Cloud and Data Protection FAQs
What is the cloud?
Cloud computing is the delivery of IT as services over the internet. Cloud users don't need to purchase or install software and companies don't have to run their own application and data servers; the cloud service providers ("CSPs") host applications and provide the computing power from their data centres.
What are the benefits and disadvantages of using the cloud?
There is a range of well-documented benefits that may be achieved from cloud computing solutions, such as increased security, reliability and resilience for a potentially lower cost. Cloud computing arrangements are usually paid for on a service basis, which means that the upfront costs and upgrade fees associated with more traditional software licensing are often avoided.
However, by processing data in the cloud an organisation may also encounter certain well-documented data protection and privacy risks that it was previously unaware of or which did not previously apply to its in-house IT solution. It is important that data controllers take time to understand the data protection and privacy risks that cloud computing presents.
What are organisations' obligations under the Data Protection Act 1998?
Where a business is located in the UK, it will be subject to the Data Protection Act 1998 ("DPA") when handling personal data.
This document provides an introduction to what an organisation should consider when evaluating a cloud computing IT solution in order to ensure that the processing of personal data done in the cloud complies with the DPA.
For a more detailed examination of Data Protection compliance in the context of cloud computing, please see the Information Commissioner's Office ("ICO") guidance at http://ico.org.uk/for_organisations/data_protection/topic_guides/online/cloud_computing
i) When does the DPA apply?
The DPA applies to the processing of personal data. Both "personal data" and "processing" are very broadly defined. "Personal data" is any information which identifies a living individual or which, with other information, could identify a living individual. "Processing" will include almost any use of personal data, including simply storing personal data (see the ICO guidance referenced above, paragraph 19).
The DPA requires compliance by data controllers with eight principles of good information handling. These principles specify that personal data must be:
- Processed fairly and lawfully;
- Obtained for specified and lawful purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept any longer than necessary;
- Processed in accordance with the "data subject's" rights (the data subject being the individual whose data is being processed);
- Securely kept; and
- Not transferred to any other country without adequate protection in situ.
It is the last two points on this list which attract the most attention in relation to cloud computing, but the first six must not be forgotten – in particular, the first principle requires that you make sure data subjects know how their data is being used. To be able to comply with this you must ensure you understand what your CSP is doing with the personal data you transfer to them.
ii) Identifying the data controller; distinction between data controller and data processor
In general terms, the data controller is the person who determines the purpose and the manner in which any personal data is to be processed. For example, employers will be data controllers in relation to their employees' data which they collect throughout their employment, and educational institutions will be data controllers in respect of their students' personal data.
By contrast, a data processor only acts on the instructions of a data controller; it does not itself decide how to use personal data.
In cloud computing scenarios, as the cloud customer will determine the purposes for which data is being processed, together with the manner in which this processing occurs by the CSP, it will be the cloud customer who will be the data controller and will therefore have responsibility for complying with the DPA.
iii) Data security
Where a third party CSP is appointed to process data then the cloud customer, as data controller, must select a CSP who can offer appropriate guarantees of security. What is appropriate will depend on the nature of the personal data processed. Sensitive personal data, such as data relating to an individual's ethnicity or religion, requires more protection than other personal data. For all personal data, sensitive or otherwise, the cloud customer must consider the possible harm to the individual if there were to be unauthorised disclosure in determining what will be an "appropriate" level of security.
The cloud customer must also ensure that the security arrangements and obligations of the CSP in respect of personal data are evidenced in a written contract and must also take reasonable measures to ensure the continued compliance of the CSP with those security arrangements.
iv) Data transfer
The DPA requires that personal data “shall not be transferred to any country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. There are a number of ways in which compliance with this rule can be achieved; those most pertinent to cloud computing solutions are:
- Transfers to "white-listed countries" considered to have an "adequate level of protection", being (at the time of writing) Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay;
- Transfers to a company which complies with the US-EU Safe Harbor regime (though note that the European Commission has recently raised concerns about the sufficiency of this mechanism, particularly the fact that companies self-certify their compliance with the Safe Harbor principles and there is little oversight for monitoring actual compliance. There is a risk that this method of compliance may be removed by the European Commission if it is not improved); and
- European Commission approved data export agreements (known as Standard Contractual Clauses or Model Clauses). These agreements are often the preferred method for compliance and are now offered by a number of the large cloud providers.
Cloud customers should also ascertain whether their CSP uses any sub-processors to provide the cloud services and, if so, where those sub-processors are located. The customer should ensure that its agreement with its CSP also provides adequate protection in respect of those sub-processors (for example, by ensuring that security measures and audit rights apply equally to sub-processors).
v) Further considerations for the data controller
Before considering which cloud service or cloud provider is right for an organisation, the cloud customer must also consider the nature of the personal data which is to be processed in the cloud and how this personal data will be processed, in order to then assess the risks and ensure any agreement suits its needs.
The use of cloud computing introduces new compliance requirements which a data controller may not have previously encountered. These include, for example, reviewing and selecting which data should be moved to the cloud and selecting the most appropriate CSP, then monitoring the CSP's activities as data processor.
When selecting a CSP, the ICO Guidance stresses the importance of assessing the security arrangements that the CSP has in place to ensure they are appropriate to the personal data to be processed. This includes assessing the provider’s technical and organisational security measures for data processing, protection of data and use of encryption, control over data access (including the CSP's access), retention and deletion of data, and the use of cloud services from outside the UK.
Customers should, additionally, seek an independent security audit of the service provider and ensure adequate ongoing audit rights are contained in the agreement. Please note the ICO guidance accepts that this need not be a right to physically access premises as long as an appropriate independent third party audit is undertaken which allows the cloud customer to make an informed choice about the CSP and its security measures.
Disclaimer
This guide discusses typical legal issues found in cloud computing agreements available at the time of its publication and is not intended to be comprehensive in its treatment of those issues. This guide must not be relied upon as legal advice. Any cloud customer should always ensure that they have properly reviewed, and obtained all necessary specific legal advice on, any agreement they wish to enter.