InfoLaw Update - October 2012
This month's issue of InfoLaw focuses on cloud computing, in particular how it compares to traditional outsourcing and the information law issues for organisations.
What is Cloud Computing?
At its most basic, cloud computing is the delivery of IT services over the internet. Organisations who use cloud services need neither to purchase nor to install their own software. They don’t need to run their own applications or data services and are able to access IT services provision at (usually) a dramatically reduced cost.
There are a number of cloud computing solutions available to organisations looking to outsource some or all of their IT. These solutions vary and all businesses will need to approach the purchase of cloud services with a clear view of what it is their particular organisation needs. The nature of the business in question will dictate particular issues which the cloud provider will need to deliver and, as with many other aspects of business in today’s information-centric world, data security is a key consideration.
Types of Cloud Computing
There are varying definitions for the cloud and for cloud computing, often depending upon which service provider is describing its offering. Despite the fact that an increasingly varied selection of solutions is available, it is generally accepted that “cloud computing” consists of the following services:
• software as a service (SaaS);
• platform as a service (PaaS); and
• infrastructure as a service (IaaS).
A SaaS cloud offers access to a complete software application (for example email, word processing, CRM, and spreadsheets) which the cloud user accesses through a web browser or other software. Accessing the software in this manner eliminates or reduces the need to install software on the client machine and allows the service to support a wider range of devices. The software may in turn be hosted on a cloud platform or infrastructure. Some SaaS service providers offer customer-specific services but most offer a standard software product which is accessed by all purchasers of the service. Although this standard product is unlikely to be tailored to a specific client’s requirements, a degree of configuration might be available to suit the service to individual business needs. However, SaaS offerings are developing so that a combination of standard and bespoke services is available.
A PaaS cloud offers access to a computing platform which allows cloud customers to write applications to run within that platform. The platform may in turn be hosted on a cloud IaaS. PaaS are usually offered through larger, established businesses (for example Amazon, Google and Microsoft).
IaaS concerns the delivery of computing resources over the internet, such as servers, network equipment, memory, disc space and data-centre facilities. Rather than purchasing hardware itself, the cloud customer purchases access to the cloud provider’s hardware according to the capacity required.
It is possible that one cloud service can be “layered” on top of another so that a more complex supply chain of cloud providers might exist behind the relationship between one purchaser of cloud services (for example, the provider offering the software service may not be the same as the provider operating another component, e.g. the cloud platform or infrastructure).
Outsourcing – a reminder of the data protection issues
The Data Protection Act 1998 is concerned with the way in which “personal data” are “processed” and seeks to protect the rights of individuals whose personal data is being processed mainly by placing duties on those who decide how and why such data is processed. A “data controller” is the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. “Personal Data” are data which relate to a living individual who can be identified either from those data or from those data considered together with other information which is in the possession or control of the data controller. Almost everything which a data controller does with personal data is likely to fall within the definition of “processing” for the purposes of the Data Protection Act, which describes it as obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.
Any processing which is outsourced to another organisation must still be carried out in accordance with the requirements of the Data Protection Act and the data controller remains responsible for ensuring that it is. The particular focus of both the Data Protection Act, and of the enforcement action taken by the Information Commissioner, is the technical and organisational security measures governing the processing to be carried out by a data processor on behalf of the data controller to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Readers will remember that the Act requires a data controller to enter into a written contract with a data processor under which the data processor agrees to act only on the data controller’s instructions and comply with the obligations which the Data Protection Act imposes on a data controller with regard to technical and organisational security of the data in question.
A recent monetary penalty notice imposed by the Information Commissioner on the Scottish Borders Council reinforced the importance of ensuring that any outsourced activities are the subject of a written contract and are properly supervised by the data controller. Readers will recall that this case related to the digitisation and disposal of records carried out by a contractor on behalf of the Council. The Council did not comply with the requirements of the Data Protection Act with the result that a significant breach occurred, for which the Council, as data controller, remained culpable.
Outsourcing – traditional and to the cloud
In a “traditional” outsourcing model, the data controller looking to outsource a particular function (for example, payroll processing) will typically speak to a number of providers, look at the service which each offers, possibly take up references and finally enter into a written contract both to ensure protection of the data controller’s confidential business information and to ensure compliance with the Data Protection Act. In this example, the payroll service provider (the data processor) has full access to the relevant employee data which it will actively process in order to provide the payroll services on the data controller’s behalf. The nature of the service, the identity of the provider and the location of the data being processed are all clearly understood. There is a relationship between the businesses involved.
In the context of the purchase of cloud services, however, the traditional outsourcing model is not necessarily relevant and there is no “one size fits all” solution. The precise role of the provider of the cloud service will need to be agreed, but it is quite possible that there will be no relationship between the businesses, particularly where a “layered” service is provided. It may be clear to the purchasing business where the data will be stored, but not necessarily. There may or may not be any active processing of the data controller’s data but there may be more than one data processor of the data stored in the cloud if a “layered” service is purchased. However, appropriate technical and organisational measures will still need to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. This will apply to the storage of the data in the cloud by each of the potential cloud service providers and will require some mechanism by which the data controller can satisfy itself of the cloud provider’s ongoing compliance with the requirements of the Act as to technical and organisational security.
Another key difference between traditional and cloud outsourcing is the whereabouts of the personal data in the cloud. Readers will know that the Act prohibits the transfer of personal data to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Whilst it is currently the case that no enforcement action has been taken in respect of the breach by data controllers of the prohibition on the transfer of personal data to non-EEA countries that do not offer adequate protection, this is nonetheless an issue of which purchasers of cloud services should be mindful. Many cloud providers are US based – and many commit to safe harbour principles – but not all. Clearly there are contractual solutions to this requirement and a purchaser of cloud services (assuming it has sufficient negotiating power to do so) should demand, as a minimum, that the basic safe harbour principles are incorporated into the contract.
Cloud computing services are now widely used and constitute an undoubted benefit in many organisations for certain applications and parts of their IT infrastructure. It is inevitable, however, that data protection issues remain to be resolved and, in many areas, data protection regulation continues to lag behind reality. Clearly, an organisation needs to take into account the nature of its business, the type of data to be processed in the cloud, the sensitivity of that data and the business risk associated with any loss of data. The risk might be reputational and/or financial in the event of enforcement action being taken by regulators.
In the meantime, consider, as part of any cloud-based solution:
• customer-managed security controls (such as encryption and identity management);
• contractually agreed standards, including the right to audit, the use of physical security, protected monitoring, data segregation controls and vulnerability management processes to secure data in the cloud; and
• the laws governing the interception and disclosure of data in respect of which you remain data controller for all jurisdictions in which it is to be stored or through which it is to be transmitted. Clearly this will require an element of due diligence in the process of selecting a cloud provider, more or less stringent in the context of the data concerned.