Out-Law News

Data security contract terms may not on their own be sufficient to ensure businesses' compliance in the cloud, says expert


UK businesses seeking to outsource IT functionality to cloud computing providers should consider whether contractual provisions agreed to by those providers are sufficient for them to say they are compliant with data protection rules, an expert has said.

Research company Gartner recently outlined concerns relating to the ambiguity of cloud contract terms on the subject of data security. It predicted that 80% of IT procurement professionals will be dissatisfied with the language used and security protections offered in contracts with 'software as a service' (SaaS) cloud providers through 2015.

Gartner said businesses should at least agree contract terms with providers that allow for an annual security audit and certification to be undertaken by a third party and insist on a clause allowing them to terminate a contract should a security breach occur and the provider "fails on any material measure".

However, data protection law and cloud computing specialist Charles Park of Pinsent Masons, the law firm behind Out-Law.com, said securing such contract terms alone may not be sufficient for UK businesses to comply with the Data Protection Act (DPA) when transferring personal data outside of the European Economic Area (EEA). The EEA includes all 28 EU member states, Iceland, Norway and Liechtenstein.

He said businesses should consider whether gaps in their compliance exist in spite of having contract terms in place with cloud providers relating to data protection and security. Adoption of EU-backed model contract clauses, an assessment of whether Safe Harbor is sufficient and, potentially, a self-assessment may be required to address those gaps, he said.

Under the DPA, data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

When outsourcing personal data processing to others, data controllers are required to select processors that can provide "sufficient guarantees" that they can properly meet the "technical and organisational measures" requirement and that they will "take reasonable steps" to "ensure compliance".

Data controllers must establish a written contract with data processors specifying that the processor may only undertake the processing activities that the controller tasks them with, and the contract must also require the processors to comply with the "technical and organisational measures" requirements under the DPA. Data controllers are also responsible for any failure of processors to meet those personal data security standards.

However, where personal data processing by outsourcing providers, such as cloud computing platforms, will or could take place outside of the EEA under the terms of the outsourcing agreement, further rules under the DPA also need to be adhered to.

According to the eighth principle of the DPA, organisations are prohibited from transferring personal data they are responsible for outside of the EEA unless "an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data" exists in that country.

Currently, only a small number of 'third' countries, including Argentina, Canada and Switzerland, have been designated as providing adequate data protection. For the US, the EU recognises the 'Safe Harbor' regime operated by the US, although some commentators have doubted the efficacy of this agreement on EU-US data transfers in the light of revelations made by NSA whistleblower Edward Snowden.

"Businesses will put in place contractual agreements with cloud providers that enable them to adhere to the rules on data security and outsourcing under the Data Protection Act should data be processed within the EEA, but they need to be aware that those provisions may not necessarily ensure compliance with the Act in cases where processing will or could take place outside of the EEA, even with Safe Harbor and Model Clauses in place," Park said.

"Businesses should therefore assess whether, in those cases, they need to conduct their own self-assessment of the data protection framework applicable to processing in those third countries in order to demonstrate their compliance with the Act," he said.

A self-assessment exercise may involve companies looking at the strength of the local laws that apply in third countries, the physical security cloud providers put in place at data centres, whether data is encrypted in the cloud, and the sensitivity of the personal data to be transferred to those countries. It may also involve putting in place a number of safeguards to ensure adequate data protection.

"Many of the larger US cloud providers leave open the possibility of using non-EEA sub-contractors to process personal data held in the cloud. Businesses should therefore assess whether they need to engage in a data protection self-assessment when using cloud suppliers in order to put in place necessary safeguards that allow them to demonstrate compliance with the DPA if asked by the Information Commissioner to do so," the expert said.

The Information Commissioner's Office (ICO) last year issued guidance on cloud computing in which it outlined its conditional support for businesses using independent auditors of cloud providers' data and security practices when evaluating whether cloud providers meet the standards required.
