Data Protection and the Cloud

Data Protection and the Cloud: Are the risks too great?

PAUL TICHER
Copyright Date: 2015
Published by: IT Governance Publishing
Pages: 83
https://www.jstor.org/stable/j.ctt155j47z
    Book Description:

    Applying the Data Protection Act to the Cloud

    The UK's Data Protection Act 1998 (DPA) applies to the whole lifecycle of information, from its original collection to its final destruction. Failure to comply with the DPA's eight principles could lead to claims for compensation from affected individuals and financial penalties of up to £500,000 from the Information Commissioner's Office, not to mention negative publicity and reputational damage.

    An expert introduction

    More than 85% of businesses now take advantage of Cloud computing, but Cloud computing does not sit easily with the DPA. Data Protection and the Cloud addresses that issue, providing an expert introduction to the legal and practical data protection risks involved in using Cloud services. Data Protection and the Cloud highlights the risks an organisation's use of the Cloud might generate, and offers the kind of remedial measures that might be taken to mitigate those risks.

    Topics covered include:

    - Protecting the confidentiality, integrity and accessibility of personal data
    - Data protection responsibilities
    - The data controller/data processor relationship
    - How to choose Cloud providers
    - Cloud security - including two-factor authentication, data classification and segmentation
    - The increased vulnerability of data in transit
    - The problem of BYOD (bring your own device)
    - Data transfer abroad, US Safe Harbor and EU legislation
    - Relevant legislation, frameworks and guidance, including:
        - the EU General Data Protection Regulation
        - Cloud computing standards
        - the international information security standard, ISO 27001
        - the UK Government's Cyber Essentials scheme and security framework
        - CESG's Cloud security management principles
        - guidance from the Information Commissioner's Office and the Open Web Application Security Project (OWASP)

    Mitigate the security risks

    Mitigating security risks requires a range of measures used in combination to provide end-to-end security. Moving to the Cloud does not solve security problems; it simply adds another element that must be addressed. Data Protection and the Cloud provides information on how to do so while meeting the DPA's eight principles.

    eISBN: 978-1-84928-713-5
    Subjects: Law, Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. PREFACE
    (pp. 5-7)
  3. ABOUT THE AUTHOR
    (pp. 8-8)
  4. ACKNOWLEDGEMENTS
    (pp. 9-9)
  5. Table of Contents
    (pp. 10-11)
  6. INTRODUCTION
    (pp. 12-13)

    This book is intended to be an introduction to the risks involved in cloud sourcing, and to enable managers to ask the right questions. Suggestions are offered for the kind of risks an organisation’s use of the cloud might generate, and the kind of remedial measures that might be taken. These are given as examples only and are not intended to be a substitute for qualified legal or technical advice. Other publications from ITGP, listed at the end of this book, address security in more detail.

    Cloud security has to be a joint effort between the provider and the customer....

  7. CHAPTER 1: BACKGROUND – THE DATA PROTECTION PRINCIPLES
    (pp. 14-20)

    As most readers probably know, the Data Protection Act is based on eight legally-binding principles. Being principles rather than precise stipulations, these describe the outcome that must be achieved, not the means of doing so. Every organisation has a significant degree of flexibility in deciding how to comply.

    The Act applies to the whole lifecycle of information, from its original collection to its final destruction. See the definition of ‘processing’ below.

    It is usually necessary to be able to demonstrate, through policies and procedures, staff training and other measures, how an organisation ensures that all of its actions comply with...

  8. CHAPTER 2: THE DATA CONTROLLER/DATA PROCESSOR RELATIONSHIP
    (pp. 21-26)

    Responsibility for compliance with the data protection principles and other aspects of the Act lies with the ‘Data Controller’.

    The Data Controller is defined in the Act as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed”. ‘Person’ in this context very rarely means an individual (or ‘natural person’). Instead, in most cases the Data Controller will be an organisation, although individuals who are in business on their own account can also be Data Controllers. It is important to note...

  9. CHAPTER 3: SECURITY (SEVENTH DATA PROTECTION PRINCIPLE)
    (pp. 27-33)

    Security is one of the most important safeguards in preventing harm to individuals. The seventh principle says that you must take steps to prevent:

    - Unauthorised access
    - Accidental loss or damage.

    These steps must be ‘technical and organisational’, and they must be ‘appropriate’ in terms of the technical options available, and also in terms of the harm that would result in the event of unauthorised access, or loss, or damage.

