User Guide: Cloud Computing and the Law for IT (31/08/2011)

Please Note:  This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.

Licensing Information: This work, with the exception of logos, and any other content marked with a separate copyright notice, is licensed under a Creative Commons Attribution 3.0 Unported Licence.  Attribution should be “© JISC Legal - www.jisclegal.ac.uk - used under Creative Commons Attribution 3.0 Unported Licence” (with clickable URLs where possible).  The use of logos in the work is licensed for use only on non-derivative copies.  Further information is in the Copyright Policy section of the JISC Legal website.

 

What’s in this Guide?
This is a practical guide to understanding the legal considerations which arise in relation to the decision to adopt a cloud computing service, and in the implementation of such a service.  It is designed to assist you in being confident of your institution’s legal position in relation to cloud computing, and in being able to identify potential issues and answer questions and concerns with regard to it.  This guide is part of the JISC Legal Cloud Computing toolkit.  Information on how to access the full toolkit is at the end.

Access further information on JISC’s work on cloud computing.

 Key Points
· Cloud computing introduces changes that necessitate a re-assessment of legal risks.
· The cloud provider contract on offer must be examined in detail and favourable and constructive terms negotiated with the provider to ensure that they are appropriate to the work that your institution carries out.
· Legal responsibility for technology use and for data, particularly personal data, remains with the institution despite using remote services such as cloud computing.

 


 
 
Although cloud-based services can help reduce software and other computing costs for FE and HE institutions, the notion of cloud computing instantly raises concerns about security and reliability.
 
The full legal implications too are unknown and this paper will focus on the legal risks relevant to IT directors as they consider cloud computing.
 
Senior IT staff will want to know how the changes will affect:
 
· how information is retrieved
· how ownership of newly created information is determined
· how their obligation to police acceptable use is affected
· how unlawful behaviour is tackled
· how compliance with their law enforcement obligations is achieved 
· how control over security is managed
 
Whether data is ‘at rest’ within a cloud service or ‘in transmission’ to, from or within the cloud service, it is necessary to clarify: 
 
· who is legally responsible for compliance with the data protection obligations 
· who can access the information
· how security is dealt with
 
Risk with technology usage is not new, but because cloud technology changes how data is managed and processed, particular risks need to be clarified and re-assessed.  These include questions with regard to information ownership, responsibility for data protection compliance, what law applies when a dispute arises, as well as issues such as access and scrutiny in terms of law enforcement.
 
2.1 Software as a Service (SaaS)
Software as a Service (SaaS) provides complete applications hosted by a cloud provider and delivered over the internet.  Entire administrative, operational and research capabilities can be provided online.  Resources are shared but data and access capabilities are segregated within the application offering economies of scale.  For IT directors considering outsourcing software as a service from a legal point of view, ensuring that security is robust is probably the starting point.  Awareness raising for individual users is also a consideration as it is necessary to inform users by whom their data is being processed and for what purposes. 
 
2.2 Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) is the delivery of computer hardware (servers, networking technology, storage and data centre space) as a service.  The service is typically paid for on a usage basis.  All cloud infrastructures depend on virtualisation.  This includes the aggregation and partitioning of computing resources across multiple data centres, enabling cloud providers to manage their capacities more efficiently.  This inevitably means that servers and software are processing data for many different data controllers simultaneously.  When IT directors are considering using such services, an assessment of the risks should include how resilient the service is, for example, in terms of availability and response to demand, and an examination of the cloud provider’s security measures.
 
2.3 Platform as a Service (PaaS)
With Platform as a Service (PaaS) the cloud provider delivers more than infrastructure.  It delivers capabilities to manage all software development stages from planning and design to building and deployment to testing and maintenance.  Once again, concerns with regard to access and data security are inherent in the relationship and therefore need to be addressed in the service contract at the outset. 
 
The mere fact of placing data in the cloud should not alter its ownership status.  However, the nature of the cloud means that information is constantly being added and removed or modified, and new information is being generated.  For institutions, it is important to clarify and agree with cloud providers where ownership of this new data lies.
 
3.1 New Types of Information 
One main reason for using cloud computing is to enable the institution to use the cloud technology to process information and thus generate outputs.  In doing so the institution may also generate know how or trade secrets, which are not set out in any particular information output but reside in the data structures or processes which the institution establishes through its use of the cloud.  
 
