ICO says companies are responsible for customer data in the cloud

Onus of responsibility falls on companies, not cloud network providers

Companies that pass customers' personal data to cloud network providers remain responsible for how that data is treated, the Information Commissioner's Office (ICO) has confirmed.

Cloud computing is becoming an increasingly attractive option for companies, thanks to the economies of scale it offers and the access it provides to a range of computer technologies and expertise that would be difficult to afford in-house.

However, the ICO has raised concern that many businesses do not realise they remain responsible for how data is looked after, even after passing it to the cloud network provider.

"The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility," said ICO technology policy advisor Dr Simon Rice.

"Figures show that consumers are concerned about how secure their data is when they use cloud storage themselves. It takes little imagination to consider that businesses not reflecting those concerns will quickly find themselves losing customers' good will."

The ICO has produced a guide to cloud computing, to help businesses comply with the law.

The guide offers tips on how to make sure data will be kept safe, and reminders to check the physical security of the cloud provider and have a written contract in place.

It also suggests putting a policy in place to make clear what is expected of the cloud provider, and provides legal information about transferring data internationally.

Commenting on the news, Paul Ayers, VP EMEA of data security expert Vormetric, said the guidelines serve as a timely reminder of the full extent of organisations' data protection responsibilities and the dangers that can ensue if they are not managed appropriately.

"Some 'wishful thinking' enterprises believe that leveraging the cloud allows them to wash their hands of the need to secure their data. That is not the case. Companies still need to be able to establish where their data is held and define what data protection policies are in place," he said.

The news comes as the European Commission announces a new strategy to speed up and increase the use of cloud computing, with the aim of creating 2.5 million new jobs and boosting GDP by €160 billion (£127bn) by 2020.

The EC believes that establishing common standards and clear contracts for the delivery of cloud services will boost the chances for European cloud providers to grow to achieve a competitive scale.

Stories by Sophie Curtis
