Many businesses do not realise that they are still legally responsible for personal data hosted on cloud computing services, according to the Information Commissioner’s Office.
The data protection watchdog “is concerned that many businesses do not realise they remain responsible for how the data is looked after, even after passing it to the cloud network provider,” the ICO said.
“As a business, you are responsible for keeping your data safe,” said the ICO’s technology policy advisor Simon Rice. “You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.
“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws,” Rice said.
The ICO made the remarks as it launched a new guide for businesses using cloud services to store customer or employee personal data.
Tips include seeking assurances on how data will be kept safe in the cloud; thinking about the physical security of cloud providers; and having a written contract in place with cloud providers, so that they cannot change the terms of service without consent.
In addition, businesses should put a policy in place to make clear the expectations they have of their cloud provider, the ICO said. It also reminded them that transferring data internationally brings a number of obligations, and that this includes using cloud storage based abroad.
The ICO recently fined Scottish Borders Council £250,000 after it failed to properly manage a company that it had employed to digitise pension records.
An online YouGov survey, commissioned by the ICO, found that 46% of UK adults online who use cloud storage are concerned about the security of their information in cloud storage.