Certification is no replacement for due diligence, say experts


Experts have warned organisations looking to move to the cloud not to rely solely on information published by service providers to ensure they remain within UK data protection laws. This follows advice from the Information Commissioner’s Office (ICO), published on Out-Law.com, that cloud users cannot rely on external certification.

Richard Pharro, CEO of accreditation body APM Group, told Cloud Pro: “The ICO is right to advise caution on behalf of end users when transitioning to the cloud. Although certification schemes are of key importance to the market today, they are no panacea. Cloud users will still need to exercise caution and do their due diligence – in heavily regulated industries this may involve seeking legal advice to ensure that they are compliant.”

Frank Jennings, partner at DMH Stallard, said: “The Act places the primary duty of compliance and protection of personal data on the ‘data controller’ – that is, the business looking to use the cloud service to process and store this data.

Schemes which promote the protection of personal data -- including those through [the Cloud Security Alliance]'s STAR initiative or compliance with Cloud Industry Forum's Code of Practice -- are beneficial to the industry. However, this doesn't switch responsibility onto the service provider,” he said.

While broadly agreeing with the points made by Pharro and Jennings, Conor Ward, partner at Hogan Lovells and chair of the Cloud Industry Legal Forum, was keen to emphasise that industry-level certifications are still useful: “It should also be pointed out that the area of standards and certification is in the course of developing and developing rapidly. The Commission has recognised the value of certification schemes in the draft Data Protection Regulation published in January this year.

“Under the current proposals, the Commission would be granted the power to specify the criteria and requirements for the data protection certification mechanisms, but it is likely that organisations such as CIF and other reputable certification bodies will be instrumental in defining the criteria and requirements based on work they have done (and will continue to do) to define best practice.”

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.