Cloud Computing: Cloud computing systems (i.e. access to computing resources, on demand, via a network) are fast being adopted as the norm for IT infrastructures. If your organisation currently maintains and manages its own computer infrastructure you may also be considering a move to cloud computing in order to take advantage of a range of perceived benefits such as increased security, reliability and resilience at potentially reduced cost.
However, whilst the benefits may be clear, there are also potential pitfalls that need to be avoided, especially as IT infrastructures are so fundamental to the smooth running of a business. Therefore, any organisation considering a move to the cloud needs to have a clear understanding of its needs and obligations in order to ensure that it uses an appropriate cloud provider.
One such key obligation is that imposed by the Data Protection Act 1998. The Data Protection Act applies to personal data that is “processed”. Processing has a very broad definition and includes most of the operations that are likely to occur in a cloud, including the simple storage of data. By processing data in a cloud, an organisation may encounter data protection risks that it was previously unaware of. It is important that any “data controller” (which will usually be your organisation) takes time to understand the data protection risks that cloud computing presents.
To help organisations recognise and manage these risks, the Information Commissioner’s Office has compiled the following checklist of considerations to bear in mind when signing up to a new cloud service provider:
Cloud Computing Contract Checklist
- Make a list of the personal data you hold and how it will be processed in the cloud.
- Can your cloud provider provide an appropriate third party security assessment?
- Does this comply with an appropriate industry code of practice or other quality standard?
- How quickly will the cloud provider react if a security vulnerability is identified in their product?
- What are the timescales and costs for creating, suspending and deleting accounts?
- Is all communication in transit encrypted? Is it appropriate to encrypt your data at rest? What key management is in place?
- What are the data deletion and retention timescales? Does this include end of life destruction?
- Will the cloud provider delete all of your data securely if you decide to withdraw from the cloud in the future?
- Find out if your data, or data about your cloud users will be shared with third parties or shared across other services the cloud provider may offer.
- What audit trails are in place so you can monitor who is accessing which data?
- Make sure that the cloud provider allows you to get a copy of your data, at your request, in a usable format.
- How quickly could the cloud provider restore your data (without alteration) from a backup if it suffered a major data loss?
- Does the cloud provider have sufficient capacity to cope with a high demand from a small number of other cloud customers?
- How could the actions of other cloud customers or their cloud users impact on your quality of service?
- Can you guarantee that you will be able to access the data or services when you need them?
- How will you cover the hardware and connection costs of cloud users accessing the cloud service when away from the office?
- If there were a major outage at the cloud provider, how would this impact on your business?
- Make sure you have a written contract in place with your cloud provider.
- How will the cloud provider communicate changes to the cloud service which may impact on your agreement?
- Which countries will your cloud provider process your data in and what information is available relating to the safeguards in place at these locations?
- Can you ensure the rights and freedoms of the data subjects are protected?
- Ask your cloud provider about the circumstances in which your data may be transferred to other countries.
- Can your cloud provider limit the transfer of your data to countries that you consider appropriate?
So, as you can see from the list above, signing up to cloud computing is unfortunately not quite as simple as it may first appear, or as the service provider may have you believe!
If you have any queries about the issues raised in this article, want help negotiating a service agreement with your cloud service provider, or want to ensure that the cloud computing practices you are currently using are legally compliant, then please contact us at Moore Law.
Credit: This article contains materials provided by the Information Commissioner’s Office.