Privacy watchdog says companies forget their legal responsibility for the security of any data they outsource
Companies that use cloud storage services will be fined if they don't ensure the data is kept secure, the Information Commissioner's Office (ICO) has warned.
The UK's privacy watchdog said that contracting storage of data out to a third party, such as a cloud network provider, does not release a company from its obligations under the Data Protection Act (DPA).
However, the ICO is concerned that, as more businesses use third-party cloud computing services, they appear to wash their hands of ensuring the security of the sensitive personal information they entrust to the provider.
Dr Simon Rice, ICO technology policy advisor, said: "The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility."
The ICO has published new guidelines for businesses today to underline this message and help them comply with the law.
Tips in the guide tell companies to seek assurances on how data will be kept safe and to check how secure the cloud network is, including what systems the provider has in place to stop someone hacking in or disrupting access to the data.
The ICO also said that companies should consider the physical security put in place by the cloud provider and remember any obligations they may have if transferring data internationally.
It also pointed out that it is a legal requirement to have a written contract with the cloud network provider.
Dr Rice warned: "It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don't meet data protection laws."