New ICO guidance on the use of cloud services

The Information Commissioner’s Office (ICO) has published new guidance on the use of cloud computing services. The guidance is intended to provide an overview of how data protection law applies to businesses that utilise cloud based solutions to handle and process data.

The guidance is essential reading for any organisation that currently utilises (or is considering utilising) cloud based solutions, and emphasises that organisations remain responsible for the security of data that they store or process in the cloud.

The guidance
The guidance covers a variety of cloud based services, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It also considers the differences between private, public and hybrid deployment models, and “layered” services where, for example, a SaaS vendor is in turn utilising a third party IaaS vendor – such as a third party SaaS service that is hosted on Amazon Web Services servers.

Issues covered by the guidance include:

  • Identifying the data controller (or data controllers)
  • The data controller’s responsibilities – including risk assessment, due diligence and monitoring
  • Selecting a cloud provider
  • Access control and protecting your data
  • Encryption
  • Understanding how the cloud provider will process data – for example, will it use any of the data processed by it for the purposes of targeted advertising?
  • Use of cloud services located outside the UK/EEA – including the importance of understanding where the cloud provider will store and process data
  • Staff training

The guidance also provides a checklist to help organisations assess the risks of using a cloud service, covering confidentiality, integrity of the data, availability and legal/contractual issues.

Assessing the cloud provider’s security measures
As with previous ICO guidance on outsourcing, the guidance emphasises the importance of pre-contractual diligence, appropriate written contractual terms between the data controller and the cloud provider (which prevent the cloud provider from changing the terms of service without your approval), and regular monitoring and oversight of the cloud provider’s compliance with the agreed information security measures. As the ICO notes, the fact that auditing and oversight may be harder with a cloud provider does not lessen the data controller’s obligations under the Data Protection Act.

The ICO does recognise the role that independent security audits (such as an ISAE3402 or SSAE16 report) can play in verifying the adequacy of the cloud provider’s security measures. For more on the use of such audits see this previous TechBlog post.

Organisations should, however, be aware that the ICO draws a distinction between security audits conducted in accordance with recognised independent standards, and industry recognised standards and kitemark schemes, as a kitemark is unlikely to address all aspects of data protection compliance.

Increased regulatory focus
As the fine issued last month to Scottish Borders Council illustrates, the adequacy of outsourcing arrangements is an area coming under increased scrutiny from the ICO, with hefty fines being levied where data controllers have failed to exercise appropriate oversight of their data processors.

For organisations that are increasingly looking to use cloud based services, this guidance will provide a timely reminder of the important steps that should be taken to ensure that such services do not adversely impact upon the security of personal data.

You can download the guidance from the ICO website.
