ICO issues data protection guide for cloud users

Cloud storage bookcase

The Information Commissioner's Office (ICO) has reminded business leaders of their responsibilities when it comes to safeguarding personal data in the cloud.

The data protection watchdog claims many end users do not realise that the onus is on them to ensure the data they store in the cloud is handled responsibly.

To this end, the ICO has issued guidance, setting out the precautions businesses should take with their data before handing it over to a cloud provider.

Demanding a written contract from Google or Microsoft is unlikely to prove fruitful.

For example, the guidance advises readers to seek assurances from prospective cloud providers about the digital and physical security methods they use to lockdown users data.

It also advises them to have a written contract in place with their chosen provider, which will prevent them from changing the terms of their partnership without prior agreement.

Speaking to IT Pro, Dr Simon Rice, the ICO's technology advisor, said the guidance was produced to help ease some of the concerns data controllers have about embracing cloud.

"Over the last six months or so...we've been receiving enquiries from data controllers in the SMB, enterprise and public sector about cloud," said Rice.

"This was our chance to document all the issues that a data controller need to think about before they can move to the cloud," he added.

The ICO regularly fields questions from concerned end users about whether or not they should entrust their data to overseas cloud providers, revealed Rice, which the guidance hopes to address.

"We get a lot of the same questions coming along about security and international transfers," he said. "But we also get more general enquiries from people wanting to know, if we use this system from a cloud provider, what kind of things do I need to take into account?"

Ian Moyse, sales director at cloud-based CRM provider Workbooks.com, welcomed the ICO's attempts to educate users, claiming it should encourage more of them to adopt cloud.

However, the ICO's recommendation that users should obtain a written contract from their chosen cloud provider could prove difficult for many end users to follow through.

"You rarely have this with a software license provider and cloud is seeing rapid and wide customer engagement, which could make this administratively prohibitive," he told IT Pro.

"Demanding a written contract from Google or Microsoft is unlikely to prove fruitful."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.