Data in the cloud - processing personal information
The buzzword 'cloud' has grown in significance of late, and cloud computing offers businesses various advantages, not least cost savings in areas such as storage, power consumption and data retrieval.
The UK's Information Commissioner, responsible for data protection matters in the UK, has recently issued a press release reminding businesses of their data protection responsibilities as more look to cloud computing to process personal information.
In particular, the UK's Information Commissioner has emphasised that companies remain responsible for personal data, even if they pass it to cloud network providers.
The Data Protection Act (which derives from EU law, so will have similar implementation in other Member States) creates a range of obligations on those who 'process' personal data. 'Processing' for these purposes is very broad: from collecting the data, storing it, using it, giving it to someone else, to destroying the data. There are eight key principles with which one should comply when processing personal information, which specify that the data must be:
- processed fairly and lawfully (usually requiring the individual's consent);
- obtained for specified and lawful purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept any longer than necessary;
- processed in accordance with the individual's rights (which include the right to ask for a copy of all of the data held on them);
- securely kept; and
- not transferred outside the European Economic Area without adequate protections in place.
If you are using a cloud services provider, the main issues are security and ensuring that you have contractual protections in the event of a breach by the service provider. The Information Commissioner's press release is accompanied by a guide which includes various tips. In particular, businesses are urged to:
- seek assurances on how your data will be kept safe;
- have a written contract in place with the cloud provider; and
- remember that transferring data internationally (including the use of cloud storage based overseas) carries a number of obligations.
If you are providing a cloud service, the main issue will be understanding your obligations as a data processor, while seeking limits on the extent of your liability under the main service agreement.
You will also want assurances that the client providing the data for use in the cloud has acquired the necessary consents from the individuals concerned.
Penalties for data protection breaches can be very public and considerable in amount. Recently a monetary penalty of £250,000 was issued against Scottish Borders Council after it failed to manage a company it had employed to digitise pension records. The council did not have a contract with the contractor and had failed to make the necessary security checks.