Cloud computing and data protection

Some information extracted from a guide we'll be publishing soon on the data protection implications of cloud utilisation (this will form part of a series of data protection guides published on the Small Business Network on the Guardian, written by Evelynne Wilson and me). This is advice aimed at businesses considering cloud adoption, and outlines the key data protection considerations when making a decision to move to the cloud.

Introduction

Many businesses now look to store their data virtually (i.e. not storing some or all of their data on their own computing equipment).  This is known as cloud computing.

This can be a complex area for data protection and information security concerns. This guidance aims to introduce areas of consideration when your organisation looks to use cloud services; however, it does not replace advice given for a specific scenario.

Types of cloud services

All cloud services work on the basis of a service being provided to your company through the internet.

Software as a Service (SaaS) – signing up for access to software from a cloud service provider means that, instead of buying licences for the different terminals/users in your office, the software and its documents can be accessed from any location. The software may be hosted on a cloud platform or infrastructure, e.g. online document storage such as Google Docs or Microsoft 365.

Platform as a Service (PaaS) – allows you to write applications to run within the platform, or another instance of it. This may be hosted on a cloud IaaS – for example, taking the existing functionality of the platform and building on it, e.g. to create an online shopping platform.

Infrastructure as a Service (IaaS) – the raw computing resources of a cloud service: instead of purchasing the hardware, you purchase access to the cloud service provider’s hardware according to the capacity required, e.g. running a test version of a new application without having to buy additional hardware for the short testing period.

You may be thinking about adopting one or more of these types of service. For example, if you were using SaaS for only one type of software, e.g. spreadsheets, then the cloud service provider will only have access to any personal data within that application. However, use of PaaS or IaaS could mean the cloud service provider can access more personal data, in different programs or in different forms – and notably, that you are potentially transferring more personal data outside of the EEA.

Data protection implications

The main data protection implications of all cloud service options relate to the 7th (security) and 8th (international data sharing) data protection principles.

Other data protection principles that are likely to be affected are 1, 5 and 6:

(1) Personal data must be processed fairly and lawfully

(5) Personal data must not be kept for longer than necessary

(6) Personal data must be processed in line with data subjects’ rights.

It is important to note that different cloud service providers might be offering the separate layers of the service. This means that you may end up dealing with a number of providers and need multiple contracts in place to control and protect your company’s personal and confidential data.

The storage of personal data amounts to a processing activity. This means that when you are contracting with a cloud service provider you need to keep in mind that they will process the data simply by holding it. The contract should also set out what other processing the cloud service provider is allowed to do. A big concern will revolve around the seventh data protection principle regarding the security of the data.

In 2012 both the Information Commissioner’s Office (ICO) and the Article 29 Working Party (a European independent advisory group set up under European Directive 95/46/EC) issued guidance on the use of cloud computing. Both of these regulatory bodies recognise the benefits of using cloud services while raising important considerations for businesses before setting up agreements with the service providers.

The Data Controller will remain responsible for complying with data protection obligations while the personal data is within the cloud. As such, it is ultimately their responsibility to run checks on the service provider and to ensure there is an adequate contract in place. An adequate contract will contain guarantees from the service provider regarding their technical and organisational security measures; clauses detailing the instructions that you are giving to the service provider; and clauses covering authorised access, disclosure of data to third parties and notification before disclosure.

Ideally, before engaging a cloud service provider, someone within your company should conduct a Privacy Impact Assessment (also known as a Data Protection Impact Assessment) on the type of information that will be held in the cloud, along with checks on the security of the provider. This will help highlight data protection concerns that need to be addressed before you start using the service, and should increase the transparency of how the personal data will be processed within the cloud. By understanding the risks beforehand you can implement safeguards to protect the personal data.

Data protection and information security problems may arise because of a lack of transparency when dealing with cloud service providers, especially over where they are hosting the information. This lack of transparency can arise because the cloud service provider refuses to answer the questions that you have regarding how they will be processing the content that you give them. Alternatively, they might be ambiguous in their answers or unwilling to make changes to their procedures to suit your requirements.

If you cannot find a way to get information about these considerations you might find it difficult to comply with the 7th and 8th data protection principles. For the 7th principle you need to know that there are appropriate technical and organisational security measures in place, both at your company and at the cloud service provider’s company. This means having an understanding of the technical protection they have in place, such as encryption, staff logins etc., through to the training they give staff and the policies they follow (organisational security). You may not be complying with the 8th data protection principle because you will not know where the cloud service provider may be storing your personal data (i.e. where their servers are located), which means that you cannot ensure there are adequate safeguards in place for transferring the data internationally.

