Don't use cloud for sensitive data, EU warns members
ENISA report warns that complex data regulations mean that cloud computing services are unsuitable for government use
The European Union has warned that data handling regulations could be holding up governments' adoption of cloud computing.
A report published by the EU's European Network and Information Security Agency (ENISA) this week warns that, at present, government agencies in the EU bloc should only deploy cloud services for applications that do not process sensitive data.
Data handling legislation in some EU states prevents certain data types from being taken outside their respective national borders. This would cause problems in the case of public clouds, ENISA says, as providers' data centres may be elsewhere, such as in the US.
The ENISA document highlights further hurdles to adoption: "Cloud computing presents some additional challenges," it continues. "For example, understanding the shift in the balance of responsibility and accountability for key functions such as governance and control over data and IT operations, ensuring compliance with laws and regulations, and, in some instances, the poor quality of Internet connectivity in some areas of the EU."
The report suggests that state governments explore "whether current legal frameworks can be changed to facilitate the communication, treatment and storage of data outside national territory".
ENISA says that so-called private clouds are currently the most viable option for public sector bodies "since they offer the highest level of governance, control and visibility". Private clouds deliver services and infrastructure in highly virtualised form from an organisation's own data centre. This approach is exemplified by the UK government's proposed G-Cloud project, although the future of that initiative is uncertain following the departure of government CIO John Suffolk last month.
The European Union is currently reviewing its Data Protection Directive, which forms the basis of data protection law in member states, including the UK's Data Protection Act. In November 2010, it published a document of proposed amendments, and these included reviewing the way data exchange between countries is governed.
This week, the UK's former information commissioner Richard Thomas welcomed the EU's decision to review the directive, but remarked that "there is still a long way to go to draft balanced laws which will work in practice when so much personal information can flow so easily around cyber-space with no regard to national boundaries".