Out-Law / Your Daily Need-To-Know

Out-Law News 3 min. read

Data categorisation can help with risk assessment of hosting services, says expert


Organisations that categorise the data they store will be better placed to decide the extent to which to utilise public cloud and other external hosting services, an expert has said.

Separating data on the basis of whether it is subject to legal, contractual or commercial constraints can help businesses evaluate whether the benefits of using cloud data processing and storage services outweigh any risk to the privacy of the information, data protection law expert Charles Park of Pinsent Masons, the law firm behind Out-Law.com, said.

"In any decision that involves the outsourcing of data, organisations need to evaluate the risks involved with the benefits that can be derived," Park said. "In assessing cloud options, businesses need to understand the profile of the data that may be placed in the cloud and understand the governmental, contractual and confidentiality restrictions that could limit their ability to do so.”

"In the last 12 to 18 months data storage suppliers, including some of the biggest US-headquartered cloud providers, have clearly responded to the need to address the data protection concerns of their EU customers." he added. "However, businesses must also evaluate the legal frameworks that cloud providers are themselves subject to when assessing the risks of contracting with them."

Park was responding to news that the UK Houses of Parliament is expecting to enter a contract with Microsoft for its Microsoft 365 cloud services. The director of Parliamentary ICT, Joan Miller, said that she had considered the risks involved in using Microsoft's cloud offering to store Parliamentary data, according to a report by PC Advisor.

"The purpose of parliament is to transparently provide legislation and scrutinise government, so it is not quite as risky as it looks," Miller said, according to the report. "We have been measuring our opportunity against our risks, and the risk of moving into a Microsoft cloud for instance is small because of the level of sensitivity of our data, which is IL2 or below mostly."

The US Patriot Act gives law enforcement bodies the right, subject to certain conditions, to obtain information on individuals from US "electronic communication service providers" without those individuals' knowledge or consent.

The US' Foreign Intelligence Surveillance Act (FISA) sets out the procedures that US intelligence agencies have to follow in order to gather foreign intelligence information about foreign based individuals for the purposes of protecting against attacks on the US, such as terrorism. Under the regime intelligence agencies require a court to sanction the acquisition of data.

Recent media reports have centred on FISA after information leaked by a whistleblower suggested the US' National Security Agency (NSA) was using a computer program called 'Prism' to obtain data direct from the systems of some major technology companies.

Many of the companies said to be involved have released statements admitting that they do accede to legal requests for access to data they store whilst denying their knowledge of Prism or their participation in any surveillance programme that involves granting direct access to their systems. US government and intelligence officials have said that the surveillance of data is conducted in accordance with FISA.

"Organisations must take into account whether data sovereignty is more important than achieving any of the benefits that cloud or external hosting can bring," Park said. "This evaluation will involve reviewing the circumstances in which data held by storage providers could be accessed."

"Companies that categorise the data they have must determine the sensitivity of the information – such as by establishing whether it is subject to legal, contractual or commercial constraints – will be better placed to assess the risk of third parties storing and processing that data," Park said.

"In some cases it may be clear that information is too sensitive for it to be subject to surveillance by foreign law enforcement bodies, for example where the information is held by a security contractor and has implications for national security. On that view it is likely that companies will be able to utilise cloud services for storing some categories of data, but elect to retain data sovereignty over other, more sensitive, information. Organisations should also bear in mind that it is not just the US law enforcement bodies that have access rights to data," he said.

Guidance issued last year by the UK's Information Commissioner's Office (ICO) made clear the attitude it would adopt to enforcing the Data Protection Act in cases where foreign law enforcement bodies had accessed personal data stored by cloud providers on behalf of UK companies.

"If a cloud provider is required to comply with a request for information from a foreign law enforcement agency, and did  comply, the ICO would be likely to take the view that, provided the cloud customer had taken appropriate steps to ensure that the use of the cloud services would ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud, regulatory action against the cloud customer (in respect of the disclosure of personal data to the foreign law enforcement agency) would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure," the ICO said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.