For the 8th principle you need to know the location of the service provider’s servers that will store your data at any given point in their processing method. This is because being stored on a server amounts to a transfer of personal data. After establishing that it is personal data that is being entered into the cloud, you then need to be aware of whether the information is being transferred or whether it will only be in transit. Information is considered to be transferred when it has reached a destination where it will be processed, i.e. stored or manipulated in some way. If the information moves through data centres before coming to rest, then you will probably only need to concern yourself with the start and end points of the transfer, and not the intermediary transit data centres.

The Act states that personal data must not be transferred outside of the European Economic Area (EEA) unless there are adequate controls. There are some exemptions to this; the most common are sending the data to a country deemed adequate, the recipient being registered with the Safe Harbor scheme (US only), or your own finding of adequacy. The ICO has produced guidance on considerations for international data transfers, available here.

Additionally, the 4th, 5th and 6th principles are affected because there are potentially more copies of the personal data than if you kept the personal data out of the cloud. For the copies held with the cloud service provider you do not have the same level of control over what happens to the data, which again highlights the importance of having a strong contract in place so that you can dictate when the information should be deleted, how it is processed etc. Another consideration affecting how up to date the personal data is, and how long it is kept, is how many copies get made while the information is being processed in the cloud. It is probable that some back-up copies will be made – you should obtain guarantees that back-up copies will also be deleted within the timeframe that you give.

Being able to access work information through an internet connection could easily lead to more people accessing the work systems from outside of the office, e.g. when they are travelling for business purposes or working from home. This can easily happen where documents are stored online, e.g. Google Docs or Microsoft Office 365. These possibilities bring with them other considerations regarding the security of the personal data that staff may be accessing: do you want your staff to be able to work from outside of the office and, if so, how will you ensure that the personal data/confidential information remains secure and is processed in compliance with the DPA?

Following the latest guidance from the ICO and the European Article 29 Working Party, there are a number of key clauses/content that should be present in any contract between the data controller and the cloud service provider (although you might struggle to negotiate these with large cloud providers).

  1. The contract should be in a written form.
  2. The cloud service provider (processor) should be obliged to inform the data controller (cloud customer) of any changes to the service or any sub-controller(s) [and entitle the controller to terminate the contract if it does not agree with the new sub-controller].
  3. Clauses to allow the data controller to stop any changes to the processing service/the sub-processor(s).
  4. For sub-contractors to be used there needs to be consent from the data controller (can be general consent and contained in the contract).
  5. The contracts between cloud provider and sub-controllers must reflect the obligations placed on the cloud provider by the data controller.
  6. The time frame for the processing set by the data controller.
  7. The jurisdiction for the contract.
  8. Penalties the controller can impose for the non-compliance by the cloud provider or their chosen sub-contractors.
  9. Clauses limiting access to the data to authorised employees.
  10. Clauses for the disclosure of the data to third parties e.g. national law enforcement agencies – the data controller should always be notified, unless the notification is prohibited by law.
  11. The countries where data may be located at any given stage of the process.
  12. That the cloud provider must comply with requests for copies of the data from the data controller.
  13. That the cloud provider must co-operate in fulfilling data subject access requests.
  14. The cloud provider must not act in a way that hinders the exercising of data subjects’ rights.
  15. That the cloud provider is responsible for securing the confidentiality of the data.
  16. Cloud provider’s guarantees for technical security.
  17. Cloud provider’s guarantees for organisational measures.
  18. Clauses regarding the logging and auditing of the process.
  19. An obligation on the cloud provider to ensure that any sub-contractors used comply with the Data Protection Directive 1995.
  20. Inclusion of measures to improve availability, integrity, confidentiality, isolation, intervenability and portability of the data.
  21. Clauses for data retention – the data held by the cloud provider should be deleted in line with the data retention policies of the data controller.
  22. Clauses for all copies of the data (including back-up data) to be deleted as required.
  23. A clause about what the cloud provider has to do once the time frame has ended/processing is no longer required.
  24. Clauses for the encryption of the data.
  25. Clauses for the encryption of communication to the servers holding the data.