The Data Protection Act and the cloud – ICO offers guidelines and advice

“The law on outsourcing data is very clear,” explained the report’s author and ICO technology policy advisor Dr Simon Rice. “As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.”

The report offers advice on how cloud users can discharge that responsibility. Key to this, of course, is choosing a cloud provider that can adequately protect data, and will not use that data for other purposes without the customers’ consent. For example, a cloud provider might provide free or subsidized services through advertising revenue based on the sale of personal data to marketing companies. This could breach the first data protection principle which states that “personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

What this means is that the cloud user is still responsible for the data of his customers regardless of how his provider uses that data, and those customers have the right to know and decline any use of their personal data for targeted advertising – even if the provider does so surreptitiously. The only way to solve this is by a watertight contract between the cloud user and the cloud provider that both ensures compliance with the Data Protection Act today, and prevents any future arbitrary changes to the terms of that contract.

The contract alone, of course, doesn’t mean that the provider is secure in terms of data protection. The report recognizes that it is difficult for individual customers to adequately audit a large cloud provider with processing and storage capacity distributed around the world. And while the ICO supports “the use of an industry recognised standard or kitemark,” such a device is “unlikely to address all aspects of data protection compliance.” One solution the ICO recommends would be for the provider itself to arrange for an independent third-party security audit that could then be made available to potential customers.

But choosing a secure provider still doesn’t discharge the customer’s responsibility for its data, and the report offers a series of guidelines and advice for the customer. Encryption should be considered for both the data at rest with the provider and in transit to the user – but with a specific warning about adequate key management. The “loss of an encryption key could render the data useless,” warns the report, and this “could amount to the accidental destruction of personal data – this would be a breach of the DPA’s security principle.”
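The key-management warning above is the one point in the report that a defender can actually exercise in code: if the only copy of the encryption key is lost, the encrypted personal data is gone, which the ICO treats as accidental destruction. The following added example (not from the ICO report or this article) shows that outcome and one mitigation. It uses a hash-based counter-mode keystream with an HMAC tag as a stand-in for a real AEAD such as AES-GCM, and Shamir secret sharing so the data-encryption key can be rebuilt from any two of three backup shares held by separate custodians; losing one share then no longer renders the data useless. All function names and the sample record are constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demonstration (not the ICO's or anyone's production code):
# encryption at rest plus a threshold key backup so that losing one copy
# of the key does not amount to destroying the personal data it protects.

PRIME = 2**521 - 1  # Mersenne prime; Shamir field, larger than any 256-bit key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration keystream: SHA-256 as a PRF in counter mode (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong (e.g. lost and guessed) key is rejected outright."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def split_key(key: bytes, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Shamir secret sharing: any `threshold` of the `shares` points recover the key."""
    secret = int.from_bytes(key, "big")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_key(shares: list[tuple[int, int]], key_len: int = 32) -> bytes:
    """Lagrange interpolation at x = 0; raises if the shares do not yield a key-sized value."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 1 << (8 * key_len):
        raise ValueError("shares do not reconstruct a key of that length")
    return secret.to_bytes(key_len, "big")


def demo() -> dict:
    """Walk through key loss with and without a threshold backup."""
    key = os.urandom(32)
    record = b"customer record: name=Example Person, postcode=AB1 2CD"  # constructed
    stored = encrypt(key, record)          # what sits at rest with the provider
    shares = split_key(key, threshold=2, shares=3)  # held by three separate custodians
    results = {}
    # Scenario 1: the only key copy is lost; a guessed key cannot recover the record.
    try:
        decrypt(os.urandom(32), stored)
        results["lost_key_recovered"] = True
    except ValueError:
        results["lost_key_recovered"] = False
    # Scenario 2: one custodian's share is lost, two remain: the key comes back.
    recovered = recover_key(shares[1:])
    results["recovered_key_matches"] = recovered == key
    results["plaintext_matches"] = decrypt(recovered, stored) == record
    # Scenario 3: a single share on its own reveals nothing useful.
    try:
        results["one_share_enough"] = recover_key(shares[:1]) == key
    except ValueError:
        results["one_share_enough"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that backup of the key is part of the security control, not an afterthought: the threshold scheme gives availability (any two shares suffice) without giving any single custodian, or a provider holding one share, the ability to read the data alone.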

If this is all beginning to seem like a minefield, it’s because it is. A methodical approach to ensuring security and compliance in the use of cloud services, however, can provide safe passage. To this end the report includes a checklist of considerations under the headings risks, confidentiality, integrity, availability and legal. The implication is that any customer satisfying this checklist will be compliant with the DPA when using the cloud.

But there’s one final warning. A brief section towards the end of the document makes it clear that it’s okay for the FBI to demand personal data in accordance with US laws (such as the PATRIOT Act). The ICO will “take the view that” regulatory action against the cloud customer “would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure.” Similarly, there would be no regulatory action against a cloud provider who acts “in accordance with a legal requirement to comply with the disclosure request.” What this means is that neither individual UK users nor businesses have any DPA redress against companies like Facebook or Twitter or Google who hand over their personal details under subpoena from the US courts.
