Protecting personal data in the cloud
If your cloud computing provider hosts personal data, then the protection of that data's privacy is a major consideration.
And while a cloud computing provider may or may not be subject to privacy laws, it is still possible for their actions to put their customers in breach of the Data Protection Principles. It is therefore particularly important when engaging a provider to take steps to minimise this risk, both in selecting the provider and negotiating a contract.
The main difference between cloud computing and traditional computing is that the customer’s data is hosted on a remote server. The server may be operated by the cloud computing provider or by a third party, may be located in Hong Kong or overseas and may be exclusive to one customer or shared between many.
If a cloud computing provider is based in Hong Kong, you might expect that it is subject to the Personal Data (Privacy) Ordinance (the Ordinance). However, this is not necessarily the case.
A cloud computing provider is not considered to be a "data user" for the purposes of the Ordinance if it holds, processes or uses personal data solely on behalf of its customers, and not for its own purposes. (Although a cloud computing provider who collects personal data directly from individuals will be a "data user", even if it only does so on behalf of its customers.) If a cloud computing provider is not a data user, it is not required to comply with the requirements of the Ordinance.
If a cloud computing provider is based outside Hong Kong, then it may or may not be subject to privacy laws similar to those of the territory. Many such providers are based in countries which do not have privacy laws at all.
Pre-contractual measures
There are several measures you can take in selecting a provider to reduce privacy risks.
1) Privacy Impact Assessment
As part of assessing the feasibility of adopting a cloud computing service, businesses should conduct a Privacy Impact Assessment. This is a risk assessment and mitigation process that helps to evaluate the potential impact of a cloud computing solution on the privacy of personal data. Conducting a Privacy Impact Assessment involves:
- Identifying what personal data is collected and how that personal data will be collected, used, disclosed and stored
- Analysing the possible privacy impacts of the cloud computing solution
- Identifying and recommending options for managing, minimising or eradicating these impacts
The Privacy Commissioner has published guidance on conducting Privacy Impact Assessments.
2) Selection criteria
As part of the process for selecting a cloud computing provider, candidates should be required to demonstrate that:
- They have an established privacy policy regarding hosted data and applications which complies with the requirements of the Data Protection Principles
- Their infrastructure is appropriately secure
- They have processes in place to support appropriate action in the event of an incident that affects personal data
- They conduct regular internal audits to ensure those practices are being complied with
- They have measures in place or are ready to adopt measures required by the customer, to minimise the impact on privacy of personal data
Ideally, privacy protection should be "built in" to the design and operation of the provider’s services, rather than tacked on as an afterthought. This approach, called "Privacy by Design", was developed by Dr Ann Cavoukian, Information and Privacy Commissioner of Ontario, Canada.
3) Contractual measures
Your contract with the cloud computing provider should include provisions which ensure adequate protection of personal data transferred to the provider. This is particularly important if the provider is based in a country which does not have similar privacy laws to those of Hong Kong. In particular, the contract should provide that:
- Where the provider is collecting data directly from individuals, the provider must collect the personal data lawfully and fairly and after giving prominent notice to the individual of the details required by Data Protection Principle 1(3).
- Personal data is used and disclosed only as necessary for the purpose of providing the cloud computing services.
- Where it is necessary to disclose personal data to third parties, those third parties should be made aware of the cloud computing provider’s obligations in relation to the personal data and required to comply with those undertakings.
- The provider must keep personal data adequately secure against unauthorised access and conduct (or allow the customer to conduct) regular assessments to ensure adequate security measures are in place.
- In the event of a privacy or security breach, the provider will notify the customer of the details of the breach and comply with the reasonable directions of the customer in remedying the breach.
- After the cloud computing services are completed, the provider must provide the customer with a full copy of the personal data in a non-proprietary format and delete (and certify the deletion of) the personal data from its own servers.
4) Transferring personal data to an overseas cloud computing provider
The Ordinance currently places no restrictions on the transfer of personal data out of Hong Kong. However, the Ordinance does contain a provision which is not yet in operation (section 33) which would, if brought into operation, prohibit the transfer of personal data outside of Hong Kong except in certain circumstances. There have been a number of recent comments and updates by the Privacy Commissioner in relation to section 33 which suggest that the section could be brought into operation soon.
Therefore, if using a cloud computing provider which is located outside Hong Kong or which uses servers located outside Hong Kong, businesses should consider whether they need to take any measures to avoid interruption if and when section 33 comes into force. The requirements of section 33 are discussed in our recent article Transferring personal data between Hong Kong and the PRC.
Conclusion
Customers should be aware that their cloud computing providers may not be subject to any privacy laws, even if based in Hong Kong. However, it is still possible for their actions to put their customers in breach of the Data Protection Principles. It is therefore particularly important when engaging a cloud computing provider to take steps to minimise this risk, both in selecting a provider and negotiating a contract.