ICO publishes cloud data guidelines

The ICO has published new guidelines that underline businesses’ sole responsibility for the protection of data

The Information Commissioner’s Office (ICO) has published new guidelines that underline businesses’ sole responsibility for the protection of data, even if it has been outsourced to third-party cloud network providers.

As more businesses begin using cloud services, many may not realise they remain responsible for how the data is protected, said the UK data watchdog. So, to help businesses comply with UK data protection law, a guide to cloud computing has been published.

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility,” said Simon Rice, ICO technology policy advisor.

“Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws,” he said.

Top ICO tips for data protection in the cloud

  • Seek assurances on how your data will be kept safe. How secure is the cloud network and what systems are in place to stop someone hacking in or disrupting your access to the data?
  • Think about the physical security of the cloud provider. Your data will be stored on a server in a datacentre, which needs to have sufficient security in place.
  • Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
  • Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they are using personal data and you have not asked your customers’ permission, you are breaking data protection law.
  • Do not forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

The ICO recently issued a monetary penalty of £250,000 to Scottish Borders Council, after it failed to manage a company it had employed to digitise pension records. The council did not have a contract with the contractor, and had not made the necessary security checks.

“Figures show that consumers are concerned about how secure their data is when they use cloud storage themselves. It takes little imagination to realise that businesses not reflecting those concerns will quickly find themselves losing customers’ good will,” said Rice.

The guidelines include tips for businesses – including securing assurances from cloud service providers on how data will be kept safe – as well as suggesting the implementation of a written contract between both parties involved.

Paul Ayers, European vice-president of data security firm Vormetric, said the ICO’s guidelines serve as a timely reminder of the full extent of organisations’ data protection responsibilities and the dangers of failing to manage them properly.

It is wishful thinking that using cloud services enables organisations to wash their hands of the need to secure their data, he said.

“That is not the case, as companies still need to be able to establish where their data is held and define what data protection policies are in place,” said Ayers.

Many organisations are cognisant of ICO guidelines, along with regulations such as the US Patriot Act, he said. This is motivating UK businesses to secure cloud data with encryption, but to hold the encryption keys to that data on premise within their datacentres.

“However, it’s clear from the recurring data breach headlines that some organisations still have a way to go on this point,” he said.
