Chapter 1: Background – The Data Protection Principles – Data Protection and the Cloud: Are the risks too great?

CHAPTER 1: BACKGROUND – THE DATA
PROTECTION PRINCIPLES

As most readers probably know, the Data Protection Act is based on eight legally-binding principles. Being principles rather than precise stipulations, these describe the outcome that must be achieved, not the means of doing so. Every organisation has a significant degree of flexibility in deciding how to comply.

The Act applies to the whole lifecycle of information, from its original collection to its final destruction. See the definition of ‘processing’ below.

It is usually necessary to be able to demonstrate, through policies and procedures, staff training and other measures, how an organisation ensures that all of its actions comply with the principles. A failure to comply with the principles is a breach of the Act. Any harm suffered by individuals as a result of a breach could lead to a claim for compensation and the Information Commissioner has powers to impose a financial penalty of up to £500,000 or to take other enforcement action in respect of serious breaches of the Act.

Familiarity with the principles is therefore an essential element in assessing the risks that might be posed by the use of cloud services and the mitigating actions that might be necessary.

Data protection principles

These are quoted from the Data Protection Act 1998, Schedule 1, Part I.

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

a) at least one of the conditions in Schedule 2 [see below] is met

and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. [Schedule 3, as subsequently amended by Statutory Instrument, contains around 20 conditions, more restrictive than those in Schedule 2. For the purposes of this publication it is sufficient to assume that particularly great care should be taken with records that include ‘sensitive personal data’ – defined below.]

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Implications of the data protection principles for cloud computing

All the data protection principles are aimed firstly at preventing harm to individuals, and secondly at ensuring that they are treated fairly whenever their data is used.

Two of the principles are particularly relevant to cloud computing:

• Principle 7, which says you must have appropriate security, and

• Principle 8, which controls the transfer of data abroad.

Subsequent chapters look at all of the principles in the context of cloud computing. The table below indicates their relative risk profile in relation to cloud computing. This does not imply that these risks would have the same ranking in other contexts. Principles 7 and 8 are considered first and in detail; the remaining principles are discussed in Chapter 6.

Principle

Risk rank

Comment

1. Fairness

2. Limited purposes

Low (Medium)

No different from in-house considerations unless cloud provider also captures personal data for own purposes

3. Adequacy

4. Accuracy

Medium

Minor implications if the design of the cloud application does not support good data quality

5. Retention

Low

No different from in-house considerations

6. Data subject rights

Medium

Possible minor implications for subject access

7. Security

Very high

Significant additional risks from cloud computing

8. Transfers abroad

High

Cloud applications may (without making this obvious) locate data outside ‘safe’ jurisdictions

Other relevant definitions

This publication is not a treatise on the Act as a whole. It may, however, be useful to clarify a few other relevant definitions from the Act.

Processing: This is defined very broadly, to include effectively any activity involving personal data. The Act defines processing as ‘obtaining, recording or holding’ the data, or ‘carrying out any operation [on it]’ including (but not limited to) ‘organisation’, ‘alteration’, ‘retrieval’, ‘consultation’, ‘use’, ‘disclosure’, ‘erasure’ and ‘destruction’. It is hard to see how a cloud application could operate without ‘processing’ data within the terms of the Act.

Personal data: Information in electronic form that relates in some way to a living individual who can be identified from the data (plus, if relevant, any other available information), falls clearly within the definition of personal data. Non-electronic data is obviously outside the scope of this publication.

Data subject: The individual about whom personal data is held, wherever they are located.

Sensitive personal data: Information about an individual’s racial or ethnic origin, political beliefs, religious beliefs, trade union membership, mental or physical health, sex life (including sexuality), offences, alleged offences and court appearances. This information requires special treatment – and often consent for its use. In terms of cloud computing, the loss or compromise of sensitive personal data would be a very serious matter.

Schedule 2 Conditions (at least one of which must be met)

1. The data subject has given his consent to the processing.

2. The processing is necessary –

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. The processing is necessary in order to protect the vital interests of the data subject.

5. The processing is necessary –

(a) for the administration of justice,

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.