Data Protection Commissioner Looks To The Clouds

Author:Mr John O'Connor, Yvonne Cunnane and Andreas Carney
Profession:Matheson Ormsby Prentice

The Irish Data Protection Commissioner recently issued guidance in relation to data protection issues to be considered when contracting for cloud computing services. The primary focus of the Commissioner is on the security of data processed in the cloud. The Commissioner references the recently published opinion of the Article 29 Working Party in relation to cloud computing (Opinion 05/2012) which also provides useful guidance on this topic. Cloud Security Ultimately responsibility for security of personal data rests with the data controller under Irish data protection legislation. The data controller is obliged to ensure that it meets the security requirements set out in the legislation in the event that responsibility for data processing is outsourced to any service provider, including a cloud provider. The guidance from the Commissioner states that security standards of a "very high level" must be in place where personal data is being processed by a cloud provider. As the legislation is drafted in a technology neutral manner, there is no specificity provided in the legislation, or in the Commissioner's guidance, in relation to the type of security measures required to meet this high standard. In line with the recommendation of the Article 29 Working Party opinion, the guidance recommends that when engaging a cloud service provider assurances must be obtained in relation to issues such maintaining the integrity of the data (including back-up and disaster recovery mechanisms), prevention of unauthorised access to data, adequate oversight of any sub-processors used, procedures in the event of a data breach and the right of the data controller to remove, erase or transfer data. The Commissioner and the Article 29 Working Party both recognise that auditing a cloud provider may not always be the most practical option for a data controller. The Commissioner advises that where there is a multi-tenanted cloud structure, a third-party certification to approved international standards may be more appropriate than a direct right to audit. The Article 29 Working Party also advises that, in certain circumstances, individual audits of cloud providers may be impractical and independent verification or certification by a reputable third party can be a credible means for cloud providers to demonstrate compliance with their obligations. Cloud Location Transfers of personal data are permitted within the EEA on the basis that personal data...

To continue reading