ICO issues guidelines for data privacy in the cloud

Summary: The data watchdog has published a code of practice for businesses that need to protect sensitive personal data held online, including in the cloud

The UK data protection watchdog has issued a guide for small businesses to help them protect customers' personal information online.

Part of the code of practice, which was published on Wednesday, is designed to help small businesses query cloud providers on how they protect data in their care, said the Information Commissioner's Office (ICO).

"The cloud-computing code of practice will help [SMEs] not just comply with the law, but to run their businesses well," Iain Bourne, the ICO's group manager of policy delivery, said at the Cloud Computing World Forum on Tuesday last week.

Bourne noted that if a cloud provider allows sensitive customer data to be compromised, the responsibility for the breach still lies with the small business that has the relationship with the customers. In April, the ICO gained the power to fine companies up to £500,000 for such data breaches.

ICO head Christopher Graham said in a statement on Wednesday that while companies could greatly benefit from use of the internet, they should also be aware of the risks.

"Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don't need and you are likely to diminish customer trust and face enforcement action from the ICO," said Graham.

The ICO's code of practice addresses how the Data Protection Act applies to information processed online, including how a company should operate internationally. Among other advice, the guidance urges businesses to ensure they have a written contract for cloud services, which should stipulate that the same level of data security be applied to outsourced data as is maintained internally.

In addition, it contains advice on how to collect personal details through an online application form, on the use of cookies to target content, and on the use of personal data to market to individuals.

The ICO provided a checklist for small businesses to follow for best practice with the use of personal information. For example, it reminds them that if they are going to use customer information to send marketing material, customers should be given a clear choice about whether they want to receive it.

It is vital for companies to validate the security of their cloud providers, security company McAfee said.

"Security is a prime inhibitor or concern to adopting cloud services," said Marc Olesen, general manager for content and cloud security at McAfee. "Business-sensitive data is stored in the cloud. Customers are asking for transparency to give them confidence in cloud provision."

Olesen argued that relying on security from cloud providers can be more cost effective and efficient for small businesses than relying on their own internal resources.

Security expert Adrian Seccombe, who is a board member of the Jericho Forum security trade group, suggested that companies could combine the ICO guidance with an existing Jericho Forum checklist. "If you add the ICO guidance with the Jericho self-assessment, you get two strong pieces of information," he said.

However, Seccombe questioned whether the onus for security should be placed solely on cloud providers. "You need to architect the solution so it can enter and pass through the cloud securely," he said.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

3 comments
  • The ICO’s new code of practice can only be a good thing, but it’s essential for organisations to understand what this means and how to remain compliant. When the ICO recently introduced data breach fines, almost half (45%) of IT directors were not aware they had come into force and this can’t afford to happen again. Even more worrying is that of those who do know about the potential punishments, only 55% believe they will change their business practices as a result.

    After a run of high-profile data losses in the press, consumers have got to be able to feel they can trust businesses and public organisations with their personal details. How many more cases of lost laptops and vulnerable data will we see before organisations realise they have to do more to reassure the public?

    The ICO is absolutely right in publishing this code of practice, but it also needs to advise businesses on the range of security options available to protect data, particularly if it ends up in the wrong hands. It doesn’t have to be a case of just hoping it doesn’t happen; businesses need to be more aware of who and what is available to help them avoid data breach, and the ICO can lead the way with this.

    Dave Everitt
    General manager of EMEA
    Absolute Software
  • The ICO’s code of practice should definitely be welcomed; a lot of time, effort and consultation has gone into its drafting to produce a good, workable code that will help both public and private sectors to improve customer trust and confidence in their online activities.

    Above all, transparency is key. Information sharing online can be a force for good, but it’s essential for the consumer to be told what’s being done and why. Sometimes organisations themselves aren’t aware when they’re sharing data, let alone whether they’re doing it legitimately or not. The code of practice aims to ease these pressures, outlining how organisations can increase transparency and compliance with the Data Protection Act.

    There is an argument that says ‘If we shared less data we’d have less risk’, but the reality is that organisations need data, and will have to get it from somewhere, so let’s do it properly. The ICO’s code of practice is the first of its kind in the world - there is no one country that has set the example for others to follow so far. Organisations need to take note of the guidance given within the document. While following the code is not a legal requirement, applying its advice on good practice with online consumer interaction will help build consumer trust and brand reputation and limit the likelihood of regulator enforcement and fines.

    Neil Matthews,
    UK Privacy Officer
    Acxiom
  • for $500, Alex, what is 16k AES?
    anonymous