Best practice for using cloud computing in Europe 2013 (Part 1)

by Ricky M. Magalhaes [Published on 19 Dec. 2012 / Last Updated on 19 Dec. 2012]

This article (part one) will focus on the first four principles of good information handling.

If you would like to read the next part in this article series, please go to Best practice for using cloud computing in Europe 2013 (Part 2).

Introduction

Organisations are now using the cloud for processing and storage; petabytes of data are being indiscriminately stored in the cloud without the appropriate protection.

This article (part one) will focus on the first four principles of good information handling. These principles cover the obligations on organisations for processing and storing data. This is a two-part article.

The eight data protection principles summarise the requirements that must be met for data handling to conform to the Data Protection Act. Although these principles are not specific to the cloud, any organisation using, processing or storing personal information in the cloud is required by European law to abide by them as well.

Information security in the cloud is an issue of public concern as well as technical compliance. If personal data in the cloud is not appropriately safeguarded, the organisation's reputation and success are at risk and the safety of numerous individuals could be compromised.

Cloud computing involves three main groups: the cloud service provider, the cloud customer (the organisation opting to use the cloud service) and the cloud user (the end user of the service). It is important that both the cloud service provider and the cloud customer have a good knowledge of the eight principles of good data handling and conform to them.

The eight data protection principles for good data handling are:

  1. Processing personal data fairly and lawfully
  2. Processing personal data for specified purposes
  3. Information standards
  4. The rights of individuals
  5. Information security
  6. Sending personal data outside the European Economic Area
  7. The conditions for processing
  8. Exemptions

1. Processing personal data fairly and lawfully

The first of the principles relates to the processing of personal data. The law remains unchanged for processing in or out of the cloud. It’s the organisation's responsibility to ensure the law is upheld.

The law states that personal data shall be processed fairly and lawfully. It includes collecting, using, disclosing, retaining and disposing of data. Most of these operations occur in the cloud. The type of data being referred to is any data relating to an individual who can be identified from the data and/or other information which is in the possession of the data controller. This remains the same even when the data is in the cloud.

To ensure fairness when processing data, organisations need to be transparent. They should be open and honest with regard to how the data will be handled and ensure the data is used only in ways that will have no negative effect on the individual.

Organisations can ensure they are conforming to the first principle of good data handling by achieving the following:

  • Be transparent regarding how the data will be used
  • Handle the data in the way the individual would expect you to
  • Don’t use the data unlawfully
  • Have valid grounds for processing the data

In cloud computing, steps need to be taken to ensure this first principle is maintained. The structure of the cloud makes this quite challenging. Due to the layered service model of the cloud, with more than one cloud provider offering various services, the likelihood of having more than one individual responsible for the processing of the data is increased; there would be a number of data controllers and processors working collaboratively on behalf of an organisation.

2. Processing personal data for specified purposes

The next principle is based on the law which states that personal data shall be obtained for a specific purpose and shall not be processed further by any means dissimilar from the purpose specified. If your organisation is already complying with the other 8 principles the likelihood is that this principle will be covered as well.

Organisations can ensure they are conforming to this principle through:

  • Being transparent regarding the reasons for collecting the data and how the data will be used.
  • Ensuring that, if you wish to use or process the data in a manner different from that specified, the new use or disclosure is fair and lawful.

A closer look at processing information in the cloud

The first step to good data handling in the cloud is to identify the organisation's data controller. In cloud computing the data controller would be the cloud customer (organisation), who will determine the purposes for which and how the data is going to be processed. Thus the ultimate responsibility for the data will lie with the cloud customer, the organisation.

It is important that the role of the data controller remains clear; in some instances when using cloud computing there could be more than one data controller. It’s essential that the organisation is clear about the role of the cloud provider: whether the cloud provider is acting as a data processor on behalf of the organisation or is a data controller in its own right.

The cloud customer will remain responsible for the data they process in the cloud, even when they opt to use the services of a cloud provider to process their personal data in the cloud.

The data controller will differ from one cloud model to the next. Imagine the following cloud scenarios:

  • Private cloud: If the organisation is using a private cloud there can only be one data controller, which is easily identified. The cloud customer (the organisation) would take on this role as they have control over how the data is processed in the cloud.
  • Community cloud: The likelihood of more than one data controller accessing the cloud service is high. A community cloud model would involve the cloud provider as the data processor and more than one cloud customer/organisation sharing data through the cloud. In this circumstance the roles and shared responsibilities of data controller need to be clear.
  • Public cloud: In a public cloud the role of the data controller/organisation becomes more complicated as the organisation will have very little control over the operations of a substantial cloud provider. The organisation is still responsible for the data it chooses to process in this way and remains the data controller.

