DATA PROTECTION “IN THE CLOUD”
Data Protection Commissioner Ireland
Brian Murphy – Waterford Technologies
What is “the Cloud”?
People often mean different things when they talk about processing data “in the cloud”. For an organisation processing personal data – a “data controller” under our data protection laws – it usually involves using an external service provider (a “data processor”) to do some or all of the processing in a data centre under that provider’s control.
There are different versions of “the Cloud”. In its most advanced form, the cloud provider takes care of all aspects of the processing of the data on behalf of the client, apart from the raw data inputted by individual users. The cloud organisation thus provides the physical infrastructure in a data centre; the operating system to run the necessary software; and the software needed to process the data itself.
Breakdown of Cloud Archiving
A client may also choose to avail of only part of the service available from a cloud provider – for example, server space only (sometimes referred to as “Infrastructure as a Service”) or server space plus operating system (sometimes referred to as “Platform as a Service”).
A further distinction that is often made is between a “private cloud” – where the provider dedicates resources to a specific client – and a “public cloud” – where the client is not provided with any dedicated resources, other than a separate account. There can also be hybrid versions.
What are the Data Protection Issues?
The data protection issues are the same, whatever version of the cloud a data controller wishes to use. The key issue is the security of the data. The second issue is the location of the data – a particular aspect of data security. A related issue is the requirement for a written contract.
The Data Protection Acts (Section 2C (3)) place responsibility for data security squarely on the data controller who is accountable to the individual data subject for the safeguarding of their personal information. A data controller must therefore be satisfied that personal data will be secure if it is outsourced to a cloud provider.
Security in this context has two main aspects.
First, the data controller must be satisfied that the data processor (the cloud provider) will only process the data in accordance with the data controller’s instructions.
Second, the data controller must be satisfied that the cloud provider has taken “…appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of the data.”
The types of basic security measures that anyone having custody of personal data is expected to put in place are described in our general guidance on security. A data controller, before considering entrusting personal data to a cloud provider, would need to be satisfied that security standards of a very high level were in place. The cloud provider should be in a position to give assurances on key issues such as:
- Continued access to data by the data controller (backup and disaster recovery measures)
- Prevention of unauthorised access to data (covers both protection against external “hacking” attacks and access by the cloud provider’s personnel or by other users of the data centre)
- Adequate oversight including by means of contract of any sub-processors used
- Procedures in the event of a data breach (so that the data controller can take necessary measures – see our data breach guidance)
- Right to remove or transfer data (if the data controller wishes either to move the data back under its own direct control or move it to another cloud provider)
A cloud client must seek to assure themselves on the above matters both in advance of retaining a particular cloud provider and throughout any contractual arrangement entered into. This would typically be achieved by way of a detailed technical analysis incorporating an audit of the cloud provider. As indicated in our general guidance on security, 3rd party certification to approved international standards, rather than a direct right of audit, will often be the most appropriate solution in a multi-tenanted cloud arrangement. A cloud client should examine the 3rd party report itself as well as the certification.
Personal data that is held within the European Economic Area (EU Member States plus Iceland, Liechtenstein and Norway) benefits from a common standard of protection laid down at EU level. When data is transferred outside of the EEA, special measures must be taken to ensure that it continues to benefit from adequate protection. The range of options is set out in our guidance note on transfers abroad. In practice, where a cloud provider is processing personal data outside of the EEA, the options available are:
(i) the country where the data is located has been deemed by the EU Commission to have an “adequate” level of data protection (including via “Safe Harbor” for US companies)
(ii) the data is protected contractually (through use of EU-approved “model contracts” or “Binding Corporate Rules”).
Where “model contracts” or “Binding Corporate Rules” are used, it is important that the protections afforded by these mechanisms also extend to any sub-processors that may be used by the cloud provider.
Our data protection law requires that there be a written contract with the cloud provider and any sub-processors to underpin the obligations as set out above. The contract should be clear on the key points outlined above: that the cloud provider – and any sub-processors used by the provider – will only process the data as instructed by the data controller; and that the contract includes detailed assurance by the cloud provider on security measures – including the additional measures that need to be taken to guarantee the security of personal data that is processed outside of the European Economic Area.
The technology surrounding cloud computing is constantly evolving. The guidance offered above is of necessity general. Further sources of guidance include:
The National Standards Authority of Ireland (NSAI), in conjunction with the Irish Internet Association (IIA), has published “Adopting the Cloud – Decision Support for Cloud Computing” (April 2012). It provides useful information on the different models of cloud computing and the issues (including data protection and security) that need to be addressed by any organisation considering using a cloud provider. It is available from the NSAI (www.nsai.ie) and from the IIA.
The European Network and Information Security Agency (ENISA) has provided extensive guidance, written from a European perspective, on the issues involved in moving to the cloud and the expectations of cloud providers serving the European market.