ICO fires warning after publishing guidance on use of cloud computing

The Information Commissioner’s Office has published guidance on the use of cloud computing, warning that organisations remain responsible for how personal data is looked after even when it is passed on to cloud network providers.

The guide, which can be viewed here, covers issues such as how the Data Protection Act applies to information processed in the cloud, the responsibilities of the data controller, and the selection of a cloud provider.

It provides a range of tips, including that organisations should:

  • Seek assurances on how their data will be kept safe. “How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting access to the data?”
  • Think about the physical security of the cloud provider. “Your data will be stored on a server in a data centre, which needs to have sufficient security in place.”
  • Have a written contract in place with the cloud provider. “This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.”
  • Put a policy in place to make clear the expectations you have of the cloud provider. “This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.”
  • Not forget that transferring data internationally brings a number of obligations – “that includes using cloud storage based abroad”.

The watchdog cited the case of Scottish Borders Council as an example of the possible consequences of failing to put appropriate controls in place when hiring an external contractor.

The council was issued with a £250,000 monetary penalty – a record sum for local government – earlier this month after former employees’ pension records were discovered in an over-filled paper recycling bank.

Scottish Borders had no contract in place with the third party engaged to digitise the records and sought no guarantees on security.

Dr Simon Rice, ICO technology policy advisor, said: “The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can out-source some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.”

The watchdog has also published advice for the public on cloud computing. This can be found here.