The responsibilities of the organisation (Data Controller) when using cloud computing

The data controller/organisation is responsible for the collection, storage and the retention of the personal data. They are responsible for the security of this data.

Steps that should be taken by the organisation to assist in achieving the principles of good data handling:

  • Assess the data and make an informed selection of the data that you choose to move to the cloud.
    Not all data needs to be in the cloud. Data should be assessed and categorised according to type as well as the data protection risk linked to the specific data. A clear record should be kept of the data categories in the cloud as well as the data not in the cloud.
  • Ensure that the cloud users (individuals to whom the data relates) are given sufficient information regarding their data being processed. Keep them up to date with any processing changes. Be honest and transparent.
  • Have a good understanding of what you as an organisation require from a cloud provider when choosing one. Cloud providers all differ in the services they offer; it’s best to choose one that caters to your specific needs.
  • Depending on the type of cloud the organisation chooses to use, the organisation would benefit in some instances from undertaking a privacy assessment. If the organisation is choosing to use a public cloud, for example, it would be necessary to assess any privacy issues that may be present. This should be done prior to moving to the cloud.
  • Monitoring and managing.
    It’s important to continually monitor, review and assess the performance of the cloud service provider you have chosen. It is the responsibility of the organisation to ensure that the service is running as expected.
  • Written contract
    It’s a requirement for a contract to be in place between the organisation and the cloud provider stipulating that the cloud provider/data processor will only act on instruction from the data controller/organisation regarding the processing of the data. The terms of data processing should be clearly laid out in the contract. The organisation should ensure that all the areas that they are obligated by law to address are covered in the contract, i.e. the eight principles of good information handling.

3. Information standards

The information standards relate to the information that you process.

The standards that personal data must meet are:

  • The data must be accurate
  • The data must be kept up to date
  • The data must be relevant and necessary
  • The data must be kept no longer than necessary

Steps an organisation can take to assist in meeting the criteria above:

  • Set up a system or policy to regularly review the data that you process, use or store and delete the data you no longer require
  • Review data at regular intervals to keep it accurate and up to date
  • Store data appropriately; data that is not often accessed but is still required should be securely archived
  • Set up data retention policies and ensure they are monitored and put into practice
  • Categorise the data and establish retention periods based on the categories thus maintaining control over data retention
  • Undertake regular audits to ensure the data retention policy is being maintained

An organisation needs to ensure that all these criteria are met and maintained before using or processing the data. By making sure the organisation is meeting these criteria, the scope for mistakes in securing the data can be minimised. If data is accurate and up to date, you are unlikely to use the data incorrectly and cause harm. If the information is removed when no longer required, it is easier to maintain accuracy of data. Organisations must remember that even when the data they store is no longer required, they remain responsible for keeping it secure, even in the cloud.

Data Retention and deletion in the cloud

The reliability of cloud computing is often enabled through the storage of multiple copies of the data in many locations. This complicates things when it comes to deleting data once the retention period has expired. Cloud providers must ensure that they have the means to destroy all the copies of the personal data when necessary.

4. The rights of individuals

Any organisation, when using or processing personal data, needs to do so in accordance with the following rights laid out in the Data Protection Act:

  • Individuals are entitled to a copy of the information being used, processed or stored.
  • The right to decline processing that could cause the individual damage.
  • The right to claim for damages caused by a breach of the act.
  • The right to ensure information being processed or stored is accurate.
  • The right to request information is removed or destroyed.
  • The right to prevent processing for marketing purposes.

When an organisation chooses to move to cloud computing they need to be certain that the change or move will not have a negative effect on the rights of the data subjects (individuals). The rights of individuals remain unchanged even when data is being processed in the cloud.

Conclusion

Many organisations have chosen to move to cloud computing for various reasons. The cloud offers organisations an array of services at a lower cost than if it were to be achieved in-house. However, by processing and storing information in the cloud, organisations may encounter risks regarding data protection that they were previously unaware of.

This article covered the first four principles of data management in the cloud. Look out for the next article in the series, which will cover the remaining four focus areas that your organisation should be considering and strongly evaluating.

 


The Author — Ricky M. Magalhaes


Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Ricky has over 16 years of experience in the security arena covering all ten domains including best practice and compliance. Ricky is a strategist on security and innovating creative ways to achieve compliance and mitigate risk, to many blue chip entities and forms part of the advisory boards to many organisations worldwide.
