Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.
Licensing Information: This work, with the exception of logos, and any other content marked with a separate copyright notice, is licensed under a Creative Commons Attribution 3.0 Unported Licence. Attribution should be “© JISC Legal - www.jisclegal.ac.uk - used under Creative Commons Attribution 3.0 Unported Licence” (with clickable URLs where possible). The use of logos in the work is licensed for use only on non-derivative copies. Further information is on Copyright Policy section of the JISC Legal website.
What’s in this Guide?
This is a practical guide to the legal issues which you might have as a student, member of staff or other authorised user at a college or university which has adopted a cloud computing based service, or is considering doing so. It will inform you of the various legal consequences which the institution will have considered, so that you can be confident in the use of cloud computing, and can ask informed questions if you need further reassurance.
This publication is part of JISC Legal’s Cloud Computing and the Law toolkit. Access the entire toolkit.
Access further information on JISC’s work on cloud computing.
Key Points
· Cloud computing involves few special legal considerations beyond those involved in traditional computing provision.
· Your institution will have already considered the relevant legal issues and will have adopted cloud computing services appropriate to the institution’s needs.
· Cloud computing may not be appropriate for all uses – particularly where security of data and personal data are involved. Inform yourself as to your institution’s policies relevant to the use of cloud computing services
Contents
1. Introduction
2. Information Ownership and Research
3. Privacy and Data Protection
4. Freedom of Information
5. Confidentiality
6. Unlawful Behaviour
7. Law Enforcement
8. Data Security and the US Patriot Act
9. Accessibility
10. Summary
11. Further information
1. Introduction
Cloud computing based services are relatively new, and you may have concerns or curiosity as to the legal issues which may have arisen in the adoption of such services by your institution, or which may arise through their operation. These might include questions about security of your personal data, the right of the cloud computing service provider to access and/or use your information, and questions about responsibility if anything goes wrong.
2. Information Ownership and Research
Who owns data stored in the cloud?
The mere fact of placing data in the cloud should not alter its ownership status. Intellectual Property Rights (IPR) in materials uploaded to the cloud will normally be retained by your institution in the case of works created by staff. It will also be retained by learners in the case of works created by them, unless in either case there is agreement otherwise.
However, the nature of the cloud means that information is constantly being added, removed or modified, and new information generated. While it will normally be possible to identify the creator and therefore the first IPR owner, it may be more difficult to identify where the material was created. What jurisdiction a new work is created in will have a bearing on how ownership is determined. It’s important for institutions to clarify and agree with cloud providers where ownership of this new data lies.
In contrast to concerns often expressed regarding cloud computing services, an analysis of cloud providers’ terms and conditions conducted by the Queen Mary University of London School of Law indicated that cloud providers do not assert ownership of the intellectual property rights in content and data uploaded by their users.
Cloud providers, although not asserting IP rights, frequently include a term in their contract terms and conditions stating that their customer (your institution) grants the provider a compulsory licence to republish some or all of the customer’s data for the purpose of provision of the service. Your institution will be responsible for ensuring that the extent of such licence is limited to what is necessary for the provision of the cloud service and is compatible with your institution’s obligations to third parties.
Where you have concerns regarding the ownership of data placed in the cloud, in particular the ownership status of research data (which may have been produced as a result of dealings with a commercial research collaborator), it is advisable to contact your institution for clarification of the terms and conditions agreed with the applicable cloud provider with respect to ownership of data.
For further information regarding information ownership in the cloud, please refer to: Information 'Ownership' in the Cloud - Queen Mary School of Law Legal Studies Research Paper No. 45/2010.
3. Privacy and Data Protection - Who is Responsible?
The privacy of individuals is often cited as a concern with cloud computing. The Data Protection Act 1998 (DPA), while not a privacy law, does govern how the personal data of individuals is processed. Institutions as data controllers are required to ensure that all processing of personal data that they are responsible for, including that of staff and learners, is fair and lawful. From your perspective, this means that the appropriate technical and organisational measures must be in place within your institution to ensure that there is no unauthorised or unlawful processing of personal data, as well as ensuring that personal data is not lost, damaged or destroyed.
Until now, control over where the data was and who had access to it was centrally managed. You may be concerned about the security of your personal data in an environment where data is stored off campus and transactions take place somewhere remotely beyond the IT director’s physical reach.
