Many organisations that have previously managed their own computer infrastructure have moved or are considering a move to cloud computing (ie access to a range of technologies and service models usually delivered over the internet) to take advantage of a range of benefits that may be achieved such as increased security, reliability and resilience for a potentially lower cost.
With this development in mind, the UK’s Information Commissioner issued, in December 2012, its “Guidance on the use of cloud computing”. This guidance provides a timely reminder of the obligations of cloud customers when entering into such arrangements. It is important not only in terms of compliance with the Isle of Man’s Data Protection Act 2002 (DPA) but particularly for Manx entities which also carry on business in UK, given the willingness of the UK Information Commissioner to impose substantial fines to “name and shame” organisations which fail to comply with their data protection obligations and the General Data Protection Regulation which the EU is planning to introduce next year.
In most cases, it will be the cloud customer who will most likely be the data controller and therefore will have overall responsibility for complying with the DPA, and the cloud provider will be a data processor. Accordingly, in case of a breach by the cloud provider involving personal data controlled by the cloud customer, it will be the cloud customer who will be primarily liable and who, therefore, should consider at least the following compliance requirements in addition to its normal responsibilities relating to collection, storage and retention of personal data.
Selecting which data to move to the cloud
The cloud customer should:
● Check if there is any data that should not be put into the cloud eg because specific assurances were given when the personal data was collected.
● Keep a clear record about the categories of data it intends to move to the cloud eg for certain types of customer or data relating to certain types of transaction.
Read the full article here: Cloud computing and data protection