The cloud provider too will be generating information of various different types.  Cloud providers will collect information about the operation of their systems and service for management purposes.  Much of this information will amount to know how or trade secrets belonging to the service provider. 
 
What jurisdiction new information is created in will have a bearing on how ownership of it is determined.  If an institution is conducting research on virtual computers it is advisable that the issue of ownership is clarified and detailed in the service contract before the work takes place.  Thus, in addition to discrete information outputs, it is necessary for the institution in the service contract to address and agree ownership of information which can be derived or deduced from how the cloud data is used.
 
Source - Information 'Ownership' in the Cloud - Queen Mary School of Law Legal Studies Research Paper No. 45/2010 
 
The privacy of individuals is often cited as a concern with cloud computing.  The Data Protection Act 1998 (DPA), while not a privacy law, does govern how the personal data of individuals is processed.  Institutions as data controllers are required to ensure that all processing of personal data that they are responsible for is fair and lawful.  Effectively, from an IT director’s perspective this means that an institution must have the appropriate technical and organisational measures in place to ensure that there is no unauthorised or unlawful processing of personal data, as well as ensuring that personal data is not lost, damaged or destroyed. 
 
Until now, control over where data was and who had access to it could be centrally managed.  The security hierarchy was certain and provided safeguards that essentially fulfilled the institution’s obligations to keep personal data secure and private.  In an environment where data is stored off campus and transactions take place somewhere remotely beyond the IT director’s physical reach, it needs to be established how oversight can be achieved. 
 
One issue to be examined, for example, is the matter of retention schedules.  The institution is likely to have in place practices and procedures for records handling to enable disposal and retention as required by various legal obligations.  How these retention schedules are complied with when the data is hosted remotely needs to be clarified.  
 
4.1 Transfer of Data to a Country outside the EEA
Cloud providers are likely to store and move data around multiple servers sited in a number of jurisdictions which may very likely be outside the EEA.  This may breach the DPA unless there are adequate security measures in place for personal data.  Compliance may be achieved through using EU approved contract terms with a provider.  Alternatively, using a provider in the US who has signed up to the Safe Harbour provisions will be necessary.  Further details of the “Safe Harbor” scheme are available on the Information Commissioner’s Office website.
 
The Freedom of Information (FOI) legislation gives individuals a right of access to information held by 'public authorities' including information held by FE and HE institutions.  The legislation covers all records and information held by an institution whether digital or print, current or archived.  For IT directors considering introducing cloud services, it is important therefore to address this issue with any cloud provider and ensure that specific data can be retrieved within twenty working days.
 
Even though the information is stored in the cloud, an institution will still be deemed to be holding it for the purposes of FOI.  This converts into a legal requirement to ensure that access is possible and that incidents such as outages and failures at the cloud provider’s end do not prevent the institution fulfilling its legal obligations to respond with information requested.
 
In practice, an institution must have appropriate security to prevent the personal data that is held being accidentally or deliberately compromised.  Information security usually means security in terms of confidentiality, integrity and availability, although clearly accountability is also a core security requirement.  
 
IT directors will already be very familiar with the requirements to: 
 
· design and organise security to fit the nature of the personal data that is held and the harm that may result from a security breach
· be clear about who in the institution is responsible for ensuring information security
· make sure that the institution has the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
· be ready to respond to any breach of security swiftly and effectively
 
Identifying vulnerabilities and threats to the information processes is especially important when delegating responsibility for critical data to an external service provider.  Deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information, is part of the appraisal process that should take place in advance of any sign up to a cloud service. 

6.1 Can Security be Delegated to the Cloud Provider?
The legal obligations fall on the institution to make sure that any cloud provider that is processing its personal data has the appropriate security practices and procedures in place.  For IT directors considering outsourcing data processing or data hosting to the cloud where personal data is involved, this translates into a legal requirement to take reasonable steps to ensure that the cloud provider is complying with the guarantees it makes.  Such diligence could include inspections of the security of the provider’s facilities for the processing of personal data and audits of the provider’s processing activities to ensure compliance. 
 