Is my institution liable if it loses my personal user data stored using a cloud computing service?
The seventh data protection principle in the Data Protection Act 1998 (DPA) requires an institution to ensure that personal data relating to its staff, learners and others remains secure, including protecting such data from accidental loss. The DPA provides that where an institution uses a third party, in this case a cloud provider, to process personal data on their behalf, they will be responsible for what the third party does with the data. This means that an institution could incur liability where it loses data stored using a cloud computing service.
Your institution has an obligation to ensure that its cloud provider has adequate measures in place to protect personal data securely against unauthorised or unlawful processing and against accidental loss, destruction and damage. Your institution should carry out due diligence prior to agreeing to a contract with a cloud provider to establish how the cloud provider handles personal data, in particular security of data, and use of security measures. Your institution should assess whether the security level offered meets both its requirements and that of the DPA and ensure that the terms of the contract with the cloud provider reflect these requirements.
Beyond the requirements of the DPA, it is possible for an institution to be liable to staff, learners and other authorised users under contract law in the case where it has agreed, in a contract with such staff, learners or authorised users, to ensure the security of data and fails to do so. It could alsobe liable in negligence where it fails to take the precautions reasonably expected and staff or learners or authorised users suffer loss as a result.
If my institution contracts with a cloud provider to store information does it matter where the data is?
Cloud providers are likely to store and move data around multiple servers situated in a number of jurisdictions which may very likely be outside the European Economic Area (EEA). The Data Protection Act 1998 (DPA) restricts the transfer of personal data to countries within the EEA (the eighth data protection principle) unless the country is considered to have an adequate level of protection for the individual in relation to the processing of personal data.
You may be concerned about the security of personal data stored by a cloud provider outside the EEA. An institution as data controller will remain responsible for the adequate protection of the personal data of their staff, learners and others and will need to find out where the cloud provider is processing data in order to assess how to proceed.
To maintain compliance with the DPA, your institution may consider using a cloud provider in a country already assessed by the European Commission as having adequate protection, or a US provider who has signed up to the Safe Harbour Regulations (this can be checked on the US Trade Information Center - Export.gov website: safeharbor.export.gov/list.aspx, or use European Commission approved contract terms with its provider. Further information regarding transfer of data abroad can be found on the ICO website.
I am unhappy about my personal data being stored with a cloud provider what can I do?
You have a limited right under the DPA to tell your institution to stop processing information about you if it is causing you unwarranted and substantial damage or distress. Substantial damage would usually be financial loss or physical harm and substantial distress must be a level of upset more than annoyance, irritation or strong dislike. You must make clear in writing to your institution:
· who you are,
· what the processing is that you object to - this could relate to the information being released to a cloud provider, how it is being processed by the cloud provider or the use that is being made by the cloud provider of the information.
· Why this processing is causing you unwarranted and substantial damage or distress or if the processing has not yet begun, why it will be likely to do this.
There are a number of circumstances outlined in the DPA where the right to object to processing of your information does not apply. For example you will not be able to object where you have consented to the processing or in the case where your institution can show that the processing is necessary for the performance of a contract that you have entered into, such as a contract of employment (in the case of staff) or a learning agreement (in the case of learners).Your institution should reply in 21 days to a written objection and explain what, if anything, they are going to do in response and give their reasons if they think your demand is not justified. If you are not satisfied with the response you can apply to a court and the court will decide whether, or how far, your request should be met.
4. Freedom of Information
Freedom of Information (FOI) legislation gives individuals a right of access to information held by your institution. The legislation covers all records and information held whether digital or print, current or archived. Even though the information is stored in the cloud, an institution may still be deemed to be holding it for the purposes of FOI. This converts into a legal requirement to ensure that access is possible and that incidents like outages and failures at the cloud provider’s end do not prevent your institution from fulfilling its legal obligations to respond with information as requested. You retain the right to request data and your institution is obliged to respond to the request within twenty working days.
5. Confidentiality
There are many occasions when information is required to be kept confidential by administrative staff or researchers at an institution. This will include handling personal health data, some types of employment related data and management related data that may be commercially sensitive. Prior to entering into a cloud agreement, senior managers at your institution will want the proposed systems tested to ensure that confidential data can be processed without being compromised. They will also want to assess whether the cloud is an appropriate place to store and work with certain information where confidentiality is critical. From your perspective , any contractual obligations with respect to maintaining confidentiality of information will continue to apply when information is stored in the cloud.
