44 (0) 1908 565460 if you'd like to know more.
© 2015 by Andrew Spencer
Retired
9 years ago
Good summary. How many small organisations are aware of this and follow the advice?