ICO to Businesses: You Are Responsible for Data Even If It’s Passed to the Cloud

The ICO has released a guide for companies that want to use cloud services

September 27th, 2012 20:41 GMT

A large number of businesses have started migrating their systems to the cloud to benefit from greater computing power and the other advantages it offers. However, the UK Information Commissioner’s Office (ICO) warns firms that they’re still responsible for safekeeping their customers’ details, even if the data is passed to the cloud.

In order to aid organizations in complying with current legislation, the ICO has released a guide which teaches companies how to safely store information in the cloud.

According to the guide, businesses should first seek assurance from the cloud provider that the data stored on its systems will remain secure. The provider needs to have security mechanisms designed to stop hackers and other threats.

However, cyber security isn’t the only aspect. Cloud customers must also ensure that the datacenters where the information is stored have proper physical security measures.

The ICO also recommends signing a contract that prevents the cloud provider from changing the terms of service without the customer’s consent.

Finally, businesses must consider the implications of international data transfers, since many cloud storage facilities are located in other countries.

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility,” explained Dr. Simon Rice, ICO technology policy advisor and author of the guide.

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.”
