ICO reports on the Data Protection issues of Cloud Computing

The ICO has issued a summary of its roundtable event in late February on computing in the cloud and how data protection regulation should apply to it.

It was agreed that there should be greater transparency regarding where in the world personal data was being processed by cloud providers. Binding corporate rules for data processors do not currently exist but may be a possibility in future and could be used as an informal standard when applied to cloud providers.

Under normal circumstances, the activities of cloud providers qualify them as data processors on behalf of the cloud client, who is the data controller and puts the data into the cloud to be stored. However, if a cloud provider is required to comply with a request for information from a law enforcement agency and does so, the provider becomes the data controller since it is making the decision to disclose based on a legal obligation regardless of the client’s wishes. Cloud clients cannot assume they are the only person with a say on what happens to the data they put into the cloud.

Another issue concerning the ICO was determining what level of security is ‘adequate’ under the data protection principles. The Common Assurance Maturity Model was cited as an example of an industry-driven standard that gives clients a useful analysis of the security provided by cloud providers: clients can see which providers are simply meeting the minimum requirements and which are exceeding them. It was agreed that it would be beneficial for everyone if there were an officially recognised standard which providers could sign up to, e.g. a cloud ‘Kitemark’. UK-based cloud providers might consider something like ISO27001:2005, a data security standard adopted by operators of external email security systems which store data on behalf of clients. Cloud clients might also ask their providers what externally recognised standards they have adopted.

The ICO agreed that it would be useful to produce guidance on the cloud, building on the existing work in its Personal Information Online Code of Practice. It was suggested, amongst other things, that the guidance needed to provide clarity on the obligations on cloud providers; explain what is new about processing personal data in the cloud; acknowledge the importance of ‘Ts & Cs’ between cloud providers and clients; and explain what all of this actually means to the public.

This guidance is in development and the ICO will be consulting once the first draft is complete. The ICO has published a full summary of the key points raised at the cloud event. We can assist with contracts for data processing and IT services in general; contact the Business Law Team for further information.

Daniel Milnes

About Daniel Milnes

Dan is a Partner and Head of Contracts & Projects. Dan’s blogs cover his specialist areas of commercial, regulatory and governance law, which span a broad range of matters dealing with contracts, projects, corporate and group structures, funding and compliance with a range of legal regimes, including data protection. This also involves writing and advising on various forms of commercial contracts, including joint ventures, development and construction agreements, and intellectual property contracts such as IT agreements, sponsorships and other rights licensing arrangements.

One response to ICO reports on the Data Protection issues of Cloud Computing

  1. Phillip says:

    This is really interesting, thank you for sharing. After all, if personal data forms the cornerstone of your business then Data Protection should not be neglected.
    Vertex Law