    ‘Organisational’ security measures should always include attention to human factors. In any security breach, at least part of the chain of causation is likely to be an individual taking, or failing...

  10. CHAPTER 4: MITIGATING SECURITY RISKS IN THE CLOUD
    (pp. 34-49)

    Mitigating security risks requires a range of measures to be used in combination, in order to provide the end-to-end security discussed above. This publication is not intended to give a detailed description of the technical measures available, and readers with more technical expertise may well be aware of other measures that are appropriate in their particular situation.

    Security – like other aspects of data protection – is not something that should be added on as an afterthought. Security should be built into an organisation’s infrastructure and become part of how the organisation does business in every respect. Moving to the cloud does...

  11. CHAPTER 5: TRANSFERS ABROAD (EIGHTH DATA PROTECTION PRINCIPLE)
    (pp. 50-56)

    If personal data is transferred outside certain European countries, the provisions of the eighth Principle come into play. Storing data on a cloud provider’s system abroad counts as a transfer, even if the data is not intended to be used anywhere outside the UK.

    As discussed above, it is quite common for a cloud application to be provided by a chain of subcontractors. It is necessary to examine the entire chain in order to assess whether the eighth Principle is engaged.

    The eighth Principle aims to achieve an equivalent level of protection for data transferred abroad to that it would...

  12. CHAPTER 6: OTHER DATA PROTECTION PRINCIPLES
    (pp. 57-62)

    Although the seventh and eighth data protection principles are those with the greatest relevance to cloud computing, it is worth looking briefly at the other six.

    This principle, as well as making a general requirement of fairness, specifies that Data Subjects must have ready access to information about who is using their data and what for – the Transparency requirement – and that they must, in some cases, give consent for this.

    There is also a requirement to indicate who – either in general or specifically – the data may be disclosed to or shared with. Transferring data to a cloud provider does not...

  13. CHAPTER 7: OTHER LEGAL AND TECHNICAL IMPLICATIONS FOR CLOUD CONTRACTS
    (pp. 63-67)

    The requirements for a contract between a Data Controller and a Data Processor have been discussed on page 23, while the contractual implications when cloud processors are based outside the EEA are discussed on page 52 onwards.

    This chapter looks briefly at other legal and technical issues with data protection implications.

    A major consideration is the requirement in the seventh data protection principle to take appropriate steps against accidental loss or damage to data, and the wider question of the data being available when required. Problems could arise from:

    - Loss of service at the provider’s end, if their system goes...

  14. CHAPTER 8: ENFORCEMENT
    (pp. 68-70)

    The potential costs of a data protection breach are incalculable, although many breaches do not in fact lead to seriously adverse outcomes. The three main risks are:

    - A fine (civil monetary penalty) from the Information Commissioner.
    - Compensation to affected individuals for damage and associated distress.
    - Reputational damage to the Data Controller responsible.

    The maximum fine is £500,000 (but see following chapter). The Information Commissioner’s strategy is to identify particularly serious breaches and impose sufficiently large penalties as to attract attention and encourage others to take steps to avoid ending up in the same situation. Research carried out for the Commissioner...

  15. CHAPTER 9: THE PROPOSED NEW EU REGULATION AND OTHER MEASURES
    (pp. 71-74)

    The EU Directive (95/46/EC), on which the Data Protection Act 1998 is based, was first mooted in 1993 and agreed in 1995. The intervening 20 years have seen dramatic technical changes which could not have been foreseen at the time. Cloud computing is one of these.

    Many would say that the Directive has actually coped quite well with these changes, as it was couched largely in terms of general principles and could therefore be seen as technologically neutral. Cloud computing and other developments have, however, started to raise issues that the existing data protection regime does not really have answers...

  16. CHAPTER 10: CHECKLIST
    (pp. 75-77)

    Throughout this publication various recommendations have been made. They are summarised here for convenience.

    Before embarking on a cloud computing development, ensure that your organisation’s information (and especially IT) security framework is sound, and that responsibility for information security is clearly allocated.

    Ensure that your organisation’s approach to data protection compliance is well thought out, and that responsibility is clearly allocated.

    Before selecting a cloud provider, consider whether your data needs to be retained in the European Economic Area, and if so, make this a key selection criterion.

    For all cloud providers under consideration, check the contract (or standard terms...

  17. REFERENCES
    (pp. 78-78)
  18. ITG RESOURCES
    (pp. 79-83)