User Guide: Cloud Computing and the Law for Senior Management and Policy Makers (31/08/2011)

Please Note:  This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.

Licensing Information: This work, with the exception of logos, and any other content marked with a separate copyright notice, is licensed under a Creative Commons Attribution 3.0 Unported Licence.  Attribution should be “© JISC Legal  - www.jisclegal.ac.uk - used under Creative Commons Attribution 3.0 Unported Licence” (with clickable URLs where possible).  The use of logos in the work is licensed for use only on non-derivative copies.  Further information is in the Copyright Policy section of the JISC Legal website.

What’s in this Guide?
This is a practical guide to the legal issues relevant to an institution deciding whether to adopt cloud computing based ICT services.  It is intended to allow you to make an informed decision as to how the legal risks weigh up against the potential benefits.

It will also allow you, should you choose to go ahead, to have confidence that your institution has considered the appropriate legal issues, and is in a position to reassure users.

 This publication is part of JISC Legal’s Cloud Computing and the Law toolkit.  Access the entire toolkit.

Access further information on JISC’s work on cloud computing.

Key Points 
 
· Cloud computing involves few special legal considerations beyond those involved in traditional computing provision, but some reassessment of the legal risks is necessary in the light of the changes that cloud computing introduces.
· Cloud computing may not be appropriate for all uses - particularly where security of data and personal data are involved.  This may require the institution to adopt suitable policies and guidance in order to define in what circumstances and for what purposes the cloud computing services are appropriate.
 
Although cloud-based services can help reduce software and other computing costs for FE and HE institutions, the notion of cloud computing instantly raises concerns about security and reliability.
 
The attraction of using computing infrastructure, platforms and software on “pay as you go” is fairly obvious.  The ability to scale down in-house provision of IT services is appealing in an environment where costs need to be scrutinised robustly.  The risks of such a strategy need to be assessed and decision makers will want to know how the changes will affect the institution.  In particular as a senior manager you will want to know whether new or revised systems of governance will need to be in place to maintain oversight of existing information strategies and data handling procedures.  
 
The full legal implications too are unknown.  This paper will highlight the legal risks relevant for senior managers as they consider introducing cloud computing.  Evaluating such risks is something that senior managers will be familiar with. Paying particular attention to the details of the service provider contract at the negotiation stage will enable you to establish the relationship that you need in order to reduce uncertainty and maintain enough control to keep risks at a minimum while still taking advantage of the opportunities that cloud computing brings.  
 
Risk with technology usage is not new but because the adoption of cloud technology changes how data is managed and processed some particular risks need to be clarified and re-assessed.  Moving critical business functions off-site requires confidence in the partner chosen to provide the services.  Risks that need to be re-assessed include issues of:
 
· responsibility for data security and the privacy of individuals 
· information ownership 
· what law applies when a dispute arises
· access by law enforcement agencies.
 
Each of these issues has a bearing on accountability and as such could expose the institution to the risk of damage to reputation.   
 
The privacy of individuals is often cited as a concern with cloud computing.  The Data Protection Act 1998 (DPA), while not a privacy law, does govern how the personal data of individuals is processed.
 
Institutions, as data controllers, are required to ensure that all processing of personal data that they are responsible for is fair and lawful.  In effect, from a senior manager’s perspective, this means that the appropriate technical and organisational measures must be in place to ensure that there is no unauthorised or unlawful processing of personal data and that personal data is not lost, damaged or destroyed.
 
The Information Commissioner’s Office (ICO) has the power to serve a monetary penalty notice on a data controller for serious breaches of the DPA.  A monetary penalty of up to £500,000 will only be appropriate in the most serious situations.  Information on recent actions taken can be accessed on the ICO website.
 
Until now, control over where data was and who had access to it could be centrally managed.  The security hierarchy was certain and provided safeguards that essentially fulfilled the institution’s obligations to keep personal data secure and private.  In an environment where data is stored off campus and transactions take place remotely, beyond the IT Director’s physical reach, it needs to be established how oversight can be achieved to the required legal level.
 
The DPA applies to personal data which is defined as data relating to a living individual from which the individual can be identified or which if combined with other data may identify the individual.  
 
As data controllers, those in senior management positions at the institution are responsible for compliance with the DPA legal obligations.  When using a cloud provider, the institution will continue to be the data controller and the cloud provider will be the data processor.  The cloud provider should be required to act in accordance with agreed terms between the institution and the cloud provider in order to ensure compliance with the DPA.
 
One issue to be re-examined, for example, is the matter of retention schedules.  Your institution is likely to have committed to and have in place practices and procedures for records handling to enable disposal and retention as required by various legal obligations.  How these retention schedules are complied with when the data is hosted and processed remotely needs to be clarified.  
 
