Cloud computing has revolutionised the way in which businesses store and process data.
More and more businesses are turning away from the traditional IT model of owning and maintaining hardware and software in favour of utilising on-demand IT facilities and services offered remotely, or "in the Cloud", from third party vendors. Given the potential cost benefits and the service and functionality advantages cloud computing can offer, this technology is likely to be a key element of any financial services IT infrastructure.
Moving to the cloud does not alter the legal obligations imposed on those who hold and process personal information and the risks and liabilities they face if they misuse or fail to adequately protect that data. This has been highlighted by the Data Protection Commissioner, with the publication of new guidance in this area this month. Some of the key areas of concern for businesses utilising cloud computing services for storing personal data are discussed below. These areas of concern are particularly pertinent to those operating or conducting business in regulated markets, such as financial services; it is vital to be aware of the risks and to then take steps to address those risks.
Security and integrity of data
Any business entrusting its data to a third party needs to ensure that it receives sufficient assurances in respect of the technical security and organisational measures governing the processing of the data. This should be a particularly acute concern for financial services businesses where the data held is primarily of a financial or sensitive nature and data security breaches can be disastrous, from both regulatory and PR perspectives.
In practical terms this means ensuring, prior to the handover of data, that the service provider has sufficient disaster recovery and back-up processes, adequate encryption procedures for when data is "in transit", appropriate employee access controls, appropriate authentication procedures and audit trails of access. It is important to bear in mind that in the event of a data security breach it will be the data controller (and not the third party) that will be the subject of the Data Protection Commissioner's investigations and the target of client/customer/consumer complaints. Service providers' contracts should reflect this risk and consideration should be given to the Data Protection Commissioner's guidance on these areas.
Jurisdictional issues and transfer of data
It is generally prohibited to transfer personal data outside of Ireland to any non-EEA jurisdiction that does not have an adequate level of protection, subject to certain exceptions. Businesses outsourcing to the cloud must therefore be certain as to where within the cloud the data could be stored, or agree with the service provider the specific jurisdictions in which the data can be processed, if they are to comply with their obligations. This can be difficult in practice given that many service providers process data across multiple jurisdictions through federated clouds. If such certainty cannot be guaranteed, businesses may need to explore alternative means of complying with their obligations, such as using the EU-approved Model Contracts as the basis for the agreement, or else the US "Safe Harbor" arrangement.
The contract: control, risk and flexibility
Any business looking to outsource the processing of personal data is obliged to put in place a formal written contract with the service provider. Frequently, the standardised contracts offered by the larger service providers impose unreasonable terms and conditions, absolving the service provider of even the most reasonable liability and allowing for unilateral termination of the contract on short notice.
Businesses must ensure any agreements entered into:
- provide the necessary assurances that the service provider will comply with applicable data protection legislation and with its instructions;
- sufficiently limit their exposure in the event of a data security breach on the part of the service provider;
- guarantee minimum service levels and standards on the part of the service provider (and prescribe appropriate remedies for failure to do so); and
- provide for appropriate termination triggers in the event of repeated, unreasonable downtime or significant system failures.
If you are currently utilising cloud computing services, or are contemplating making the transition from conventional IT systems to the cloud, you should consider carefully your extensive obligations under data protection law and the areas of exposure identified above. Add this item to the agenda when reviewing your existing contracts or before entering into any new agreement. In particular, given the heightened focus on data security in the financial services industry recently, and the premium placed on maintaining privacy and confidentiality, it is critical that you ensure service providers can offer the service levels and assurances of security that are expected by both customers and regulators.
Should you require any assistance in understanding and complying with your obligations under data protection legislation, or in negotiating terms of an agreement with a service provider, please feel free to contact Deirdre Kilroy or Brian Johnston, of the Intellectual Property and Technology Unit.
Glossary and additional information
Personal data is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
Data controllers are persons who, either alone or with others, control the contents and use of personal data. Usually, this will be the business that collects the information from the employee or the customer and makes use of the data.
The Data Protection Acts 1988 and 2003, as amended (the Data Protection Acts), govern the way in which businesses can hold, use and store personal data.
Deirdre Kilroy is head of the Intellectual Property and Technology Unit and is a partner in the Business Department. She advises clients on IT contracts, data protection matters, advertising laws and ecommerce arrangements.
T +353 16385866
Brian Johnston is a member of the Intellectual Property and Technology Unit and the Business Department. Prior to joining the firm, Brian worked in the Office of the Data Protection Commissioner.
T +353 16371573