6.2 Confidentiality
There are many occasions when information is required to be kept confidential by administrative staff or researchers at an institution.  This will include personal health data, some employment related data or data that is sensitive commercially.  Before entering into a cloud service agreement the IT director should test the proposed systems to ensure that confidential data can be processed without being compromised.
 
6.3 Some Questions to Clarify with the Cloud Provider: 
 
1. What security architecture and policy does the provider operate?
2. Does the cloud provider use third parties to evaluate its own security risks?
3. What identity and access management architecture is in place?
4. How will the provider accommodate the obligations that the institution has with regard to data protection and data retention schedules?
5. Are there clear penalties for data loss or breach of security and privacy? 
6. Can the provider give assurances that information can be taken down without delay from websites or other accessible locations on the instruction of the IT director?
7. Can the provider’s facilities be inspected by the institution’s IT director?
8. Is data portability part of the service that is provided?
9. Where encryption of data is required, is the provider able to facilitate this requirement?
 
The law requires certainty and, although cloud providers usually present comprehensive contract terms of service, many terms and conditions include wide-ranging disclaimers of liability.  Also, they may not provide a warranty that the service will operate as described, or indeed at all.  It is likely that as the cloud market expands and matures, terms of service will evolve to more closely represent what institutions require and how the law operates in the UK.  In the meantime, the following points may be useful to bear in mind when examining cloud computing terms and conditions:
 
· Many cloud services are offered under the laws of US states and subject to terms that purport to restrict legal disputes to the courts of those states.  Clearly entering into a contract that is governed by the relevant UK legal system will simplify obtaining advice and provide for more local resolution of disputes.
· When planning to use a cloud-based solution for backup of important data, particular note should be taken of terms by which a cloud provider advises or requires customers separately to backup data placed on their cloud service (in other words, where the proposed backup solution itself disclaims responsibility for being a reliable backup).
· Many cloud providers will seek to exclude, as far as possible under the legal system applying to the contract, any warranty of service or acceptance of liability.  Such liability as cannot be disclaimed altogether will typically be strictly limited.  
· Where the institution has contractually committed to safeguard licensed educational resources, for example, it will be necessary to obtain warranties from cloud providers that host these resources on their behalf.  The service provider should provide assurances that best efforts will be made to prevent access by unlicensed users and to prevent any unauthorised usage of the licensed resources.
 
Source - Terms of Service Analysis for Cloud Providers - Queen Mary School of Law Legal Studies Research Paper No. 63/2010.
 
The responsibility to bind users to acceptable use remains for IT directors even when learners are not strictly using the institution’s infrastructure to interact and to publish information.  Responsibilities such as the prevention of bullying by means of the institution’s technology systems will continue to be addressed with terms of acceptable use for users.  In many cases, the cloud infrastructure will be invisible to learners, and where learners sign up to external cloud providers on the instruction of the institution, it will be necessary to ensure that they agree to use the service responsibly, with the sanction that service can be withdrawn by the institution.  As a JANET “User Organisation” the institution is bound by the JANET Acceptable Use Policy, which defines acceptable and unacceptable use.  The agreement requires the “User Organisation” to bind users to acceptable use by means of terms and conditions.  While users may increasingly be using computing infrastructure that is cloud based, it is apparent that acceptable use of institution-provided facilities must still be regulated by means of terms and conditions that bind the user.
 
The Computer Misuse Act 1990 (CMA) criminalises unauthorised access to any program or data held on a computer.  Clearly this extends to unauthorised access to information that a cloud provider hosts on behalf of the institution.  For IT professionals the security hierarchy has to be extended to embrace cloud based activities as well as interaction with cloud hosted data.  At the operational level, what is ‘acceptable use’ should be strictly enforced and a culture of legal use predominant.
 
There are three distinct types of information which law enforcement agencies may require an FE or HE institution to disclose:
 
· Communications data - information associated with but not including the actual content of a communication.  Includes email addresses and telephone numbers (sender and recipient).  An itemised telephone bill is a good example.
· Keys to access protected or encrypted information - most likely information recovered by an interception but which is encoded.
· Content - e.g. the actual content of a message sent by email, or a telephone conversation.
 
These obligations remain for FE and HE institutions irrespective of the type of infrastructure being used, cloud or otherwise.
 