6. Unlawful Behaviour
The responsibility to bind users to acceptable use remains for institutions even where learners or staff are not using your institution’s infrastructure to interact and to publish information. Responsibilities such as the prevention of bullying will continue to be addressed with terms of acceptable use for users. In many cases, the cloud infrastructure will be invisible to learners. Where learners sign up to external cloud services on the instruction of your institution, it will be necessary to ensure that they agree to use the service responsibly with the sanction that the service can be withdrawn by your institution. As a JANET “User Organisation”, your institution is bound by the JANET Acceptable Use Policy (AUP) which defines acceptable and unacceptable use. The agreement requires the “User Organisation” to bind users to acceptable use by means of terms and conditions. In a post personal computer world, while you may increasingly be using computing infrastructure that is cloud based, it is apparent that you will continue to be bound by terms and conditions regulating acceptable use of institution provided facilities. Details of the JANET AUP are available on the JANET website.
7. Law Enforcement and Loss of Control
The Regulation of Investigatory Powers Act 2000 (RIPA) governs disclosure of information by your institution to law enforcement agencies. These obligations will remain for FE and HE institutions irrespective of the type of infrastructure being used, cloud or otherwise. Your institution will have to ensure compliance in its contract with the cloud provider.
From the perspective of staff, learners and other authorised users, under the Regulation of Investigatory Powers Act (RIPA), an institution may disclose to the police information regarding communications and who made them. Information they may disclose includes the identity of the user of a particular email or IP address, the time when they logged in, and the receiver of the email, however, it does not cover disclosure of the content of emails. Disclosure of the content of emails and files require a court order or a request under Sections 28 and 29 of the Data Protection Act. Sections 28 and 29 of the DPA allow an institution that holds personal data (including the content of emails and files) to choose to disclose data if it is persuaded that the disclosure is both necessary and proportionate in the interests of national security (s.28) or of the detection, investigation or prevention of crime (s.29). In both cases, it is the responsibility of your institution that has the data to ensure that the risk of harm if the information is not disclosed justifies the breach of privacy that will be caused by disclosing it.
8. Data Security and the US Patriot Act
The US Patriot Act is intended to assist terrorism prevention in the US and permits access to data by the US intelligence services in certain circumstances, including, but not limited to, in the interests of national security.
The US Patriot Act would allow the US intelligence services to obtain data belonging to an institution in the UK where the data is stored in the servers of a US cloud provider. Prior to outsourcing services to the US, your institution should take into account the potential impact of the US Patriot Act as part of its risk assessment.
The Information Commissioner’s Office advises that UK organisations outsourcing to the US should make sure they have procedures and measures in place to deal with any requests for information that may be received under the US Patriot Act. Such measures may include a requirement for the cloud provider to report requests from US authorities to your institution. Access the ICO outsourcing guidance for further information.
9. Accessibility
The Equality Act 2010 places a legal obligation on institutions to not discriminate against learners with disabilities in their service provision (including resources and delivery of teaching). This obligation remains unchanged whether an institution is using a cloud provider or a location specific provider.
Prior to using a cloud provider, your institution should check that the means of service provision will not adversely impact accessibility. Further information on the obligations under the Equality Act is available from the Equality Challenge Unit and the Accessibility section of the JISC Legal website.
10. Summary
Users of ICT within your institution may have concerns regarding the legal implications of using cloud computing services, in particular, with respect to the security of the personal data stored in the cloud.
Your institution will continue to have legal obligations with respect to data stored in the cloud. It will also have responsibility for formalising in the contract with the cloud provider such terms as will enable your institution to fulfil its legal obligations, including those under data protection, freedom of information and equality legislation.
With respect to personal data under the Data Protection Act 1998, institutions, as data controllers, are required to ensure that all processing of the personal data they are responsible for is fair and lawful. This is the case even where the data processing is carried out by a cloud provider and regardless of the jurisdiction in which the cloud provider is located. The legal obligations fall on your institution to make sure that any cloud organisation that is processing the personal data has appropriate security practices and procedures in place.
11. Further information
We have a range of cloud computing resources available to you. If you need one-to-one guidance, please contact our helpdesk.
ctical Guide: Cloud Computing
and the Law for Users