Cloud on the horizon for data-handling outsourcing

News release 27 September 2012
Regulator moves to remind businesses of data responsibilities as more look to cloud computing to process personal information
The Information Commissioner’s Office (ICO)
has published guidelines to businesses today to underline that
companies remain responsible for how personal data is looked after,
even if they pass it to cloud network providers.
More and more businesses are looking to use
cloud computing, with the economies of scale they offer giving access
to a range of computer technologies and expertise that would be
difficult to afford in-house.
But data protection regulator ICO is
concerned that many businesses do not realise they remain responsible
for how the data is looked after, even after passing it to the cloud
network provider.
That’s prompted the ICO to produce a guide to
cloud computing, to help businesses comply with the law. The guide
gives tips including:
- Seek assurances on how your data will be kept
safe. How secure is the cloud network, and what systems are in place to
stop someone hacking in or disrupting your access to the data?
- Think about the physical security of the
cloud provider. Your data will be stored on a server in a data centre,
which needs to have sufficient security in place.
- Have a written contract in place with the
cloud provider. This is a legal requirement, and means the cloud
provider will not be able to change the terms of the service without
your agreement.
- Put a policy in place to make clear the
expectations you have of the cloud provider. This is key where services
are funded through adverts targeted at your customers: if they’re using
personal data and you haven’t asked your customers’ permission, you’re
breaking data protection law.
- Don’t forget that transferring data
internationally brings a number of obligations – that includes using
cloud storage based abroad.
Speaking as the guide was launched, author Dr
Simon Rice, ICO technology policy advisor, said:
“The law on outsourcing data is very clear.
As a business, you are responsible for keeping your data safe. You can
out-source some of the processing of that data, as happens with cloud
computing, but how that data is used and protected remains your
responsibility.
“It would be naïve for an organisation to
take the attitude that these guidelines are too much effort to simply
store some data in a different place. Where personal information is
involved, the stakes are high and the ICO has already demonstrated it
will act firmly against those who don’t meet data protection laws.”
The ICO recently issued a monetary penalty of £250,000 to Scottish Borders
Council, after it failed to properly manage a company it had employed
to digitise pension records. The council did not have a contract with
the contractor, and hadn’t made the necessary security checks.
Simon added: “Figures show that consumers are
concerned about how secure their data is when they use cloud storage
themselves. It takes little imagination to consider that businesses not
reflecting those concerns will quickly find themselves losing
customers’ good will.”
A recent online YouGov survey commissioned by
the ICO found that 46 per cent of UK adults online who use cloud
storage are concerned about the security of their information in cloud
storage.
The survey also found that only 39 per cent
of adults online realised that social media used cloud storage to store
personal data, while 46 per cent did not realise that by hosting their
information on cloud servers, their information could be being stored
anywhere in the world.
The cloud computing guidance for organisations is available on the ICO
website at:
http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.pdf
The ICO has also produced advice for members of the public on cloud
computing at:
http://www.ico.gov.uk/for_the_public/topic_specific_guides/online/cloud_computing.aspx
Notes
1. The Information Commissioner’s Office upholds
information rights in the public interest, promoting openness by public
bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out
in the Data Protection Act 1998, the Freedom of Information Act 2000,
Environmental Information Regulations 2004 and Privacy and Electronic
Communications Regulations 2003.
3. Anyone who processes personal information must
comply with eight principles of the Data Protection Act, which make
sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection
4. All figures, unless otherwise stated, are from YouGov Plc.
Total sample size was 2155 adults. Fieldwork was
undertaken between 6th - 9th September 2012.
The survey was carried out online. The figures have been
weighted and are representative of all UK adults (aged 18+).
About the Author
The Information Commissioner’s Office is the UK’s
independent authority set up to uphold information rights in the public
interest, promoting openness by public bodies and data privacy for
individuals. We do this by promoting good practice, ruling on
complaints, providing information to individuals and organisations and
taking appropriate action when the law is broken.
The ICO enforces and oversees the following
legislation:
- Data Protection Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulations 2003
- Environmental Information Regulations 2004
Article Published/Sorted/Amended on Scopulus 2012-10-05 09:05:13 in Computer Articles