ICT Management. > Legal Issues
Cloud Computing - Data Protection And Other Legal Issues
Basic
By Paul Ticher
Using the cloud raises legal and other risks, but these need not be show-stoppers. The important thing is to be fully aware of them before deciding to put valuable, confidential data into the cloud. In this article, Paul Ticher looks at the data protection requirements, security and other legal considerations.
Terms and conditions
Before entrusting your data to a cloud provider you need to have a very close read of their terms and conditions , and that you cannot eliminate all the risks you are responsible for. You need to take a balanced decision on whether the undoubted benefits of using the cloud outweigh the risks in your particular case.
The legislation has not caught up with widespread cloud computing. This might change. For example, the EU Commission as reported by Out-law.com, has said that it may establish standard terms and conditions for cloud computing services. This might make a significant difference. At the moment potential users of cloud services have no real bargaining power with the providers; the terms and conditions are non-negotiable, and not necessarily favourable to the customer.
The Data Protection Principles
The Data Protection Act is based on eight legally-binding Principles. Of these two are particularly relevant to cloud computing:
- Principle 7, which says you must have appropriate security, and
- Principle 8, which controls transfers of data abroad
All the Principles are aimed firstly at preventing harm to individuals and secondly at ensuring that they are treated fairly whenever their data is used.
Security is one of the most important safeguards from harm. The Principle says that you must take appropriate steps to prevent:
- Unauthorised access
- Accidental loss or damage
You cannot transfer this responsibility to the cloud provider. If they lose your data, or if their security is breached, you are responsible for any harm caused to the individuals whose data you placed in the cloud.
The potential costs of a security breach are incalculable. They could include:
- Notifying potentially affected individuals, if appropriate
- Assistance to potentially affected individuals
- Compensation to individuals for harm and associated distress
- Damage to your business (including reputation)
- Data restoration
- Penalties from the Information Commissioner (up to £500,000)
So you need to be confident that your cloud provider’s security is up to scratch.
You also need to know where they store your data. If it is stored outside certain European countries the provisions of Principle 8 come into play. In that case you also have to make your Data Subjects aware that their data is being transferred abroad, so that they can make their own decision on whether the risk is acceptable.
Security
Cloud providers typically stress the degree to which they take security seriously, and it is often claimed that their security is likely to be considerably tighter than in most small organisations. This is probably true, but cloud providers are also a more tempting target, and breaches undoubtedly do occur.
You must, therefore, undertake due diligence in assessing their security undertakings, so you need to understand what you are checking. The key international standard is the ISO 27000 series. (Copies can be bought from the British Standards Institution)
ISO 27001 is the overall framework, and can be externally certified. So the first thing to check is whether the cloud provider has been certified (which costs money), or just self-assessed as compliant. It is also worth checking the credentials of the certifying company if the provider is claiming to have been certified.
You should also check that the provider’s ISO 27000 certificate applies to the issues that concern your data, as set out in its ISO 27000 Statement of Applicability.
Organisations that have close dealings with government agencies may also want to review the cloud provider’s offering against the HMG Security Framework, which is substantially based on ISO 27000.
Many US organisations rely on SAS (Statement on Auditing Standards) 70 compliance. This is not a security standard but an auditing process which checks that the company is meeting its own stated objectives.
Transfers abroad
Under Principle 8, transfers of data outside the European Economic Area are allowed if:
- the jurisdiction it is going to has an acceptable law; or
- the recipient in the USA is signed up to Safe Harbor; or
- one of a set of conditions is met.
Transfers include storing data on a cloud provider’s system abroad, even if the data is not intended to be used anywhere outside the UK.
Almost all European countries are OK, one way or another, but almost no others. Australia and Hong Kong, for example, have Data Protection laws but these are not deemed adequate.
There are serious questions over whether Safe Harbor scheme in the US provides an adequate basis for Data Protection compliance when using cloud services. The scheme is a kludge, designed to avoid an argument between the US and Europe. Among its drawbacks are:
- It is very flimsy, being self assessed and largely self-policed
- It only covers data types that are subject to Federal Trade Commission or Department of Transportation oversight. HR data, for example, cannot therefore be covered.
- Most entries in the Safe Harbor register refer to data that the US company holds about its customers abroad, but do not refer to the data it holds on behalf of its customers as part of a cloud service (Salesforce is a notable exception).
Other options include:
- A contract – but it must be EU authorised, which currently cloud terms and conditions are not, and these contracts are also a bit hazy about onward transfers to another country.
- Consent from each of your Data Subjects – but what if they don’t agree?
In effect, a cloud service where the data is guaranteed to be held only within Europe – which some services offer – might appear a much simpler and less risky option in terms of compliance. This may be easier said than done, however. Many of the big providers, with Google as a prime example, refuse to say where your data is held (for ‘security’ reasons), and explicitly rule out holding it only within Europe.
Copyright © 2011 Paul Ticher
