Some information extracted from a guide we'll be publishing soon on data protection implications of cloud utilisation... (this will form part of a series of data protection guides published on the Small Business Network on the Guardian, written by Evelynne Wilson and me). This is advice aimed at businesses considering cloud adoption, and outlines key data protection considerations when making a decision to move to the cloud.
Many businesses now look to store their data virtually (i.e. not storing some or all of their data on their own computing equipment). This is known as cloud computing.
This can be a complex area for data protection and information security concerns. This guidance aims to introduce areas of consideration when your organisation looks to use cloud services; however, it does not replace advice given for a specific scenario.
Types of cloud services
All cloud services work on the basis of a service being provided to your company through the internet.
Software as a Service (SaaS) – signing up for access to software from a cloud service provider means that, instead of buying licences for each of the terminals/users in your office, the software and its documents can be accessed from any location. The software may be hosted on a cloud platform or infrastructure, e.g. the storing of documents online with Google Docs or Microsoft 365.
Platform as a Service (PaaS) – allows you to write applications to run within the provider's platform, or another instance of it. The platform may itself be hosted on a cloud IaaS. An example is taking the existing functionality of a network and building on it, e.g. online shopping platforms.
Infrastructure as a Service (IaaS) – the raw computing resources of a cloud service: instead of purchasing the hardware, you purchase access to the cloud service provider’s hardware according to the capacity required, e.g. running a test version of a new application without having to buy additional hardware for the short testing period.
You may be thinking about adopting one or more of these types of service. For example, if you were using a SaaS for only one type of software, e.g. spreadsheets, then the cloud service provider will only have access to any personal data within those applications. However, use of PaaS or IaaS could mean the cloud service provider can access more personal data in different programs or in different forms – and notably, that you are potentially transferring more personal data outside of the EEA.
Data protection implications
The main data protection implications of all cloud service options relate to the 7th (security) and 8th (international data sharing) data protection principles.
Other data protection principles that are likely to be affected are 1, 5 and 6:
(1) Personal data must be processed fairly and lawfully
(5) Personal data must not be kept for longer than necessary
(6) Personal data must be processed in line with data subjects’ rights.
It is important to note that different cloud service providers might be offering the separate layers of the service. This means that you may end up dealing with a number of providers and need multiple contracts in place to control and protect your company’s personal and confidential data.
The storage of personal data amounts to a processing activity. This means that when you are contracting with a cloud service provider you need to keep in mind that they will process the data simply by holding it. The contract should also set out what other processing the cloud service provider is allowed to do. A big concern will revolve around the seventh data protection principle regarding the security of the data.
In 2012 both the Information Commissioner’s Office (ICO) and the Article 29 Working Party (a European independent advisory group set up under the European Directive 95/46/EC) issued guidance on the use of cloud computing. Both of these regulatory bodies recognise the benefits of using cloud services while raising important considerations for businesses before setting up agreements with the service providers.
The Data Controller will remain responsible for complying with data protection obligations while the personal data is within the cloud. As such it is ultimately their responsibility to run checks on the service provider and to ensure there is an adequate contract in place. An adequate contract will contain guarantees from the service provider regarding their technical and organisational security measures; clauses with the details of the instructions that you are giving to the service provider; and clauses for authorised access and disclosure of data to third parties and notification before disclosure.
Ideally before engaging a cloud service provider, someone within your company should conduct a Privacy Impact Assessment (AKA a Data Protection Impact Assessment) on the type of information that will be held in the cloud along with checks on the security of the provider. This will help highlight data protection concerns that need to be addressed before you start using the service, and should increase the transparency of how the personal data will be processed within the cloud. By understanding the risks beforehand you can implement safety steps to protect the personal data.
Data protection and information security problems may arise because of a lack of transparency when dealing with cloud service providers, especially over where they are hosting the information. This lack of transparency can arise because the cloud service provider refuses to answer the questions that you have regarding how they will be processing the content that you give them. Otherwise they might be ambiguous in their answers or not be willing to make changes to their procedures to suit your requirements.
If you cannot find a way to get information about these considerations you might find it difficult to comply with the 7th and 8th data protection principles. For the 7th principle you need to know that there are appropriate technical and organisational security measures in place, both at your company and at the cloud service provider’s company. This means having an understanding of the technical protection they have in place, such as encryption, staff logins etc., through to the training they give staff and the policies they follow (organisational security). You may not be complying with the 8th data protection principle if you do not know where the cloud service provider may be storing your personal data (i.e. where their servers are located), because you cannot then ensure there are adequate safeguards in place for transferring the data internationally.
For the 8th principle you need to know the location of the service provider’s servers that will store your data at any given point in their processing. This is because being stored on a server amounts to a transfer of personal data. After establishing that it is personal data that is being entered into the cloud, you then need to be aware of whether the information is being transferred or whether it is merely in transit. Information is considered to be transferred when it has reached a destination where it will be processed, i.e. stored or manipulated in some way. If the information moves through data centres before coming to rest, then you will probably only need to concern yourself with the start and end points of the transfer, and not the intermediary transit data centres.
The Act states that personal data must not be transferred outside of the European Economic Area (EEA) unless there are adequate controls. There are some exemptions to this; the most common are sending the data to an adequate country, the recipient being registered with the Safe Harbor scheme (US only), or your own finding of adequacy. The ICO has produced guidance on considerations for international data transfers.
Additionally, the 4th, 5th and 6th principles are affected because there are potentially more copies of the personal data than if you kept the personal data out of the cloud. For the copies held with the cloud service provider you do not have the same level of control over what happens with the data, which again highlights the importance of having a strong contract in place so that you can dictate when the information should be deleted, how it is processed, etc. Another consideration affecting how up to date the personal data is and how long it is kept is how many copies get made while the information is being processed in the cloud. It is probable that some back-up copies will be made – you should obtain guarantees that back-up copies will also be deleted in the timeframe that you give.
Being able to access work information through an internet connection could easily lead to more people accessing the work systems from outside of the office, e.g. when they are travelling for business purposes or working from home. This can easily happen where documents are stored online, e.g. Google Docs, Microsoft Office 365. These possibilities bring with them other considerations regarding the security of the personal data that staff may be accessing: do you want your staff to be able to work from outside of the office and, if so, how will you ensure that the personal data/confidential information remains secure and is processed in compliance with the DPA?
Following the latest guidance from the ICO and European Article 29 Working Party there are a number of key clauses / content that should be present in any contract between the data controller and cloud service provider (but you might struggle to negotiate with large cloud providers).