Guidance on the use of cloud computing

20120611

Version: 0.2

Document history and version control

Existing published guidance version number (for use where guidance produced under the 2011/2012 Guidance Review is being amended): N/A

| Name / team                               | Version number | Date       | Comments / outcome |
| Author: Simon Rice                        | 0.1            | 13.04.2012 |                    |
| Any cross-office consultation: Simon Rice | 0.2            | 11.06.2012 |                    |
| Line manager                              | 0.3            |            |                    |
| Corporate Affairs                         | 0.4            |            |                    |
| Online Communications Team                |                |            |                    |

| Name                                                                                                         | Version number | Status | Date | Comments / outcome |
| Final draft of guidance approved by Monthly validation meeting or by xxxxx (delete / complete as appropriate) | 1.0            |        |      |                    |
| Published                                                                                                    | 1.0            |        |      |                    |
| Scheduled review (NB next version will be version 2.0)                                                       |                |        |      |                    |

Guidance on the use of cloud computing

Data Protection Act 1998

Contents


Overview
Introduction
What is cloud computing?
    Definitions
    Deployment models
        Private cloud
        Community cloud
        Public cloud
        Hybrid cloud
    Service models
        Infrastructure as a Service (IaaS)
        Platform as a Service (PaaS)
        Software as a Service (SaaS)
    Layered services
How does the Data Protection Act apply to information processed in the cloud?
    Identify the data controller
        Data controller in a private cloud
        Data controller in a community cloud
        Data controller in a public cloud
    Responsibilities of the data controller
        Select which data to move to the cloud
        Assess the risks
        Select which cloud service is right for your data
        Monitoring performance
        Informing the cloud users
        Get a written contract
    Selecting a cloud provider
        Assessing the security of a cloud provider
        Protecting your data
        Access control
        Data retention and deletion
        Provider access
        Operating internationally
        Multi-tenancy environment
        Reliability and resilience
        Further processing
        Train your staff
        Rights of the cloud users
    Other considerations
        Connectivity to the cloud
        Vendor lock-in
        Scalability
Checklist
More information


The Data Protection Act 1998 (DPA) is based around eight principles of ‘good information handling’. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

An overview of the main provisions of the DPA can be found in The Guide to Data Protection.

This is part of a series of guidance, which goes into more detail than the Guide, to help organisations to fully understand their obligations, as well as to promote good practice.

This guidance explains what you should consider prior to a move to cloud computing for the processing of personal data.



Overview

Cloud computing services offer organisations access to a range of technologies and service models typically delivered over the internet.

Organisations which maintain and manage their own computer infrastructure may be considering a move to cloud computing to take advantage of a range of benefits which may be achieved, such as increased security, reliability and resilience for a potentially lower cost.

In considering a move to cloud computing an organisation may encounter risks to data protection which were not relevant to the processing they were undertaking.

This guidance offers a set of questions and approaches an organisation should consider, in conjunction with a prospective cloud provider, in order to ensure that the processing of personal data in the cloud remains in compliance with the DPA.


Introduction

1. A shift towards a greater use of cloud computing is well underway. Innovative products, mobile access to data and affordable pricing structures are often cited as key drivers for an organisation to consider a move to cloud computing. Cloud services also offer an affordable route for smaller organisations (including start-up companies) to cope with rapid expansion. The UK Government’s commitment to adopt greater use of cloud services is demonstrated in the G-Cloud programme which has put together a catalogue of information and communications services available to the UK public sector.

2. The ICO published the Personal Information Online Code of Practice in July 2010. The code explains how the DPA applies to the collection and use of personal data online. It provides good practical advice for organisations that do business or provide services online.

3. The Personal Information Online Code of Practice briefly discussed the use of cloud computing in relation to processing personal data online. Given the increased usage of this technology, it is important to provide greater clarity and expand on the specific data protection requirements which must be considered in order to comply with the law.




4. The Personal Information Online Code of Practice can be accessed from the following URL:

http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online.aspx

5. This guidance on the use of cloud computing is primarily focused towards organisations in the process of considering a move to cloud services and what they should consider.

6. Cloud providers should use this guidance so that they are aware of the information that they should be providing to their current and prospective cloud customers.

What is cloud computing?

7. Cloud computing is a term used to describe a wide range of technologies so it is important to clearly define what is meant by its usage in this guidance.

8. A broad definition of the term is being used in this document in order to encompass all implementations of cloud computing.

Definitions

9. Cloud computing is defined as:

access to computing resources, on demand, via a network

10. To explore this definition in more detail:

computing resources: This can include, amongst others, storage, processing and software.

on demand: The resources are available on a scalable and elastic basis which typically involves the dynamic provisioning of virtualised resources. Users are often billed for the level of resource used.

via a network: The transit of data between the cloud provider and cloud customer and/or the cloud user. The transit of data may be over a local or private network or across the internet.

11. For further clarity three groups of individuals will be defined as involved in the use and delivery of cloud services.




12. Cloud provider: The organisation that owns and operates a cloud service. (Note: More than one cloud provider may be involved in the supply chain of a single cloud service.)

13. Cloud customer: The organisation who commissions a cloud service for a particular purpose.

14. Cloud user: The end user of a cloud service.

Deployment models

15. Cloud computing can be deployed in a number of different ways.

16. Private cloud: The cloud customer is the sole user of the cloud service. The underlying hardware may be managed and maintained by a cloud provider under an outsourcing contract. Access to the cloud service may be restricted to a local or wide area network.

17. Community cloud: A group of cloud customers access the resources of the same cloud service. Typically the cloud customers will share specific requirements such as a need for legal compliance or high security which the cloud service addresses. Access to the cloud service may be restricted to a wide area network.

18. Public cloud: The infrastructure, platform or software is managed by the cloud provider and made available to the general public (cloud customers and cloud end-users). Access to the cloud service is likely to be over the public internet.

19. Hybrid cloud: Describes a combination of private, community and public clouds. A cloud customer will segregate data and services across different cloud services with access between them restricted depending on the type of data they contain.

Service models

20. Although the term cloud computing may be applied to a range of technologies there are three main types of cloud service.

21. Infrastructure as a Service (IaaS): An IaaS cloud offers access to the raw computing resources of a cloud service. Rather than purchasing hardware themselves a cloud customer can purchase access to a cloud provider’s infrastructure according to the amount required.






22. Example

A software development company is building an application for a client. They need to test the application before transferring to the live environment. By using an IaaS cloud service they can simulate an environment which is identical to the live server (except for using dummy data) without the need to purchase additional hardware for the relatively short task.

At the end of the testing process all data can be deleted from the cloud service and the application delivered to the client.

23. Platform as a Service (PaaS): A PaaS cloud offers access to a computing platform which allows cloud customers to write applications to run within that platform, or another instance of it. The platform may in turn be hosted on a cloud IaaS.

24. Example

A social networking service offers a platform which allows software developers to create third party applications which leverage the existing functionality of the site, eg functions to access user data or the ability to post messages to other users. The products developed by third parties will only operate within the confines of the social network platform.

25. Software as a Service (SaaS): A SaaS cloud offers access to a complete software application typically accessed by the cloud user through a web browser. Accessing the software in this manner eliminates the need to install software on the client machine and allows the service to support a wider range of devices. The software may in turn be hosted on a cloud platform or infrastructure.







26. Example

A start-up company is rapidly expanding and wants to use customer relationship management (CRM) software to keep track of their customers and sales. They identify a cloud provider offering CRM software accessed through a web browser as most appropriate for their needs.

Each employee within the company is given a username and password to access the software to enter new data or to access existing data. The software can be accessed by employees whilst working away from the office.

Layered services

27. As indicated in the description of service models, one cloud service can be layered on top of another. The cloud provider offering one part of the cloud service (eg the software) does not have to be the same as the cloud provider operating another component (eg the cloud platform or infrastructure).

28. So-called ‘layered services’ mean that a confusing supply chain of cloud providers can result.

29. Example

Company A provides a calendar and scheduling software hosted in the public cloud. The software allows cloud users to schedule appointments and access the appointments of other users (where they are authorised to do so).

The cloud software is owned by Company A and offered as a cloud computing SaaS product.

Company A host their software on the IaaS cloud which is owned and operated by Company B.


How does the Data Protection Act apply to information processed in the cloud?

30. The DPA applies to the processing of personal data. Processing has a very broad definition and is likely to include most types of processing that occurs to personal data in the cloud.

31. The DPA defines personal data as data which relate to a living individual who can be identified from that data or from that data and other information which is in the possession of, or likely to be in the possession of, the data controller.

32. If you are a data controller for data you currently process this will continue to be the case if you move that processing to the cloud.

33. The definition of personal data includes information being collected and analysed with the intention of distinguishing one individual from another and to take a particular action in respect of an individual. This can take place even if no obvious identifiers, such as names or addresses, are held.


Identify the data controller

34. The data controller has ultimate responsibility for complying with the DPA. The use of layered services means that it is possible that a number of data controllers and data processors working on their behalf could be acting together to deliver content or services which involve the processing of personal data in the cloud.

35. In cloud computing it will be the cloud customer who will be regarded as the individual who determines the purposes for which and the manner in which any personal data are being processed.

36. Therefore it is the cloud customer who will most likely be regarded as the data controller.

37. The precise role of the cloud provider will have to be reviewed in each case in order to assess whether or not they are processing personal data and, if they are, if they are acting as a data processor or a data controller in their own right.

Data controller in a private cloud

38. Identifying the data controller in a private cloud can be quite straightforward in that the cloud customer will clearly dictate the precise purposes of processing which will be undertaken within the cloud service.

39. If a cloud provider is contracted to maintain any underlying infrastructure then they are likely to be a data processor if they are processing the data on behalf of the data controller. This will include tasks such as allocating computing resources, performing and storing back-ups, providing support etc.



Data controller in a community cloud

40. In a community cloud there is likely to be more than one individual data controller accessing the cloud service. If there is no sharing of data between the organisations each will likely remain as independent data controllers.

41. If one of the data controllers is also maintaining the cloud infrastructure (ie acting as a cloud provider) they may now be also assuming the role of a data processor with respect to each of the other data controllers.

42. If the cloud customers intend to share data between themselves they must take the time to clarify their roles. The ICO has previously published the Data Sharing Code of Practice which will help in this regard.

43. The Data Sharing Code of Practice can be accessed from the following URL:

http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/data_sharing.aspx

Data controller in a public cloud

44. In a public cloud the Information Commissioner recognises that a cloud customer may find it difficult to dictate the specifics of data processing to a large (and perhaps global) cloud provider. However, this cannot be an excuse for a data controller not fulfilling their responsibilities required by the DPA.

45. There are a wide variety of cloud services available which will enable the cloud customer to choose a cloud service which best suits their specific needs. In selecting the most appropriate cloud provider they will be dictating the manner in which any personal data are being processed.

46. Furthermore, where cloud providers are tasked by the data controller to determine specific technical or organisational means to achieve the purposes of processing determined by the data controller, this is not sufficient for the cloud provider to be classed as a data controller in their own right.

47. Where a cloud provider plays a role in defining the purposes of processing (such as using the personal data for their own purposes) then they will also be acting as a joint data controller.





48. Example

An organisation wishes to expand their online presence to include social media. The organisation develops a third-party application to run within a social network platform.

The organisation will be a data controller for any personal data they process through users choosing to use their application integrated with the social network or for any other data collected through usage of the application.

The social network platform will be acting as a data controller for any personal data processed by the social network, which may also include processing for advertising and marketing purposes.

Where the personal data is being used by both organisations they shall be a joint data controller.


Responsibilities of the data controller

49. In addition to the responsibilities relating to collection, storage and retention of personal data outlined in the Personal Information Online Code of Practice, the use of cloud computing may introduce a set of compliance requirements which a data controller may not have previously encountered.

50. Cloud computing is not a one-size-fits-all product and in many cases can be tailored to fit the specific needs of an organisation. Therefore the set of compliance requirements will also be specific to the particular cloud service being considered.

51. Any organisation considering a move to the cloud must have a clear understanding of their needs and obligations in order to ensure that their cloud provider is appropriate.

Select which data to move to the cloud

52. It is important to remember that a data controller does not have to move all their data into the cloud or into the same cloud service.

53. Some types of personal data could have a greater privacy impact potential than others. With this in mind the data controller should review the personal data they process and determine which may or may not be appropriate to process in the cloud.




54. The data controller should also bear in mind that using cloud services may give rise to more personal data being collected. For example, the usage statistics or transaction histories of the cloud users may start to be recorded. This ‘metadata’ may also be personal data in certain circumstances and the data controller should ensure that they know what is being collected, whether it is necessary and make sure the cloud users (as the data subjects) are provided sufficient information.

Assess the risks

55. Before considering which cloud service or cloud provider is right for an organisation the data controller must also consider how they intend to process personal data in the cloud.

56. Once you are clear which personal data you hold and how you intend to process it in the cloud you can then assess the risks and take appropriate steps to mitigate those risks.

57. Example

A school is considering expanding their computer facilities by converting two classrooms to computer rooms. Traditionally this would require the appropriate software licences for each computer. If they switch to a cloud-based SaaS model for some software they expect to have lower overall licensing and maintenance costs.

An online productivity suite will allow students remote access to their work and other educational resources. If personal data such as student assessment, attainment or attendance data were transferred to the cloud service they would not be adequately protected against unauthorised access.

With these risks in mind the school can now start to select a cloud provider which will provide the best guarantees that this type of breach cannot occur. This may include aligning with staff training and policy or limiting access to the cloud service by location and retaining the existing network for staff to process personal data of the students.


Select the right cloud service and cloud provider

58. A wide range of cloud services exist, of which many could be used to achieve a specific goal. However, it may be more appropriate to use a cloud service which was designed specifically for the intended purpose rather than one which could be adapted as there is a risk that these customisations may unintentionally introduce a set of risks to the personal data.

59. Different cloud providers and cloud services are at different stages of maturity and some services may target particular market segments. For example, some cloud services may be particularly focused towards the consumer whereas others will be bespoke tools built for particular niche organisations.

Monitoring performance

60. The obligations of the data controller will not end once a cloud provider is chosen. A continual cycle of monitoring, review and assessment will be required to ensure that the cloud service is running in the manner expected and as the contractual agreement stipulates.

61. In the case of layered services the data controller must be kept informed about changes in any chain of sub-processors which may take place during the course of providing a cloud service.

Informing the cloud users

62. The data controller may also need to take appropriate steps to inform the end users of the cloud service of the arrangements in place.

Get a written contract

63. The DPA requires the data controller to have a written contract with the data processor which states that:

- The data processor is to act only on instructions from the data controller.

- The data processor will comply with obligations equivalent to those imposed on a data controller by the seventh principle.

64. The existence of a written contract means that the cloud provider will not be able to change the data processing operations during the lifetime of the contract without your knowledge and agreement.

65. In the case of joint data controllers, each party should have a clear understanding of their obligations. Joint data controllers may find that a data sharing agreement will assist in this regard. The Data Sharing Code of Practice can be accessed from the following URL:

http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/data_sharing.aspx



66. Example

An organisation wants to add a forum to its website to allow customers to interact and give feedback on its products and services.

As the data controller, the organisation informed the cloud provider that they should not further process the personal data of the forum users (eg to use the email address for third-party advertising).

At a later date, the cloud provider attempted to update the terms and conditions in an effort to permit them to change the conditions of processing.

The existence of a written contract between the cloud customer and cloud provider meant that this change of processing could not take place and the personal data was protected from such further processing.


Selecting a cloud provider

67. An important part of selecting the right cloud provider will be an assessment of the security that the cloud provider has in place. It is important to remember that security is not the only aspect of data protection which must be considered in assessing if a cloud computing provider is appropriate.

68. This section aims to highlight a number of important aspects to consider and a range of questions you should ask a cloud provider if they have not provided you with this information already.

Assessing the security of a cloud provider

69. As a data controller, the DPA requires that:

“appropriate technical and organisational measures are taken against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

70. Furthermore, when the processing is undertaken by a data processor, the data controller must:

“(a) choose a processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.”


71. One of the most effective ways to assess the security measures of a data processor would be to inspect their premises. The Information Commissioner recognises that, particularly in the case of the public cloud, this is unlikely to be practicable as the disclosure of the precise location of the data centre could compromise the security of the cloud service itself. Furthermore, a cloud provider would be unable to permit access to each of its prospective and current customers individually for the purposes of an audit.

72. Therefore, the cloud provider should arrange for an independent third party to conduct a detailed security audit of the service and be able to provide a copy of this assessment to prospective cloud customers. The assessment must be sufficiently detailed to allow the cloud customers to be able to fulfil their obligations as data controllers to assess the security measures in place.

73. The assessment should include the physical, technical and organisational security measures in place and be appropriate for the particular cloud service.

74. In the case of layered cloud services, this assessment should include appropriate assurances that the security of each sub-processor likely to be involved in the processing of the data controller’s data will comply with security requirements set out by the cloud provider.

75. The cloud provider should also be able to provide the data controller with regular updates to ensure that appropriate security measures continue to be in place.

76. To assist data controllers in assessing the security offered by a cloud provider, the Information Commissioner supports the creation of an industry recognised standard or kitemark. Such a scheme would ensure that data controllers can compare between cloud providers and be confident that the provided assessment was sufficiently thorough. Data controllers must however recognise that the existence of a kitemark or other industry standard can only assist in the assessment of suitability of a cloud provider and does not lessen the obligations under the DPA such as the need for a written contract and the ongoing monitoring of performance.

Protecting your data

77. Encryption is a technology which allows a data controller to ensure that their data can only be accessed by authorised individuals who have the correct key.

78. Data “in transit” between cloud users and the cloud service must be secure and unable to be intercepted. This can be achieved by using an encrypted protocol. The encryption algorithm used should be a recognised industry standard.

79. The cloud provider must also be able to give assurances that data in transit within the cloud service is also appropriately secured. This will include data transferred between data centres which may be separated geographically.

80. The data controller should also consider if it is appropriate to use encryption on data “at rest” (ie when stored within the cloud service). This will depend on the type of processing being undertaken in the cloud.

81. For example, in a data storage scenario, data could be encrypted before it leaves the cloud user’s device. In a SaaS cloud, it is more difficult to insist upon encryption because the cloud provider may need access to the data in order to perform the necessary processing.

82. If encryption is used as a technical measure to secure data it is also important to consider the security of the key. A robust key management solution is crucial to maintain the level of protection encryption can offer.

83. It is also important to note that a lost encryption key could render the data useless and could be considered as accidental loss or damage to personal data, which is also a breach of the DPA.





84. Example

An organisation performs weekly back-ups on a manual basis which are stored on external drives. The drives are stored in a locked cabinet when not in use.

Moving to a cloud-based backup solution has a number of benefits including: automating the process; the ability to run nightly back-ups; storing back-ups off-site; and reduced risk of theft.

The organisation opts for a cloud-based backup solution which encrypts files before they are transmitted over a secure connection to the cloud provider. The key is kept in the secure possession of the data controller.

The cloud provider is therefore unable to view or otherwise further process the data other than to maintain access to and availability of the data.

The organisation tests the back-up service by attempting to restore files held in the cloud on a regular basis.
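Paragraphs 77 to 84 describe one pattern: the backup is encrypted on the cloud user’s device with a key the data controller keeps, so the provider holds only ciphertext, and restores are tested regularly; a lost key (paragraph 83) leaves the data unreadable. The Go program below is an added illustration of that pattern written for this page, not code from the ICO or from any backup product; it assumes AES-256-GCM as the recognised standard algorithm, and the type and function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// BackupKey is a 256-bit key held only by the data controller, never sent to the provider.
type BackupKey [32]byte

// NewBackupKey draws a fresh random key.
func NewBackupKey() (BackupKey, error) {
	var k BackupKey
	_, err := rand.Read(k[:])
	return k, err
}

func newGCM(key BackupKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals a backup with AES-256-GCM on the cloud user's device before upload.
// Output layout: nonce || ciphertext || tag, so the nonce travels with the blob.
func EncryptBackup(key BackupKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup. A wrong (or lost) key, or a blob
// altered in storage, fails authentication and returns an error, never garbage.
func DecryptBackup(key BackupKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("backup blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// RestoreTest is the regular restore check from the example: decrypt the stored
// blob with the held key and compare it to the SHA-256 recorded at backup time.
func RestoreTest(key BackupKey, blob []byte, expectedSum [32]byte) bool {
	pt, err := DecryptBackup(key, blob)
	return err == nil && sha256.Sum256(pt) == expectedSum
}

func main() {
	key, _ := NewBackupKey()
	backup := []byte("constructed sample: client records") // not real data
	sum := sha256.Sum256(backup)
	blob, _ := EncryptBackup(key, backup)
	lost, _ := NewBackupKey() // a different key stands in for a lost one
	fmt.Println(RestoreTest(key, blob, sum), RestoreTest(lost, blob, sum)) // true false
}
```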


Access control

85. One of the benefits of using a cloud service is the ability to access a single repository of the data from any location. This means that cloud users can access the same data from the office or home and from a range of different devices. However, if users can access the data from a range of different locations the data controller must consider which controls are stopping unauthorised individuals from accessing the data.

86. If a cloud service offers an authentication process (eg using a username and password system) then each cloud user must have their own account.

87. There must also be a system in place to create, update, suspend and delete user accounts to remove access from employees when they leave the organisation or to reset forgotten or lost and stolen credentials.





88. Example

An organisation has implemented a cloud-based email service for its employees. Employees can access this account from the office, personal computers at home and mobile devices such as smartphones and tablets.

An employee accessed the email service from a personal computer at home. The PC had no security protection in place and was infected with key-logging malware. The employee’s username and password were captured and transmitted to the malware author, who was then able to gain unauthorised access to the email account, the contents of which contained personal data of the organisation’s clients.

This breach of personal data occurred because the data controller did not adequately protect against unauthorised access to the cloud service.


Data retention and deletion

89. When data are deleted they are rarely removed entirely from the underlying storage media unless some additional steps are taken. In addition to this, a cloud provider is likely to have multiple copies of data stored in multiple locations to provide resilience and redundancy. This may include back-up tapes or other media not directly connected to the cloud. Copies of personal data stored in a cloud service may also be included in other forms such as index structures, which also need to be considered.

90. The data controller must ensure that the cloud provider can provide assurances that they can delete all copies of personal data within a timescale that is appropriate to the needs of the data controller.

91. These assurances should include details on what will happen to personal data if an organisation decides to withdraw from the cloud service in the future.

Provider access

92. If the cloud provider is managing the computing resources on behalf of the data controller it is likely that they would be able to access copies of the data. Access may be authorised for actions such as the provision of support services. However, access may also be unauthorised and lead to a disclosure, deletion or modification of personal data.




93. There must be clear policies in place to specify under what circumstances the cloud provider will access personal data processed in the cloud, including a description of the audit processes in place such that the data controller will be alerted if unauthorised access, deletion or modification occurs.

Operating internationally

94. The computing resources managed by a cloud provider may be located outside the UK. A large cloud provider may also have a number of data centres, each of which could be located in a different country. This distributed architecture improves redundancy and resilience but also means that it can be difficult to know precisely where data are located.

95. The DPA requires that:

“personal data shall not be transferred to any country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

96. As data controller, you should also be aware of other legislation in countries where the cloud provider (or any parent company) is established and in any country where your data may reside. This may also include applicable local laws such as those arising from a particular state or province.

97. Specific risks in this regard include a copy of the data being disclosed, or a disruption in availability of the cloud service, in response to a request from a foreign law enforcement power.

98. You should ask a cloud provider for a list of countries where data are likely to be processed and for information relating to the safeguards in place at these locations. The cloud provider should also be able to provide information regarding under which circumstances data may be transferred to these locations.

99. In the case of layered cloud services, information relating to the location of each sub-processor likely to be involved in the processing of your data should also be provided by the cloud provider with details of the security arrangements in place.

100. If a cloud provider is unable to provide appropriate assurances that personal data will remain within the EEA then the data controller must make sure that there is adequate protection in the country where that data is to be transferred.




101. The data controller’s first stage of assessing adequacy is to conduct a risk assessment. An important component of this risk assessment is to ensure appropriate technical and organisational security measures, especially where the cloud provider is acting as a data processor on your instructions under contract.

102. A data controller may wish to use EU model clauses in a contract with a data processor to provide an adequate level of protection. If you use these model clauses in their entirety in your contract you will not have to make your own assessment of adequacy, but you must make sure that they are appropriate for the type of transfer you intend to undertake.

103. More information for data controllers who want to send personal data outside the EEA can be found at the following URL:

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_8.aspx





104. Example

An IaaS cloud provider operates six data centres: two in the EEA; two in North America; and two in Asia.

The technical implementation of the cloud service means that the cloud provider is able to provide sufficient assurances that all data will be stored in a geographical area which the data controller specifies. The cloud provider has also provided a location for each of the data centres.

The cloud customer selects that its data will only be processed within the EEA. This specification is included within the written contract with the cloud provider and assured as part of a regular independent security assessment.

The cloud provider also has a support centre which is located in the USA. In the event of the cloud customer requiring technical support this may constitute an overseas transfer of personal data.

For the purposes of this processing, adequate protection may be assured for the transfer to the support centre through appropriate technical and organisational security mechanisms, which may include limiting the personal data involved and ensuring that data is deleted within a short timescale. There must also be a contract governing how the information will be used.






105. Example

An IaaS cloud provider operates six data centres: two in the EEA; two in North America; and two in Asia.

The technical implementation of the cloud service means that data may be distributed across any one of the six data centres. The cloud provider is able to provide appropriate assurances that no single data centre is likely to contain a complete and intelligible copy of the cloud customer’s data. The cloud provider has also provided a location for each of the data centres.

The data will remain within the cloud provider’s own network of data centres, the security of which is assured through a regular independent assessment.

For the purposes of this processing it is likely that adequate protection exists if the locations of the data centres are not in unstable countries and the level of security offered by the service is appropriate for the nature of the information and the circumstances of the transfer. There must also be a contract governing how the information will be used.

106. If a cloud provider was required to comply with a request for information from a foreign law enforcement agency, and did so, the Information Commissioner would take the view that the cloud provider will be the data controller in respect of that disclosure rather than the cloud customer. This is because the cloud provider made the decision to disclose based on a legal obligation it was under, regardless of the cloud customer’s wishes.

107. Regulatory action against the cloud customer would be unlikely so long as they made a proper assessment taking into account the powers of law enforcement agencies and others to access the data in the jurisdictions where the cloud provider is located. If the powers of the law enforcement agencies or others are comparable to those of similar organisations in the EEA then they are unlikely to render the level of protection inadequate.

108. Regulatory action against a cloud provider, in its role as a data controller, is unlikely provided it is responding to a request it is legally obliged to comply with.




Multi-tenancy environment

109. A single cloud provider will be acting as a data processor for many data controllers and, in turn, supporting what could be a very large number of cloud users. This efficient use of computing resources gives rise to many of the cost savings which cloud computing can deliver. However, the result is that cloud customers will find that their data is being processed alongside that of the cloud provider’s other customers.

110. The cloud provider must have a robust set of safeguards in place that protect against the chance of one cloud client eavesdropping on the activities of another, but the cloud provider will also need to be able to ensure that the activities of one client will not impact on those of another.

Reliability and resilience

111. Using a dedicated computing provider can help safeguard against outages by providing a more reliable and resilient service. However, the data controller must also consider the consequences if a cloud provider was to suffer a major fault which took them offline.

112. It might be appropriate for a data controller to consider storing a copy of their data in an alternative location in the event of an outage, or to retain the ability to switch to an alternative system.

113. The cloud provider must also be able to demonstrate that they can reliably store and maintain access to data processed in the cloud service without unintentional alteration.

Further processing

114. A cloud provider may want to process the personal data processed in the cloud service or collected about the cloud users for additional services, or to share some data with other third parties.

115. It is important to remember that a number of SaaS products are supported by advertising which requires processing the personal data of the cloud users.

116. The data controller must be aware of the types of further processing which may be undertaken by the cloud provider and determine the most appropriate method to ensure that the cloud users are adequately informed about such processing.




117. The cloud provider must not process the cloud customer’s or cloud user’s personal data without the agreement of the data controller.

Train your staff

118. The data controller must also recognise that a switch to cloud computing can introduce a different set of data protection risks of which the cloud users may not be aware.

119. The cloud provider might also have implemented controls which enable the data controller to configure the security settings of the cloud service. In this case, the data controller must ensure that there are appropriate training and procedures in place to make sure that the security of the data remains intact.

120. Procedures and policies in place must also have an audit function in place to ensure that the policies which are in place are being adhered to.

121. Example

A training organisation emails documents (training packs, copies of presentations, etc) to course delegates. They also email the names and contact details of delegates to the course tutor. This puts a substantial load on the email server and the organisation decides to switch to a cloud-based file sharing service rather than upgrade the email server.

The training packs do not contain personal data but the delegate list does. For this reason, the organisation decides to continue to email the delegate list to the course tutor.

A member of staff is uploading the course packs but, instead of emailing the delegate list to the course tutor, also uploads this to the file sharing website. The delegate list is now publicly available.

This breach of personal data occurred because the member of staff was not aware that the file sharing website was a public website where anyone could access the data, and so was unaware of the consequence of their actions.


Rights of the cloud users

122. The data controller must also consider the impact that a move to a cloud service will have on the data subjects. This is particularly important in terms of the rights of the data subject, such as access and the right to object to processing of their personal data.


123. A new cloud service has the opportunity to be developed in a user-centric manner whereby the cloud users can view, edit and delete personal data about themselves. If this is the case, effective identity assurance mechanisms must be in place to protect against unauthorised disclosures.

Other considerations

124. There are a number of other considerations which a data controller should take into account when considering a move to the cloud. Whilst these may not be directly concerned with data protection requirements, the effects may impact upon the service delivered to the cloud users.

Connectivity to the cloud

125. Connecting to a public cloud provider or using a remote connection to a private cloud means your connection will typically be over the internet.

126. The cloud customer should consider the costs and means of connecting to the service but also the impact of any downtime on the cloud users.

127. For example, will the current internet connection cope with the additional traffic, or are there usage limits imposed by the internet service provider?

128. When considering the reliability and resilience of a cloud service the cloud customer should also consider the reliability and resilience of the connectivity provider (eg the internet service provider or other telecommunications provider).

Vendor lock-in

129. Moving data to the cloud could involve a significant investment, especially if this involves transferring existing data into a new system.

130. The cloud customer should ensure that they can withdraw from a cloud service and obtain a copy of their data in a standardised format to transfer to a new provider, and without prohibitive financial penalties.



Scalability

131. One of the benefits of cloud computing is the ability to scale up and down the level of computing resource available in response to peaks and troughs in demand.

132. A contract in place between the cloud provider and cloud customer should not impinge on this. For example, a SaaS provider may allow a cloud customer to increase the number of user accounts immediately but require each account to be kept open for a minimum of six months.



Checklist

133. Have you considered the following?

Risks

Make a list of the personal data you hold and how you intend to process it in the cloud.

Confidentiality

Can your cloud provider provide an appropriate third-party security assessment? Does this comply with an appropriate industry code of practice or other quality standard?

How quickly will the cloud provider react if a security vulnerability was identified in their product?

What are the timescales and costs for creating, suspending and deleting accounts?

Is all communication in transit encrypted? Is it appropriate to encrypt your data at rest? What is the key management in place?

What are the data deletion and retention timescales? Does this include end-of-life destruction?

Will the cloud provider securely delete all of your data if you decide to withdraw from the cloud in the future?

Integrity

What audit trails are in place so you can monitor who is accessing which data?

Make sure that the cloud provider allows you to get a copy of your data, at your request, in a usable format.

How quickly could the cloud provider restore your data (without alteration) from a back-up if they suffered a major data loss?

Availability

Does the cloud provider have sufficient capacity to cope with a high demand from a small number of other cloud customers?

How could the actions of other cloud customers or their cloud users impact on your quality of service?

Can you guarantee that you will be able to access the data or services when you need them?

Find out if your data, or data about your cloud users, will be shared with third parties or shared across other services the cloud provider may offer.

How will you cover the hardware and connection costs of cloud users accessing the cloud service when away from the office?

If there was a major outage at the cloud provider how would this impact on your business?

Legal

Make sure you have a written contract in place with your cloud provider; this may need appropriate clauses to provide adequacy for international transfers.

How will the cloud provider communicate changes to the cloud service which may impact on your agreement?

Which countries will your cloud provider process your data in, and what information is available relating to the safeguards in place at these locations?

You should ask your cloud provider which of your data, and under what circumstances, may be transferred to other countries.

Can your cloud provider limit the transfer of your data to countries you do not consider appropriate in which to process your data?



More information

134. This guidance will be reviewed and considered from time to time in line with new decisions of the Information Commissioner, Tribunals and courts.

135. It is a guide to our general recommended approach, although individual cases will always be decided on the basis of their particular circumstances.

136. If you need any more information about this or any other aspect of data protection, please contact us: see our website www.ico.gov.uk.