Cloud Computing - Data Protection And Other Legal Issues

By Paul Ticher

Your organisation’s relationship with the cloud provider

Some of the legal complications arise from the approach in the Data Protection Act to the relationship between the organisation that carries the responsibility – the Data Controller – and any organisation to which work is outsourced – the Data Processor.

  • “Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.
  • “Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

The Data Protection Act requires there to be a contract, ‘evidenced in writing’, between the Data Controller and the Data Processor, setting out the relationship and underpinning both parties’ security obligations. The Data Controller is also given a specific responsibility to assess the adequacy of the Data Processor’s security, and take steps to verify it.

The contract for cloud services is likely to be set out in non-negotiable terms and conditions. If the provider doesn’t provide checkable security undertakings in its terms and conditions, there is little you can do to get them added in.

Ideally a Data Processor contract should also provide indemnity for the Data Controller against any costs resulting from the Data Processor’s failure to deliver. This isn’t a legal requirement, but makes sound commercial sense. The standard terms and conditions for cloud services inevitably exclude any indemnity for a failure of the service, of course.

See this checklist for a fuller list of what should be in a Data Processor contract.

What else can go wrong?

Other risks from the use of cloud services include:

  • Loss of service –
    • at their end, if their system goes down, or if the company closes down
    • at your end, if your internet connection is impaired
  • Possible problems if you ever want to change provider, caused by your data being held in a proprietary format
  • Possible difficulty retrieving your data if the service ceases or you get into a dispute with the provider
  • Difficulty in making a back-up of the data away from the provider’s system, as additional security in case they have problems
  • Contract terms which make the supplier a Data Controller in their own right (e.g. if they reserve the right to make use of your data, or some of it, for their own purposes)
  • Unclear ownership/location of data and the equipment it is stored on. Many cloud providers sub-contract out parts of their service, often with several links in the chain. This makes it difficult to sort things out if any link is broken.
  • Unilateral changes in policy by the provider

And finally…

Most countries have laws allowing the authorities to access data, but the one which is most often talked about is the US Patriot Act. This is ostensibly anti-terrorist, but has also been used in non-terrorist cases. It requires any US-based company to provide any information it holds to the US government, on demand (even if the data is not in the US). Some suppliers undertake to inform their customers before passing on data, but they may not offer this and – in some cases – may not even be allowed to inform the customer of access.

Most organisations are probably reasonably sanguine about the remote possibility of their data becoming of interest to the authorities, but the possibility should still be included in your risk assessment.

So what do you need to do?

  • Check the cloud provider’s contract (or standard terms and conditions) very carefully, especially for:
    • security undertakings, and certified security standards
    • location of data, and whether you have any control over this
    • any mention of liability the provider accepts or excludes
    • any mention of whether the provider uses sub-contractors
    • arrangements for you to make your own back-ups in addition to those made automatically by the provider
    • how you obtain access to your data in the case of wanting to change provider
    • what happens to your data if the provider (or one of its sub-contractors) goes out of business or if you get into a dispute with the provider
    • any provision for the supplier to use your data for its own purposes
  • Look up the provider’s Safe Harbor entry, if it is a US company
  • Assess all these risks and write up a risk assessment so that the appropriate people in your organisation (possibly the board) can make an informed decision
  • Decide whether you need to tell your Data Subjects about their information going abroad, and if so make sure that it happens

Further information

The Information Commissioner has a substantial section on his website dealing with transfers abroad.

For the final word, see Cloud computing and the law, by Renzo Marchini.


About the author

Paul Ticher
Paul is an independent specialist. Drawing on 25 years' experience of Data Protection in the voluntary sector he can deliver training, carry out audits, help to write policies and procedures, or give guidance on specific problems or questions. He can be contacted via www.paulticher.com/ or 0116 273 8191.

Published: 8th August 2011 Reviewed: 31st July 2012

Copyright © 2011 Paul Ticher

User comments and discussion

abamaison
3rd October 2012
Information Commissioner also publishes guidance on the use of cloud computing http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/cloud_computing.aspx