10.1 Requests for Information - Communications Data
By far the most common request made by the police is to identify an individual user or to provide information about their online activity.  Information about communications and the individuals who made them (e.g. the identity of users of a particular email or IP address, when they logged in and to whom they sent e-mails), but not including the content of any files or communications, is covered by the Regulation of Investigatory Powers Act 2000 (RIPA), where it is referred to as "communications data".  
 
The police must always use RIPA s.22, and not any other process, to obtain communications data.  An FE or HE institution receiving the appropriate notice must comply with it by disclosing the information specified in the notice.  Having appropriate procedures in place to carry this out should data be hosted in the cloud is now necessary.

10.2 Requests for Information - Encryption Keys
Under s.49 RIPA, properly authorised persons (such as members of the law enforcement, security and intelligence agencies) may serve notice on an institution requiring the disclosure of protected (e.g. encrypted) information which they lawfully hold, or are likely to, in an intelligible form.  S.49 limits the information to which the right to serve such a notice applies but an example could be material seized by police under a judicial warrant or intercepted under a warrant authorised in accordance with Chapter I, Part I of RIPA.
 
An FE or HE institution receiving the appropriate notice must comply with it by disclosing the information specified in the notice in an intelligible form or by disclosing any key to the information which is in their possession.  It is now necessary to have appropriate procedures in place to carry this out should data be hosted in the cloud.
 
10.3 Requests for Information - Content
Information that is not communications data, and therefore not covered by the Regulation of Investigatory Powers Act 2000, includes the content of emails and files.  Two different processes (one mandatory, one not) cover the disclosure of this type of information:
 
1. A court may make an order that an institution must disclose specified information to the court, usually for use as evidence.  An institution that receives such an order must comply with it, generally by disclosing the required information to a police constable.  For IT directors it is necessary therefore to ensure that such an order can be complied with where the information is stored with a cloud provider.
 
2. Sections 28 and 29 of the Data Protection Act 1998 allow an institution that holds personal data (including the content of emails and files) to choose to disclose data if it is persuaded that the disclosure is both necessary and proportionate in the interests of national security (s.28) or of the detection, investigation or prevention of crime (s.29).  In both cases, it is the responsibility of the institution that has the data to ensure that the risk of harm if the information is not disclosed justifies the breach of privacy that will be caused by disclosing it.  
 
 
10.4 Removing Material from Publication
Institutions respect the right to free speech but where information published by a university or college, or one of its members, breaks the criminal or civil law (these are generally also breaches of the JANET Acceptable Use Policy) the publication may be altered or removed.
 
The normal situation under UK law is contained within the Electronic Communications (EC Directive) Regulations 2002.  This protects those that provide services such as web hosting from liability so long as they act promptly when informed of a particular publication that may be unlawful.  If the publication continues after a complaint, the institution may be held to have approved the content of the publication and may be liable if the publication is later found to break the law.  Institutions should therefore have efficient processes to receive and consider complaints of unlawful material where material is published, including on their websites, and to remove or alter any material that they would not be prepared to defend in court.  
 
 
The overall benefits of cloud computing for FE and HE institutions are potentially greater efficiency of service and reduction in costs.  The main challenge from a legal perspective is some loss of control as with the outsourcing of any core organisational function.  This can impact on information governance and compliance obligations with UK legislation.  
 
The service contract is central to enabling the institution to confirm its essential requirements.  Negotiating favourable and constructive terms within this contract is essential.  The key is to maintain enough control to minimise the legal risks while still taking advantage of the opportunities that cloud computing can bring.
 
IT security is fundamental in that the institution is entrusting its security to the cloud provider.  If they have not done or do not continue to do a good job securing their own environment then the institution will be in trouble.  IT security can be difficult to monitor and problems may not be apparent until something goes wrong.  Measuring the quality of a cloud provider’s approach to security is difficult because many cloud providers would be unwilling to expose their infrastructure to inspection by the institution.  It is recommended that such scrutiny should be part of the service negotiation with a cloud provider. 
 
Security Measures - Information Commissioner’s Office.
Cloud Computing - Queen Mary, University of London Research papers.
Law Enforcement Access in a Cloud Environment - Queen Mary, University of London.

We have a range of cloud computing resources available to you.  If you need one-to-one guidance, please contact our helpdesk.
 
 

 

Posted on 30/08/2011
