Speaking at the SC Magazine Data Protection Summit in London, Dr Simon Rice, group manager (technology) at the Information Commissioner's Office (ICO), said that when you use the cloud, your responsibilities as a data controller do not get outsourced "just because you outsourced".
He said: “This relates to the cloud as it does any other model, as it will operate and process your data as you instruct. You must undergo some due diligence on cloud providers, as a provider could process your data for their own purposes, such as social networks do for advertising, so you may be a joint controller, so you must be aware of what they are doing.”
Rice asked who can see your data and where it is, and said that delegates should consider how secure it is. He said that security, outsourcing and overseas transfer rules are new in the data protection world, but there are "old established problems in the new risks".
“Who has access to your data and will you be told about that? One is the data centre and everyone using it, so whose data is next to yours? Does it matter if they are doing something illegal with the data? It all falls under regulatory compliance as well as the Data Protection Act,” Rice said.
He continued his talk by saying that there needs to be a relationship between data controllers, such as a written contract, which is "more than clicking a button, as terms of service cannot be changed".
“Also how do you protect against breaches, as moving to the cloud doesn't protect against these issues? Look at how data gets onto a device, if you transfer data onto a USB stick or CD, how do you control that data and who has access to it? The key question is on where it is in the world, and get answers to the questions before it is moved out there.”
Also speaking at the event, Cameron Craig, partner at law firm DLA Piper, said that anyone who feels there is an exemption for cloud within data protection law should realise there is none: there is nothing special for cloud, as it is standardised by the regulatory framework around it.
He said: “Understand the different layers where your data is going to be held and what type of cloud you are talking about. Private is no different from own environment; public is a little different. From a legal perspective, moving to a software-as-a-service (SaaS) model is more in the hand of the supplier, so there is more vulnerability and less control around what you want to put in. Don't just simply take what is offered to you.”