ICO Warns Businesses Over Data Protection In The Cloud

Businesses are responsible for the security of their data, even when it is held on cloud providers’ infrastructure, says ICO

The Information Commissioner’s Office (ICO) has issued guidance on cloud computing, warning that businesses need to remember that under British law they are responsible for whatever happens to their data.

The guidance includes advice on seeking assurances on data security in the cloud and assessing the physical security of cloud vendors’ data centres. It also recommends ensuring companies secure proper service level agreements (SLAs) from providers.

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility,” said Dr Simon Rice, ICO technology policy advisor.

Don’t be naïve

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.

“Figures show that consumers are concerned about how secure their data is when they use cloud storage themselves. It takes little imagination to consider that businesses not reflecting those concerns will quickly find themselves losing customers’ good will.”

The ICO has severely punished a number of firms for not taking care of data when outsourcing operations. The Scottish Borders Council was handed a £250,000 fine after the ICO said it had failed to properly manage a company it had employed to digitise pension records. The council is considering an appeal, however.

The Brighton and Sussex University Hospitals NHS Trust is appealing a £325,000 penalty it was handed after an issue with an outsourcer. The Trust had employed an “experienced NHS IT service provider” – Sussex Health Informatics Service (HIS) – to dispose of a number of redundant hard drives, some of which were placed on eBay even though they had a significant amount of personal data on them.

Are you a security guru? Try our quiz!