ICO issues guidelines for data privacy in the cloud

The data watchdog has published a code of practice for businesses that need to protect sensitive personal data held online, including in the cloud
Written by Tom Espiner, Contributor

The UK data protection watchdog has issued a guide for small businesses to help them protect customers' personal information online.

Part of the code of practice, which was published on Wednesday, is designed to help small businesses query cloud providers on how they protect data in their care, said the Information Commissioner's Office (ICO).

"The cloud-computing code of practice will help [SMEs] not just comply with the law, but to run their businesses well," Iain Bourne, the ICO's group manager of policy delivery, said at the Cloud Computing World Forum on Tuesday last week.

Bourne noted that if a cloud provider allows sensitive customer data to be compromised, the responsibility for the breach still lies with the small business that has the relationship with the customers. In April, the ICO gained the power to fine companies up to £500,000 for such data breaches.

ICO head Christopher Graham said in a statement on Wednesday that while companies could greatly benefit from use of the internet, they should also be aware of the risks.

"Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don't need and you are likely to diminish customer trust and face enforcement action from the ICO," said Graham.

The ICO's code of practice addresses how the Data Protection Act applies to information processed online, including how a company should operate internationally. Among other advice, the guidance urges businesses to ensure they have a written contract for cloud services, which should stipulate that the same level of data security be applied to outsourced data as is maintained internally.

In addition, it contains advice on collecting personal details through an online application form, on using cookies to target content, and on using data to market to individuals.

The ICO provided a checklist for small businesses to follow for best practice with the use of personal information. For example, it reminds them that if they are going to use customer information to send marketing material, customers should be given a clear choice about whether they want to receive it.

It is vital for companies to validate the security of their cloud providers, security company McAfee said.

"Security is a prime inhibitor or concern to adopting cloud services," said Marc Olesen, general manager for content and cloud security at McAfee. "Business-sensitive data is stored in the cloud. Customers are asking for transparency to give them confidence in cloud provision."

Olesen argued that relying on security from cloud providers can be more cost-effective and efficient for small businesses than relying on their own internal resources.

Security expert Adrian Seccombe, who is a board member of the Jericho Forum security trade group, suggested that companies could combine the ICO guidance with an existing Jericho Forum checklist. "If you add the ICO guidance with the Jericho self-assessment, you get two strong pieces of information," he said.

However, Seccombe questioned whether the onus for security should be placed solely on cloud providers. "You need to architect the solution so it can enter and pass through the cloud securely," he said.
