In new guidance (25-page / 395KB PDF) it has issued on cloud computing, the UK's data protection watchdog said that businesses that use cloud computing to deliver services to consumers could end up collecting more information about consumers than they think.
The ICO said that businesses remain responsible for personal data they store in the cloud, even though the cloud provider may process some of that information. It said businesses must assess cloud providers' ability to keep personal data secure, and must also hold a written contract under which the cloud provider agrees to process the information only in accordance with the business's instructions. The contract must also set out that the cloud provider agrees to comply with the UK data protection law requirements on keeping personal data secure, the ICO added.
"The existence of a written contract should mean that the cloud provider will not be able to change the terms of data processing operations during the lifetime of the contract without the cloud customer’s knowledge and agreement," the watchdog said. "Cloud customers should take care if a cloud provider offers a ‘take it or leave it’ set of terms and conditions without the opportunity for negotiation. Such contracts may not allow the cloud customer to retain sufficient control over the data in order to fulfil their data protection obligations."
The ICO acknowledged that it can be difficult for businesses to check that cloud providers meet the standards of UK data protection law. It said that cloud providers could arrange for "an independent third party" to carry out a "detailed security audit" of their services and provide copies of the assessment to businesses in order to help address the problem.
The watchdog said that those audit reports should be "sufficiently detailed" to enable businesses to make "an informed choice" about whether cloud providers' security arrangements are up to standard. The assessment should take account of the "physical, technical and organisational security measures" that providers have put in place and "be appropriate for the particular cloud service."
Where cloud computing arrangements are complex, the assessment should also be able to give businesses "appropriate assurances" that all sub-processors of personal data involved in delivering "layered cloud services" comply with the data security standards of the Data Protection Act, the ICO said. In addition, cloud providers should give businesses updates on their ongoing compliance with security requirements, it added.
The ICO said it "supports the use of an industry recognised standard or kitemark" that cloud providers could obtain to help indicate the security their service can offer. Whilst such a scheme could help businesses compare cloud services and offer them a degree of confidence that "any independent assessment of the cloud service was sufficiently thorough", businesses would be "unlikely" to be able to rely on the fact that cloud providers have a kitemark in order to "address all aspects of data protection compliance," the ICO said.
The watchdog's guidance also contains advice on how businesses can encrypt personal data stored in the cloud in order to restrict access to the information. In cases where personal data is going to be processed on cloud provider servers in 'third countries' outside the European Economic Area, businesses must ensure those countries have adequate data protection safeguards in place, it said.
The ICO also warned that businesses must be sure that they have consumers' consent to process their personal data for direct marketing purposes if they use cloud providers that deliver targeted adverts to users on the basis of their personal information.
"The cloud customer should ensure that the cloud provider only processes personal data for the specified purposes," the ICO said in its guidance. "Processing for any additional purposes could breach the first data protection principle [that requires that all personal data processing is fair and lawful]. This might be the case if the cloud provider decides to use the data for its own purposes. Contractual arrangements should prevent this."
"A number of [Software as a Service cloud provider] products are supported by advertising that is based on the personal data of cloud users. In order to target advertisements the cloud provider will need access to the personal data of the cloud users. A cloud provider may not process the personal data it processes for its own advertising purposes unless this has been authorised by the cloud customer and the cloud customer has explained this processing to cloud users," it said.
"Remember that individuals have a right to prevent their personal data being used for the purpose of direct marketing. The cloud provider must not process the cloud customer’s or cloud user’s personal data without the agreement of the cloud customer," the ICO added.
Dr Simon Rice, the ICO's technology policy advisor and author of the guide, said: "The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility."
"It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place," he added. "Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws."
"Figures show that consumers are concerned about how secure their data is when they use cloud storage themselves. It takes little imagination to consider that businesses not reflecting those concerns will quickly find themselves losing customers’ good will," Dr Rice said.