Placing Data on “The Cloud”

17 December, 2012

Many organisations are either making use of, or are considering using, cloud computing. This is because cloud computing offers companies strong economic incentives, such as lower operating costs and greater reliability of service. However, organisations may be exposing themselves to more risks than they initially expect.

The Information Commissioner’s Office (ICO) has recently published guidelines to help organisations understand the issues surrounding cloud computing. The guidance emphasises that although businesses can outsource data through cloud computing, they retain responsibility for how that data is used. Accordingly, cloud customers should retain sufficient control over the data to fulfil their data protection obligations.


The ICO Guidance

The ICO make a number of suggestions to help organisations ensure they continue to safeguard their data even once it has passed to a cloud network provider.

The ICO suggest companies consider whether all types of data they hold should be placed in the cloud at all. This might depend on what assurances were given when the data was collected. If data is transferred to the cloud, organisations should keep a clear record of which categories of data they transfer.

A written contract should be put in place between an organisation and the cloud provider. This contract should contain obligations restricting the cloud provider from changing the way it processes data without the customer’s knowledge. It should also help to clarify the expectations the customer has of the cloud provider in terms of the way in which the service is to be delivered.

A security assessment of the cloud provider should be carried out. This involves an organisation actively asking questions about how the data will be kept secure and, for example, what processes are in place to prevent hacking and accidental loss. It has been suggested that cloud providers could appoint a third party to carry out an independent security audit of their service and provide a report to potential cloud customers.

Organisations should also be aware that some cloud providers, in an attempt to increase reliability, have a number of data centres located abroad. If data is being processed abroad then the customer must comply with a number of other data protection obligations, such as obliging the cloud provider to ensure the host country has an adequate level of protection in place when dealing with personal data.



The potential benefits to organisations of cloud computing are clear; what is less clear to many cloud customers is that they must be proactive to ensure they still meet their data protection obligations. Ultimately, cloud customers may be held liable for breaches whether they were aware of their obligations or not. The ICO guidance offers a clear and informative report on the issue and gives some practical guidance on how not to fall foul of the rules governing this area.

A copy of the ICO guidance is available here.



Reviewed in 2015