Safe cloud computing concept- Fotolia

ICO Warns Businesses Over Data Protection In The Cloud

Businesses are responsible for the security of their data, even when it is held on cloud providers’ infrastructure, says ICO

On by Thomas Brewster 2

The Information Commissioner’s Office (ICO) has issued guidance on cloud computing, warning that businesses need to remember that under British law they are responsible for whatever happens to their data.

The guidance includes advice on seeking assurances on data security in the cloud and assessing the physical security of cloud vendors’ data centres. It also recommends ensuring companies secure proper service level agreements (SLAs) from providers.

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility,” said Dr Simon Rice, ICO technology policy advisor.

Don’t be naïve

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.

“Figures show that consumers are concerned about how secure their data is when they use cloud storage themselves. It takes little imagination to consider that businesses not reflecting those concerns will quickly find themselves losing customers’ good will.”

The ICO has severely punished a number of firms for not taking care of data when outsourcing operations. The Scottish Borders Council was handed a £250,000 fine after the ICO said it had failed to properly manage a company it had employed to digitise pension records. The council is considering an appeal, however.

The Brighton and Sussex University Hospitals NHS Trust is appealing a £325,000 penalty it was handed after an issue with an outsourcer. The Trust had employed an “experienced NHS IT service provider” – Sussex Health Informatics Service (HIS) – to dispose of a number of redundant hard drives, some of which were placed on eBay even though they had a significant amount of personal data on them.

Are you a security guru? Try our quiz!

Thomas Brewster
Author: Thomas Brewster
Security Correspondent, TechWeekEurope
Thomas Brewster Thomas Brewster Thomas Brewster
Techweekeurope for mobile devices
Android-App Google Currents App for iOS

Last comment

2 replies to ICO Warns Businesses Over Data Protection In The Cloud

  • On October 3, 2012 at 11:16 pm by Ronald Duncan

    One advantage of using a proper cloud provider is that the clustered storage systems do not have any readable information on an individual disk because of the way the data is stripped across machines and disks.

    Which means that even if their accredited secure disposal fails to wipe disks properly. It will not be possible to recover the data with out the rest of the disk set which will be spread over multiple machines and arrays.

    PS This has happened a number of years ago on a much larger scale and the provider had to buy and trace all the disks through ebay to recover them.

    PSS Teh proverd in question now has a destruction process.

    • On October 3, 2012 at 11:16 pm by Ronald Duncan

      Last line was off the screen sorry about the typos.

Leave a Reply

  • Required fields are marked *,
    Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>