Information Security and Data Protection for Financial Services - November 2014
Published 17 November 2014
As the days get more and more overcast and the nights draw in, what more fitting than another piece of "cloud" documentation to consider when engaging with a cloud services provider.
The autumn has seen the acknowledgment of a plethora of international standards on cloud computing. I say acknowledgment rather than launch, as many were published back in August. However, there has been little if any fanfare over their launch by the International Standards Organisation, and they have only come to the attention of the data protection community in the last few weeks.
ISO/IEC 17788 and 17789 provide standardized definitions of common cloud computing terms, such as Software as a Service, and of cloud deployment models such as "public" and "private" clouds, together with diagrams and descriptions of how the various aspects of cloud computing relate to one another. Of more interest to the data protection community is the new ISO/IEC 27018:2014, not so catchily titled "Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors."
Compliance with this standard should give cloud customers comfort that they are meeting their own data protection obligations. For example, the standard imposes the following requirements on the cloud provider:
- Only process personal data in accordance with the customer’s instructions;
- Assist the customer in cases of data subject access requests;
- Notify the customer in the event of data breach;
- Impose adequate confidentiality obligations on individuals accessing the personal data; and
- Flow down technical and organisational measures to sub-processors.
This standard provides a useful tool for a customer to evaluate the cloud services and data handling practices of a potential cloud supplier, and will be a useful reference point to form part of a wider contractual framework to secure personal data. I would recommend clients start asking their cloud providers about their plans for ISO/IEC 27018 compliance, and it may become good industry practice to insist on such compliance going forward.