Cloud providers are likely to store and move data around multiple servers situated in a number of jurisdictions which may very likely be outside the European Economic Area (EEA).  This can be a breach of the Data Protection Act 1998 by the institution unless there are adequate security measures in place for personal data.  Compliance may be achieved if EU approved contract terms are used with a cloud provider.  Alternatively, if using a US based cloud provider, ensuring that they are signed up to the Safe Harbor provisions will be necessary.  You can check this on the USA Trade Information Center - Export.gov website.
 
Further details on your obligations when considering sending personal data outside the European Economic Area are available on the Information Commissioner's Office (ICO) website.    
 
The probability of the occurrence of serious data loss may not be very high, but should a loss occur the impact on the institution is likely to be significant.  Dealing with the regulatory authorities is one aspect, in addition to restoring the confidence of staff and learners in the ability of the institution to manage the privacy and security of personal information.
 
One main reason for using cloud computing is to enable the institution to use the cloud technology to process information and thus generate outputs.  In doing so the institution may also generate know how or trade secrets, which are not set out in any particular information output but reside in the data structures or processes which the institution establishes through its use of the cloud.
 
The cloud provider, too, will be generating information of various different types.  Cloud providers will collect information about the operation of their systems and service for management purposes.  Some of this information will consist of know how or trade secrets belonging to the service provider.
 
The jurisdiction in which new information is created will have a bearing on how ownership of it is determined.  If an institution is conducting research on virtual computers, it is advisable that the issue of ownership is clarified and detailed in the service contract before the work takes place.  Thus, in addition to discrete information outputs, it is necessary for the institution to address and agree in the service contract the ownership of information which can be derived or deduced from how the cloud data is used.
 
The nature of the cloud means that information is constantly being added and removed and modified, and new information is being generated.  For you as a decision maker it is important to have clarified and agreed with cloud providers where responsibility for this data lies.
Source - Information 'Ownership' in the Cloud - Queen Mary School of Law Legal Studies Research Paper No. 45/2010.
 
As a manager in an FE or HE institution you will know that the Freedom of Information (FOI) legislation gives individuals a right of access to information held by the institution.  The legislation covers all records and information held whether digital or print, current or archived.  For senior decision makers considering introducing cloud services it is important therefore to address this issue with any cloud provider and ensure that specific data, if requested, can be retrieved within twenty working days.
 
Even though the information is stored in the cloud, an institution will still be deemed to be holding it for the purposes of FOI.  This converts into a legal requirement to ensure that access is possible and that such incidents as outages and failures at the cloud provider’s end do not prevent the institution fulfilling its legal obligations to respond with information as requested.
 
IT security is fundamental when an institution commits its computer services to a cloud provider.  If the cloud provider has not done or does not continue to do a good job securing its own IT environment then the institution will be in trouble.  IT security can be difficult to monitor and problems may not be apparent until something goes wrong.  Measuring the quality of a cloud provider’s approach to security is not easy because many cloud providers will be unwilling to expose their infrastructure to inspection.  It is recommended that such scrutiny should be part of the service negotiation with a cloud provider.
 
As a senior manager you will already be familiar with the requirements to:
 
· design and organise security to fit the nature of the personal data that is held and the harm that may result from a security breach; 
· be clear about who in the institution is responsible for ensuring information security; 
· make sure that the institution has the right physical and technical security backed up by robust policies and procedures and reliable, well-trained staff; and 
· be ready to respond to any breach of security swiftly and effectively. 
 
The cloud provider contract on offer must be examined in detail and favourable and constructive terms negotiated with the cloud provider to ensure that they are appropriate to the work that your institution carries out.  
 
Cloud providers are likely to offer the same (standard) service to multiple users so your institution may have to change its applications and processes to match what is offered.
 
The key to the negotiation at this point is to ensure that enough control is maintained in house in order to minimise the legal risks while still taking advantage of the opportunities that cloud computing can bring.
 
· What “Information Security Standards” does the provider adhere to?
· Does the cloud provider use third parties to evaluate its own security risks?
· What identity and access management architecture is in place?
· How will the cloud provider accommodate the obligations that the institution has with regard to data protection and data retention schedules?
· Are there clear penalties in the contract for data loss or breach of security and privacy? 
· Can the cloud provider give assurances that information can be taken down without delay from websites or other accessible locations on the instruction of the IT director?
· What planned responses are in place should a service failure occur?
· Can the cloud provider’s facilities be inspected by the institution’s IT director?
· Is data portability part of the service that is provided?
· Where encryption of data is required is the cloud provider able to facilitate this requirement?
 
