Chapter 2: The Data Controller/Data Processor Relationship – Data Protection and the Cloud: Are the risks too great?

CHAPTER 2: THE DATA CONTROLLER/DATA PROCESSOR RELATIONSHIP

Responsibility for compliance with the data protection principles and other aspects of the Act lies with the ‘Data Controller’.

The Data Controller is defined in the Act as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed”. ‘Person’ in this context very rarely means an individual (or ‘natural person’). Instead, in most cases the Data Controller will be an organisation, although individuals who are in business on their own account can also be Data Controllers. It is important to note that group-level responsibility for data protection compliance is not an option. Each legal entity – company, public body, institution, partnership, or even an unincorporated charity – carries its own separate responsibility.

The cloud provider in many cases will be a Data Processor. A Data Processor is defined as “any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller”. Bear in mind the definition of ‘processing’ discussed above, and it will be clear that almost every cloud provider could indeed be processing personal data in some way or another on behalf of the customer, and would therefore be a Data Processor.

Guidance2 issued by the Information Commissioner in May 2014, however, suggests that in some cases the cloud provider might exercise sufficient control over the ‘manner’ in which data is processed to become a Data Controller in its own right, and may even determine to some extent the ‘purposes’. One example in the guidance is where the cloud provider is processing payments on behalf of an online retailer. The Information Commissioner finds that in the example given, the payment company is a Data Controller because it (quoting from the guidance):

• “decides which information it needs from customers in order to process their payments correctly;

• exercises control over the other purposes the customer’s data is used for, for example direct marketing;

• has legal requirements of its own to meet, for example relating to the use and retention of payment card data; and

• has its own terms and conditions that apply directly to the retailer’s customers.”

Although it would ultimately be for the courts to determine whether a cloud provider was a Data Controller or a Data Processor, it is always useful to establish a common view between the customer and the cloud provider on what the relationship appears to be, as a basis for clarifying their respective responsibilities.

Where a Data Controller employs the services of a Data Processor, full responsibility for data protection compliance remains with the Data Controller. If data is lost in the cloud, or if security is breached, the Data Controller is responsible for any harm caused to the individuals whose data it caused to be placed in the cloud, and could be the subject of enforcement action taken by the Information Commissioner.

Data Controller/Data Processor contracts

The Act is quite specific in its approach to the relationship between the organisation that carries the responsibility – the Data Controller – and any organisation to which work is outsourced – the Data Processor.

The Act requires there to be a contract, ‘evidenced in writing’, between the Data Controller and the Data Processor, setting out the relationship and imposing security obligations on the Data Processor. The Data Controller is also given a specific responsibility to assess the adequacy of the Data Processor’s security, and take steps to verify it.

If there is any possibility, therefore, that the cloud provider is a Data Processor, it would be very unwise for the customer to proceed without a written contract that meets at least the minimum provisions in the Data Protection Act.

Where cloud services are provided on a bespoke basis, they may be the subject of contractual negotiations between the Data Controller and Data Processor. In such instances a contract can be drawn up that unequivocally meets the requirements of the Act.

However, in many cases – even for quite large business deals – the contract for cloud services is set out in non-negotiable terms and conditions, or with very little scope for variation. If the cloud provider doesn’t offer terms and conditions that meet the Act’s requirements, there is little that can be done to get them added in.

Ideally, a Data Processor contract should also provide indemnity for the Data Controller against any costs resulting from the Data Processor’s failure to deliver. This isn’t a legal requirement, but makes sound commercial sense. The standard terms and conditions for cloud services almost inevitably exclude any indemnity for a failure of the service, of course.

This does not mean, however, that the Data Controller should accept the Data Processor’s terms uncritically. They should be examined carefully to ensure that no unacceptable risks are being taken. If there are gaps, it may be necessary to consider additional measures that should be taken on the customer side to compensate for any deficiencies in the terms and conditions on offer from the supplier.

One particular concern should be the likelihood that the cloud provider will subcontract delivery of parts of its service. The customer must be able to rely on the whole chain providing the necessary quality of service. Some of these links may be outside the UK or, more pertinently, outside the European Economic Area, which brings additional data protection considerations.

The following provides a quick checklist for issues that a Data Processor contract (or terms and conditions) with a cloud provider should, ideally, address if the application makes, or could make, any use of personal data. Please note that the list is not intended to be a complete or accurate description of the provisions that should be in a contract between a Data Controller and a cloud-based Data Processor, and some of the points may not be relevant in every case.

 

1) Is it clear that the customer is a Data Controller and the cloud provider is a Data Processor?

2) Is it clear what processing the cloud provider is expected, or entitled, to carry out on the Data Controller’s data?

3) Is it explicit that all the customer’s data supplied is confidential (unless it is legitimately in the public domain), and that the cloud provider is not to misuse the data or disclose it without the Data Controller’s consent, or retain it after the contract ends or the Data Controller stops using the service?

4) Does the cloud provider have effective security (including technical measures, and measures to underwrite the probity of staff), and can the Data Controller audit this effectively?

7) Is there a requirement for the cloud provider to inform the Data Controller immediately of any security breach they become aware of (whether they caused it or not)?

8) Does the cloud provider indemnify the Data Controller for any costs incurred in putting right breaches of data protection brought about deliberately or negligently by the cloud provider (ideally including costs of reassuring affecting individuals, even if this is not legally required)?

9) Is the cloud provider required not to do anything that would put the Data Controller in breach of the Data Protection Act 1998?

10) Is the cloud provider required to promptly forward to the Data Controller all subject access requests and complaints about any of the processing that they may receive in error?

11) Is the cloud provider required not to process the data, or allow it to be processed, outside the European Economic Area (alternatively not to do so without the Data Controller’s prior consent)?

12) Is the cloud provider required not to subcontract any processing (alternatively not to do so without the Data Controller’s prior consent)?

 

2 Data controllers and data processors: what the difference is and what the governance implications are, available on the Information Commissioner’s website.