Companies are forgetting about their data protection responsibilities when they shift data into the cloud, according to the UK's privacy watchdog.
As cloud computing slowly moves into the mainstream, more and more personal data is being moved out of companies' own datacentres and into the cloud, which means the data could potentially reside on servers anywhere on the planet.
But the UK has strict rules around how data can be processed, and UK data protection watchdog the Information Commissioner's Office (ICO) is concerned that many businesses do not realise they remain responsible for how the data is looked after, even after handing it over to a cloud provider.
ICO technology policy advisor Dr Simon Rice said the law on outsourcing data is very clear.
"As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility," he said in an ICO statement on Thursday.
Rice warned that the British privacy watchdog will act against organisations that fail to meet data protection law. For example, the ICO hit Scottish Borders Council with a £250,000 penalty after it failed to properly manage a company it had employed to digitise pension records.
Guidelines for moving data to the cloud
To highlight this message, the ICO has issued a set of guidelines for businesses moving data into the cloud. It said companies first need to review the personal data they process and determine whether there is any data that should not be put into the cloud — for example, because specific assurances were given when the personal data was collected.
Businesses may also need to inform the end users of the cloud service about the processing arrangements they have put in place. In addition, they must ensure that their cloud service provider has sufficient technical and organisational security measures in place.
While the best way to assess security measures is to inspect the supplier's premises, the ICO said it is "unlikely that a cloud provider would be willing to permit each of its prospective and current customers to enter its premises to carry out an audit", so an independent third-party audit is another option.
The watchdog also said encryption of data in transit and potentially "at rest" is an important consideration, especially when sensitive personal data is being processed.
Where does the data go?
The UK's Data Protection Act requires that personal information is not transferred outside the European Economic Area unless the destination country ensures an adequate level of data protection. Given this, companies intending to use cloud services should ask the provider for a list of the countries where data is likely to be processed, and for information about the safeguards in place in each of them.
"The cloud provider should be able to explain when data will be transferred to these locations," the ICO said.
The ICO had one further reminder for businesses using cloud services where the data is held outside the UK: a foreign law enforcement agency may have the power to access the personal data, or to disrupt its availability to cloud customers and users.