The US Patriot Act is intended to assist terrorism prevention in the US and permits access to data by the US intelligence services in certain circumstances, including, but not limited to, in the interests of national security.
The US Patriot Act would allow the US intelligence services to obtain data belonging to an institution in the UK where the data is stored in the servers of a US cloud computing service provider. Prior to outsourcing services to the US, an institution should take into account the potential impact of the US Patriot Act as part of its risk assessment.
The Information Commissioner’s Office advises that UK organisations outsourcing to the US should make sure they have procedures and measures in place to deal with any requests for information that may be received under the US Patriot Act. Such measures may include a requirement for the cloud computing service provider to report requests from US authorities to the institution. Access the ICO outsourcing guidance for further information.
Want to keep up-to-date with our latest FAQs? Subscribe to the free JISC Legal newsletter and follow us on Twitter.