
UK Information Commissioner issues cloud computing guidelines for business

04 October 2012
The UK's Information Commissioner's Office (ICO) has published guidelines for businesses on the data protection aspects of cloud computing services. In particular, the guidelines seek to highlight that businesses remain responsible for how personal data is looked after, even if they pass it to cloud network providers.

While cloud computing solutions have been around for a while, the ICO appears to be concerned that many businesses do not realise that they remain legally responsible for how their data is looked after, even after passing it to the cloud network provider. The importance of this point is highlighted by a recent case where the ICO used its powers to fine a Scottish council £250,000 for data protection breaches in relation to its engagement of a company to digitise its pension records.

The guidelines themselves explain the various cloud computing models, highlight all the key areas to consider, and include a checklist of points to consider. In particular, the ICO:

  • warns against 'take it or leave it' terms from cloud providers – a common feature of cloud computing offerings;
  • highlights the importance of assessing security, and the advantages (and risks) of using encryption technology;
  • flags the issues of access controls, and data retention and deletion by the cloud provider.

Overall, the guidelines provide a useful reference point for businesses using cloud computing services who fall within the ambit of UK data protection legislation.

Mark Taylor
