Companies that use cloud computing services need to ensure that their cloud providers are compliant with data protection laws, the Irish Data Protection Commissioner has said in guidance for Irish companies, launched yesterday.
"A data controller," wrote commissioner Billy Hawkes, "would need to be satisfied that security standards of a very high level were in place before considering entrusting personal data to a cloud provider."
The guidance lists a number of important features that buyers should look for in their cloud providers. As well as offering continued access to data and preventing unauthorised attacks, cloud providers should also ensure good oversight over their subcontractors.
Cloud providers ought also to give customers the right to remove or transfer data out of their systems, the commissioner wrote.
The commissioner also addressed data location, pointing out that when data is transferred outside Europe, "special measures must be taken to ensure that it continues to benefit from adequate protection".
‘Model contracts’ are one way to do this, where data is protected contractually as it leaves the EU. Cloud providers may also process data in countries which have been "deemed by the EU Commission to have an “adequate” level of data protection", such as via the EU/US Safe Harbour Agreement.
Finally, Irish data protection law requires that cloud providers have a written contract with any subcontractors to underpin these principles.
The guidance comes as the EU Working Party for Cloud Computing published a 27-page guidance document applicable to the use of cloud computing throughout the EU.
An ICO spokesperson said its guidance is currently in development and would be published in the next few weeks.