ICO: Cloud customers have responsibility for DP compliance in most cases

The ICO has published new guidance on cloud computing, which confirms that organisations remain, in most cases, responsible for how their personal data is handled, even if they pass it to cloud service providers.

The ICO stresses the importance of written contracts, stating that cloud customers should remember that a foreign law enforcement agency may gain access to personal data stored in the cloud. The ICO, however, reassures UK organisations: ‘If a cloud provider is required to comply with a request for information from a foreign law enforcement agency, and did comply, the ICO would be likely to take the view that, provided the cloud customer had taken appropriate steps to ensure that the use of the cloud services would ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud, regulatory action against the cloud customer (in respect of the disclosure of personal data to the foreign law enforcement agency) would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure.’

The ICO says that the most secure way to use a cloud storage service is to encrypt files before they are uploaded. Whilst this works well for a pure storage or archive service, the files cannot then be shared with anyone without also sharing the encryption key, and distributing and controlling that key can be difficult to manage.
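As an added illustration (not part of the ICO's guidance or of this article), the Go program below shows one common way to make the key-sharing problem tractable: envelope encryption. The file is encrypted once under a random data key before upload; that data key is then wrapped separately for each recipient under a key-encryption key (KEK) that only that recipient holds. The cloud provider stores ciphertext and wrapped keys but never a usable key, and granting a colleague access means rewrapping one 32-byte key rather than re-uploading the file or handing over your own key. The names (Envelope, Encrypt, Decrypt, Share, alice, bob), the sample text and the fixed demo KEKs are assumptions made for this example; only Go's standard-library AES-256-GCM is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the provider ever holds: the file under a random data key, plus that key wrapped per recipient KEK.
type Envelope struct {
	Body        []byte            // nonce || AES-256-GCM(dataKey, file)
	WrappedKeys map[string][]byte // recipient ID -> nonce || AES-256-GCM(KEK, dataKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag check rejects a wrong key, tampering or a mismatched aad.
func open(key, data, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, fmt.Errorf("missing or truncated ciphertext")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], aad)
}

// wrapFor stores dataKey wrapped under one recipient's KEK; their ID is bound as AAD so the blob cannot be moved to another slot.
func wrapFor(env *Envelope, dataKey []byte, id string, kek []byte) error {
	w, err := seal(kek, dataKey, []byte(id))
	if err != nil {
		return err
	}
	env.WrappedKeys[id] = w
	return nil
}

// Encrypt encrypts the file once under a fresh data key and wraps that key for its owner.
func Encrypt(plaintext []byte, ownerID string, ownerKEK []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	body, err := seal(dataKey, plaintext, []byte("body"))
	if err != nil {
		return nil, err
	}
	env := &Envelope{Body: body, WrappedKeys: map[string][]byte{}}
	return env, wrapFor(env, dataKey, ownerID, ownerKEK)
}

// Decrypt is what a recipient runs after downloading; an unknown ID yields a nil blob, which open rejects.
func Decrypt(env *Envelope, id string, kek []byte) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedKeys[id], []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Body, []byte("body"))
}

// Share grants a newcomer access without re-uploading the file or disclosing the sharer's KEK.
func Share(env *Envelope, fromID string, fromKEK []byte, toID string, toKEK []byte) error {
	dataKey, err := open(fromKEK, env.WrappedKeys[fromID], []byte(fromID))
	if err != nil {
		return err
	}
	return wrapFor(env, dataKey, toID, toKEK)
}

func main() {
	// Constructed, fixed demo KEKs; real ones are random and held in each user's own key store.
	alice, bob := bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32)
	env, err := Encrypt([]byte("staff salary review"), "alice", alice)
	fmt.Println("encrypt:", err, "share with bob:", Share(env, "alice", alice, "bob", bob))
	pt, err := Decrypt(env, "bob", bob)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
}
```

Revocation is where the scheme shows its limit: deleting a recipient's entry from WrappedKeys stops them reading future downloads, but anyone who has already unwrapped the data key may have kept it, so firm revocation means re-encrypting under a fresh data key and re-wrapping for the remaining recipients. How each user's KEK is generated, stored and backed up is the real management burden the ICO alludes to, and it sits with the cloud customer, not the provider.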

See the ICO’s guidance, published in September.