In the guidance, the ICO warns that using the cloud to provide services to customers could lead to the collection of more information about those customers than businesses expect; for example, it may involve collecting usage statistics or transaction histories for those customers, which may be personal data in certain circumstances. That means that those businesses must know what personal data is being collected and whether that collection of personal data is legally compliant, including providing the customers with a form of privacy policy setting out information about the collection of personal data.
The ICO makes clear in the guidance that businesses making use of the cloud are still responsible for the data stored in the cloud, even if the cloud service provider processes that data. Businesses should therefore make sure that the cloud service provider is secure and complies with data protection laws, with a written contract covering that. The ICO also suggests that businesses should not simply “accept” standard terms and conditions of cloud services providers without checking that those terms are legally compliant and adequately cover the businesses’ legal responsibilities. Businesses should conduct audits of the cloud service providers as well as sub-processors where relevant.
The ICO would support an industry-recognised standard or kitemark to indicate the level of security that cloud service providers have, so that business customers could have confidence in that security on the basis of an independent assessment. The regulator’s advice contained further help, with details of how to encrypt personal data in the cloud.
