The Information Commissioner’s Office (ICO) has published guidance aimed at businesses about their data protection responsibilities when using a cloud solution to host information. The guidance underlines the fact that businesses are responsible for the security of any data they hold, even when this is being stored by a cloud provider.
Many businesses are unaware of the legal position in relation to data protection when using a third party to store information and will have assumed that liability automatically passes to the storage provider. Businesses should instead satisfy themselves that the data will be kept safe and that safeguards are in place to prevent against unauthorised access.
Using a reputable provider with a strong track record will go a long way towards satisfying this criteria, although there have been a number of high profile shortcomings by high profile providers, including Amazon, where access to data has been disrupted. The most important safeguard that businesses can have in place is a written contract with clear terms and conditions which set out the scope of the service to be provided by the cloud provider.
The ICO fined Scottish Borders Council £250,000 after it hired a company to digitise pension records. It later transpired that the Council did not carry out security checks into the company and did not have a written contract in place.
The biggest risk faced by businesses seeking to move to the cloud is the security and accessibility of their data. If this is compromised then the benefits of moving to a cloud storage solution will be undone. The ICO guidance comes as a recent survey showed that businesses who utilised cloud storage were the least likely to suffer from data loss.