There are many occasions when information is required to be kept confidential by administrative staff or researchers at an institution.  This will include handling personal health data, some types of employment related data and management related data that may be sensitive commercially.  Before entering into a cloud service agreement you as a senior manager will want the proposed systems tested to ensure that confidential data can be processed without being compromised.
 
An institution will be keen not to be involved in legal disputes.  This is especially the case if the dispute involves having to enforce contractual terms in an overseas jurisdiction or having to defend an action in an overseas jurisdiction.  The nature of the cloud is that it is likely that more than one legal jurisdiction will be involved in a particular cloud deployment.  It is in the institution’s interest to make sure that the service contract provides for legal resolution of the dispute in the UK.  Clarifying whether or not the cloud provider has a legal presence in the UK is therefore essential. 
 
The law requires certainty and, although cloud providers usually present comprehensive contract terms of service, many terms and conditions include wide-ranging disclaimers of liability.  Also they may not provide a warranty that the service will operate as described, or indeed at all.
It is likely that as the cloud market expands and matures terms of service will evolve to more closely represent what institutions require and how the law operates in the UK.  In the meantime the following points may be useful to bear in mind when examining cloud computing terms and conditions.
 
· Many cloud services are offered under the laws of US states and subject to terms that purport to restrict legal disputes to the courts of those states.  Clearly entering into a contract that is governed by the relevant UK legal system will simplify obtaining advice and provide for more local resolution of disputes.
 
· When planning to use a cloud-based solution for backup of important data, particular note should be taken of terms by which a cloud provider advises or requires customers to back up separately the data placed on their cloud service (in other words, where the proposed backup solution itself disclaims responsibility for being a reliable backup).
 
· Most cloud providers will seek to exclude, as far as possible under the legal system applying to the contract, any warranty of service or acceptance of liability.  Such liability as cannot be disclaimed altogether will typically be strictly limited.  
 
· Where the institution has contractually committed to safeguard licensed educational resources, for example, it will be necessary to obtain warranties from cloud providers that host these resources on their behalf.  The cloud provider should provide assurances that best efforts will be made to prevent access by unlicensed users and to prevent any unauthorised usage of the licensed resources.
 
Source - Terms of Service Analysis for Cloud Providers - Queen Mary School of Law Legal Studies Research Paper No. 63/2010.

The responsibility to bind users to acceptable use remains for institutions even when learners are not using the institution’s infrastructure to interact and to publish information.  Responsibilities such as the prevention of bullying by means of the institution’s technology systems will continue to be addressed with terms of acceptable use for users.  In many cases the cloud infrastructure will be invisible to learners and where learners sign up to external cloud providers on the instruction of the institution it will be necessary to ensure that they agree to use the service responsibly with the sanction that service can be withdrawn by the institution.  As a JANET “User Organisation” the institution is bound by the JANET Acceptable Use Policy which defines acceptable and unacceptable use.  The agreement requires the “User Organisation” to bind users to acceptable use by means of terms and conditions.

Even in a post-personal-computer world, while users may increasingly be using computing infrastructure that is cloud based, it is apparent that acceptable use of institution-provided facilities must still be regulated by means of terms and conditions that bind the user.

Senior managers are responsible for discharging legal obligations in terms of law enforcement.  There are three distinct types of information which law enforcement agencies may require a further or higher education institution to disclose:
 
· Communications data - information associated with but not including the actual content of a communication.  Includes email addresses and telephone numbers (sender and recipient).  An itemised telephone bill is a good example;
· Keys to access protected or encrypted information - most likely information recovered by an interception but which is encoded;
· Content - e.g. the actual content of a message sent by email, or a telephone conversation.
 
These obligations will remain for FE and HE institutions irrespective of the type of infrastructure being used, cloud or otherwise.  It is necessary therefore to bear in mind these obligations when designing and implementing computing solutions that involve partners such as cloud providers.
 
By far the most common request made by the police is to identify an individual user or to provide information about their online activity.  Information about communications and the individuals who made them (e.g. the identity of users of a particular email or IP address, when they logged in and to whom they sent e-mails), but not including the content of any files or communications, is covered by the Regulation of Investigatory Powers Act 2000 (RIPA), where it is referred to as "communications data".  
 
The police must always use RIPA s.22, and not any other process, to obtain communications data.  As a senior manager in an FE or HE institution receiving the appropriate notice you must comply with it by arranging for the disclosure of the information specified in the notice.  If data is processed and hosted in the cloud it is necessary to have appropriate procedures in place to enable speedy access and retrieval of communications data.  
 
Under s.49 RIPA properly authorised persons (such as members of the law enforcement, security and intelligence agencies) may serve a notice on a senior manager at an institution requiring the disclosure of protected (e.g. encrypted) information which they lawfully hold, or are likely to, in an intelligible form.  
 
