Privacy Advisor

UK—ICO releases practical cloud guidance

November 1, 2012

Davidson_BrianBy Brian Davidson

Following the recent Article 29 Working Party cloud computing opinion, it was the turn of the UK Information Commissioner's Office (ICO) to release “Guidance on the use of cloud computing” on 27 September.

The guidance provides a helpful introduction to the key cloud definitions and different deployment and service models before providing guidance on cloud customers' and service providers' data protection obligations.

According to the ICO, because of its responsibility for determining the purpose and manner in which any personal data may be processed, the cloud customer is most likely to be the data controller in a typical cloud scenario and therefore have the primary responsibility for ensuring data protection compliance. However, the ICO cautions that each case of cloud outsourcing will need to be assessed on its own merits and the controller/processor roles of each party determined accordingly.

The guidance sets out the steps that the ICO recommends potential cloud customers follow when procuring a cloud service, including carrying out a risk assessment for complex cloud processing operations, ongoing performance monitoring of the outsourced cloud operation and implementing written data processing contracts with the cloud service provider.

Brian Davidson is a privacy and information advisor in Field Fisher Waterhouse's Privacy & Information Law Group. He may be reached at brian.davidson@ffw.com.