UK Information Commissioner issues cloud computing guidelines for business
While cloud computing solutions have been around for a while, the ICO appears to be concerned that many businesses do not realise that they remain legally responsible for how their data is looked after, even after passing it to the cloud network provider. The importance of doing so is highlighted by a recent case where the ICO used its powers to fine a Scottish council £250,000 for data protection breaches in relation to its engagement of a company to digitise its pension records.
The guidelines themselves explain the various cloud computing models, highlight all the key areas to consider, and include a checklist of points to consider. In particular, the ICO:
- warns against 'take it or leave it' terms from cloud providers – a common feature of cloud computing offerings;
- highlights the importance of assessing security, and the advantages (and risks) of using encryption technology;
- flags the issues of access controls, and data retention and deletion by the cloud provider.
Overall, the guidelines provide a useful reference point for businesses using cloud computing services who fall within the ambit of UK data protection legislation.