Cloud computing – new ICO guidance

Cloud computing is becoming an ever more pervasive feature of the technological world. Whether one is dabbling in social networking or purchasing goods online, the truth is that we all, to a greater or lesser extent, now have our heads in the virtual clouds. However, the use of cloud computing inevitably raises important information law issues, particularly in terms of the impact on privacy rights and also under the Data Protection Act 1998. So far as the DPA is concerned, issues which fall to be considered include:

  • who actually controls the data which is being processed via the cloud (i.e. who is liable under the DPA if things go wrong in data protection terms)


  • what steps a data controller may be required to take to safeguard against misuses of personal data within the cloud


  • the security implications of processing personal data through cloud computing and, in particular, whether the processing of data via the cloud is compliant with the seventh data protection principle


  • the legality of using clouds which operate transnationally and, hence, which may bring into play the application of the eighth data protection principle on cross-border data transfers

Importantly, the Information Commissioner has today issued guidance which is designed to help organisations navigate their way through the potentially complex DPA issues which may arise in the context of cloud computing. You can find the guidance here.

Particular points to note about the guidance include the following:

  • the Commissioner has (unsurprisingly) confirmed that the DPA applies to any processing of personal data which takes place in the cloud


  • the guidance suggests that, when it comes to determining who is the ‘data controller’ in respect of data which is processed via the cloud, one should generally look to the purchaser of the particular cloud services (i.e. the cloud service customer). This is because it is typically the cloud customer who will determine the purposes for which and the manner in which the data is being processed (see further the definition of ‘data controller’ in s. 1(1) DPA). However, that is not to say that there will not be cases where the cloud provider itself has sufficient control over the data such that it can properly be designated as a ‘data controller’ under the Act


  • if two or more data controllers within a ‘community cloud’ intend to share data they should take time to clarify their roles and decide who is the controller in respect of which data


  • a data controller cannot simply assume that, because a cloud provider has a set of standard terms and conditions, those terms and conditions afford sufficient safeguards to guarantee compliance with the DPA. The data controller must itself take steps to ensure that the safeguards deployed by the particular cloud provider are fit for purpose, having regard not least to the sort of data in issue and how it is to be processed. This may well entail the data controller looking for cloud providers which can tailor their services to accommodate the data controller’s specific requirements


  • data controllers should ensure that they are only putting data into the cloud which actually needs to be there. Thus, data controllers should effectively ensure that they are sieving their data before putting it on the cloud and should create clear records of the sort of data they intend to move to the cloud


  • insofar as the particular cloud service results in the collection of meta-data about the data subject (e.g. information revealing transaction histories), data controllers should be aware that this may also constitute personal data to which the data protection principles apply


  • cloud customers should adopt strategies to limit the chances that the use of cloud computing will breach the data protection principles, such strategies should include:


  • conducting risk assessments


  • ensuring that appropriate written contracts are in place with the cloud provider


  • reviewing the quality and depth of the security arrangements offered by the cloud provider


  • ensuring that adequate security measures are applied to the data (e.g. via encryption, use of password access etc)


  • ensuring that the cloud provider has in place a suitable retention and deletion policy and querying what happens to any data on the cloud in the event that the cloud customer withdraws from the cloud


  • ensuring that the cloud provider’s own access to the data is suitably controlled and limited


  • taking measures to ensure that the cloud provider is not itself in a position to start adapting the purposes for which the data is being processed without the cloud customer’s authorisation


  • exploring with the cloud provider the extent to which the data may be transferred abroad (e.g. because the cloud straddles a variety of different jurisdictions) and, further, the quality of any data protection regime applicable in any foreign jurisdiction to which the data may be transferred


  • having policies in place which ensure that data subjects are properly informed about how their data is being processed


  •  monitoring data compliance once the cloud services have been obtained

All organisations which use or provide cloud services should, as a matter of urgency, familiarise themselves with this policy or else risk developing a stormy relationship with the Commissioner in future.

Anya Proops