
Ten Questions to Ask Your Cloud Provider


The use of cloud computing is on an exponential rise, as it offers users almost unlimited storage of data, reduces the need for organisations to have physical servers and allows easy access to information from anywhere in the world. As such, many UK based organisations are now turning to cloud computing to satisfy their data storage needs.
But there is one issue which seeks to bring grey clouds over an otherwise silver lining and that is data security. By using the cloud instead of a physical storage device, organisations are obliged to hand over data to a third party cloud provider, some or all of which might be personal data within the meaning of the Data Protection Act. An organisation must therefore be sure, before it enters into a contract with a cloud provider, that its information will be kept securely and the provider’s handling of data will be compliant with the Act and any other applicable laws.
Before you embark upon acquiring a business which uses cloud computing or are thinking of purchasing software which is cloud based, below are ten questions your organisation should ask the provider:
1. Where will the servers be based on which our data would be stored?
2. Is there any possibility of it being transferred outside the EU (assuming the servers are EU-based)?
3. Do you use any subcontractors for the storing of our data and if so, who are they and where are they based; if any are based in the US, are they a member of the US Safe Harbor Scheme?
4. Are you ISO 27001 and/or 9001 and/or 27017/8 certified and/or certified by any other data security organisation? Please supply a copy of any relevant certificates.
5. What other information can you send me to allay any concerns about the security of your systems?
6. Have you ever had a security breach and was any client data lost or accessed?
7. What other organisations do you supply your hosted system to? Can we see a list, and can you supply up to three names of any that we can contact for a reference?
8. Would your organisation be prepared to enter into a data processing agreement?
9. Can you please send me your terms of business and any other terms which we would have to sign up to in order to receive the hosted service?
10. What is the position and process regarding the return of our organisation’s data, in the event that the agreement was terminated, came to an end or your organisation ceased to trade?
Brian Miller is a solicitor and partner and Lauren Mitchum a trainee solicitor at Stone King LLP, providing specialist advice in the fields of intellectual property, IT, data protection and commercial law.
If you would like further information about the Regulations or if you have any concerns or queries in relation to them, please contact Brian.

Disclaimer: This article may not be reproduced without the prior written permission of the author. This article reflects the current law and practice. It is general in nature, and does not purport in any way to be comprehensive or a substitute for specialist legal advice in individual circumstances.
