ICO: Service Providers, Not Cloud Providers Responsible for Data Security
UK Information Commissioner’s Office (ICO) has released updated guidelines for organizations that deliver their services to their customers via cloud technologies.
The published document underscores the importance for service providers to make sure that the data of their customers is kept safe.
According to the "Guidance on the use of cloud computing," choosing a cloud infrastructure provider does not free a service provider from the obligation to safeguard customer data. "Simply because an organization chooses to contract for cloud computing services on the basis of the cloud provider’s standard terms and conditions, does not mean that Guidance on the use of cloud computing the organization is no longer responsible for determining the purposes for which and manner in which the personal data is to be processed," the document states.
Enterprises should be aware that they are held accountable for an eventual data loss or breach under the terms of the 1998 Data Protection Act (DPA) and in the same way as if the data was lost or breached on their own servers:
"The cloud customer does not transfer data protection obligations to the cloud provider simply by choosing to use its services in order to process his personal data." However, if the cloud provider uses the data stored "for its own purposes", it also assumes the role of a data controller under the regulation of the DPA.
The ICO provides several recommendations for an educated approach to take advantage of cloud computing, including the fact that cloud computing may not be a fit for everyone, that not all services need to be moved to the cloud, that records about data moved to the cloud need to be maintained and that security risks should be assessed before the transition.
Wolfgang Gruener is a contributor to Tom's IT Pro. He is currently principal analyst at Ndicio Research, a market analysis firm that focuses on cloud computing and disruptive technologies, and maintains the conceivablytech.com blog. An 18-year veteran in IT journalism and market research, he previously published TG Daily and was managing editor of Tom's Hardware news, which he grew from a link collection in the early 2000s into one of the most comprehensive and trusted technology news sources.
See here for all of Wolfgang's Tom's IT Pro articles.