Cloud computing? You still can't dodge data protection rules


Summary: Cloud computing makes it easier to shift data across the planet. But UK companies must not use the cloud to dodge their responsibility for data security and protection, according to the Information Commissioner's Office.


Companies are forgetting about their data protection responsibilities when they shift data into the cloud, according to the UK's privacy watchdog.

As cloud computing slowly moves into the mainstream, more and more personal data is being moved out of companies' own datacentres and into the cloud, which means the data could potentially reside on servers anywhere on the planet.

But the UK has strict rules around how data can be processed, and UK data protection watchdog the Information Commissioner's Office (ICO) is concerned that many businesses do not realise they remain responsible for how the data is looked after, even after handing it over to a cloud provider.

ICO technology policy advisor Dr Simon Rice said the law on outsourcing data is very clear.

"As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility," he said in an ICO statement on Thursday.

Rice warned the British privacy watchdog will act against organisations that don't meet data protection laws. For example, the ICO hit Scottish Borders Council with a £250,000 penalty after it failed to properly manage a company it had employed to digitise pension records.

Guidelines for moving data to the cloud

To highlight this message, the ICO has issued a set of guidelines for businesses moving data into the cloud. It said companies first need to review the personal data they process and determine whether there is any data that should not be put into the cloud — for example, because specific assurances were given when the personal data was collected.


Businesses may also need to inform end users of the cloud service about the processing arrangements that they have put in place. In addition, they have to ensure their cloud service provider has sufficient technical and organisational security measures in place.

While the best way to assess security measures is to inspect the supplier's premises, the ICO said it is "unlikely that a cloud provider would be willing to permit each of its prospective and current customers to enter its premises to carry out an audit", so an independent third-party audit is another option.

The watchdog also said encryption of data in transit and potentially "at rest" is an important consideration, especially when sensitive personal data is being processed.

Where does the data go?

The UK's Data Protection Act requires that personal information is not transferred outside the European Economic Area, unless the destination country ensures an adequate level of data protection. Given this, companies intending to use cloud services should ask the provider for a list of countries where data is likely to be processed and for information relating to the safeguards in place there.

"The cloud provider should be able to explain when data will be transferred to these locations," the ICO said.

It had one other reminder for businesses using cloud services where the data is held outside of the UK: these should remember that a foreign law enforcement agency may have the power to get access to personal data or disrupt the availability of the personal data to cloud customers and users.

  • Don't overlook the implications of the PATRIOT Act

    One thing you forgot to mention is that even public cloud data stored within the UK can be subject to the PATRIOT Act, which violates many of the information regulations you cite. The PATRIOT Act extends to any US corporation and their non-US based entities and subsidiaries. This is an often overlooked gotcha for data requirements on sovereign soil.
    Dave Packer
  • Moving to the cloud?

    Very interesting write-up here. I would like to share with you a good read that I came across in my search. This is very helpful, especially for those still reluctant to move to the cloud.
  • among the clouds under the light of Sun

    Well, I intend to send my data to the clouds under the light of Sun when I have solid reasons to believe it's real safe up there, in the 23rd century maybe; it is not secret nor sensitive, but you never know what stupid interpretation can be given to my tepid data on Islamic civilization and arts by police or national security bureaucrats :-). Or maybe later, if the servers are located in Saudi Arabia or elsewhere in such a democratic safe harbour.
  • is protected data safer anywhere in the clouds?

    If my data was encrypted, I might have really serious problems; it will be proof that I have something to hide from the eyes of Big Brother. Hope that I'm wrong. But I prefer to stay on the safe side of the sky: no clouds.