S.49 limits the information to which the right to serve such a notice applies but an example could be material seized by police under a judicial warrant or a RIPA authorised interception warrant. 
 
A senior office holder at an FE or HE institution receiving the appropriate notice must comply with it by disclosing the information specified in the notice in an intelligible form or by disclosing any key to the information which is in their possession.  It is necessary therefore for senior managers to ensure that appropriate procedures are in place with the cloud provider to comply with such notices should encrypted data hosted in the cloud be seized by police.
 
Information that is not communications data, and therefore not covered by the Regulation of Investigatory Powers Act 2000, includes the content of emails and files.  Two different processes (one mandatory, one not) cover the disclosure of this type of information.
 
1. A court may make an order that a senior office holder at the institution must disclose specified information to the court, usually for use as evidence.  A senior office holder that receives such an order must comply with it, generally by disclosing the required information to a police constable.  For senior managers it is necessary therefore to ensure that such an order can be complied with where the information is stored with a cloud provider.
 
2. Sections 28 and 29 of the Data Protection Act 1998 allow an institution that holds personal data (including the content of emails and files) to choose to disclose data if it is persuaded that the disclosure is both necessary and proportionate in the interests of national security (s.28) or of the detection, investigation or prevention of crime (s.29).  In both cases it is the responsibility of the institution that has the data to ensure that the risk of harm if the information is not disclosed justifies the breach of privacy that will be caused by disclosing it.  
 
Agencies responsible for crime and national security can therefore ask senior office holders at an institution if they are willing to disclose information under either of these sections.  There is no legal requirement to comply with such a request.  
 
The Information Commissioner has guidance on deciding whether or not to disclose.  Standard forms have been designed on which the agency can make the case for disclosure.  These are available on the Home Office website.
 
Senior managers that are persuaded that a request is necessary and proportionate and decide to disclose information on that basis are strongly recommended to keep a copy of the request, together with a record of the process by which the institution reached the decision to disclose.  These will be required as evidence if the institution is subsequently sued for having breached its obligation under the Data Protection Act to keep personal data secure.

Source - Working with Law Enforcement - JANET.

Senior office holders of colleges and universities in England, Wales and Northern Ireland have a statutory duty to protect free speech by their members under section 43 of the Education (No.2) Act 1986 (similar provisions also apply to colleges and universities in Scotland).  However where information published by a college or university, or one of its members, breaks the criminal or civil law this duty may be overridden and the publication may be altered or removed.
 
The normal situation under UK law is contained within the Electronic Communications (EC Directive) Regulations 2002.  This protects institutions that provide services such as web hosting from liability so long as they act promptly when informed of a particular publication that may be unlawful.  If the publication continues after a complaint, the institution will be held to have approved the content of the publication and may be liable if the publication is later found to break the law.  A complaint does not have to take any particular form, but it must give specific information that allows the publication to be identified.  Institutions should therefore have efficient processes to receive and consider complaints of unlawful material on their websites and to remove or alter any material that they would not be prepared to defend in court.  Note that the institution should not disclose the identity of the person responsible for the publication except according to one of the processes described above. 
 
The drive towards the adoption of cloud services is strong and there are compelling financial and efficiency reasons to consider implementing such services.  The challenge for senior decision makers in FE and HE is to be able to maintain enough control to keep risks at a minimum while still taking advantage of the opportunities that cloud computing can bring.  The legal risks of such a strategy need to be assessed and sufficient safeguards in terms of security will need to be in place to maintain oversight of existing information and data handling procedures.  

IT security is fundamental when an institution commits its computer services to a cloud provider.  Institutions have spent many years constructing security measures, safe practices and procedures in order to safeguard the in-house technology infrastructure and the individuals and their data.  This level of commitment must be contractually required from a cloud provider in order for the institution to fulfil its own legal obligations.
 
The Data Protection Act 1998 governs how the personal data of individuals is processed.  Institutions, as data controllers, are required to ensure that all processing of personal data for which they are responsible is fair and lawful, even where the data processing is carried out by a cloud provider.  The legal obligations fall on the senior office holders at the institution to make sure that any cloud provider that is processing its personal data has appropriate security practices and procedures in place.  
 
You need to examine the details of the terms and conditions of the service provider contract in order to assess their relevance to the work of your institution.  Many cloud services are offered under the law of US states and subject to terms that purport to restrict legal disputes to the courts of those states, for example.  Establishing agreement that the contract is to be governed by the relevant UK legal system will simplify obtaining advice and provide for more straightforward resolution of disputes. 
 
 
We have a range of cloud computing resources available to you.  If you need one-to-one guidance, please contact our helpdesk.
 
 

 

Posted on 30/08/2011
