Where does the ICO's new cloud guidance take you?

It is not possible to follow the ICO's advice on cloud computing and still have a “cloud” solution

The Information Commissioner’s Office (ICO) has issued its long-awaited guidance on cloud computing. Unfortunately, the wait has not lived up to expectations. As a result, it is not possible to follow the ICO advice on cloud computing and still have a solution that could be called a “cloud” solution. 

The information commissioner acknowledges that organisations might find it difficult to exercise any meaningful control over their cloud providers. However, he warns, that does not mean that cloud customers will not be ultimately responsible for any data breaches by their service provider.

The ICO warns organisations to tread cautiously if a cloud provider offers "take it or leave it" terms and conditions. Such contracts, it says, may not allow the cloud customer to retain sufficient control over the data to fulfil their data protection obligations.

Organisations must therefore check their cloud provider's terms of service carefully, to ensure they meet their obligations under the Data Protection Act.

There is only one way to read this guidance. Since most cloud service providers do not comply with the provisions of the Data Protection Act 1998 (DPA), the ICO is, in effect, banning the use of cloud services. 


The reality is, the whole purpose of commercial cloud services is to “pile it high and sell it cheap”. It is not that those services "may" not give sufficient control to a cloud customer – they are designed not to. None of them do so. That is the whole rationale behind piling it high and selling it cheap.

The result is that none of those cloud services give meaningful legal guarantees to cloud customers. 

Yes, a cloud customer could negotiate a one-off solution from a cloud provider. If the cloud customer is willing to pay enough, anything is possible. But the cloud customer would not then end up with what a normal businessman would regard as a cloud solution – it would end up with a bespoke outsourcing solution. And it would not end up with most of the benefits of the cloud – certainly not the cost benefits. 

Assessing cloud security

The information commissioner recommends an assessment be made of the cloud provider’s security arrangements. He recognises, however, that it is “unlikely that a cloud provider would be willing to permit each of its prospective and current customers to enter its premises to carry out an audit”.

His recommendation to overcome this, by having an independent third party assess the supplier, does not stand up to analysis. 

There are currently only two schemes of consequence:

  1. The Cloud Service Provider Code of Practice from time to time proffered by the Cloud Industry Forum of the UK; 
  2. Registration under the Security, Trust & Assurance Register of the Cloud Security Alliance of the US.

While these are both laudable attempts by cloud providers to self-regulate, the first suffers because it is UK-centric, whereas the majority of cloud services emanate from outside the UK. The second suffers because it is wholly a self-certification and disclosure scheme.   

There is, however, a more insidious danger, not recognised by the ICO: the more people who assess the security measures of the cloud provider, the less secure those measures are. 

A cloud provider initially has a system in which only a few people are aware of the security measures. When any external assessments take place, the cloud provider ends up with a system in which many more people know about those measures.   

Terminating a cloud contract

The ICO urges cloud customers to find out what will happen to personal data if it decides to withdraw from the cloud service in the future. 

Yes, the cloud customer should find out, but in practice the cloud provider will be reluctant to tell the customer what will happen, particularly where the cloud service is a social media service.

Indeed, many, if not most, social media sites, from Facebook to LinkedIn, are designed to use that data. Of course, the cloud provider is going to use that personal data, both before and after the cloud customer stops using the cloud service. That is why the service is provided for “free”.

You might be forgiven for thinking that the ICO was not really trying to ban use by businesses of Facebook. Actually, it really is. 

The guidance warns: “The cloud customer should ensure that the cloud provider only processes personal data for the specified purposes. Processing for any additional purposes could breach the first data protection principle. This might be the case if the cloud provider decides to use the data for its own purposes. Contractual arrangements should prevent this.”

I am not aware of any business that has its own contractual arrangements to prevent social media sites such as Facebook using personal (or any other) data placed on Facebook’s site by that organisation. Perhaps the ICO does. The ICO also uses Facebook.

Or perhaps the ICO wants to use social media sites such as Facebook without revealing any personal information at all. That would be a challenge. 

Dai Davis is a chartered engineer and has been a specialist technology lawyer for over 25 years.