Chapter 3: Security (Seventh Data Protection Principle) – Data Protection and the Cloud: Are the risks too great?

CHAPTER 3: SECURITY (SEVENTH DATA PROTECTION PRINCIPLE)

Security is one of the most important safeguards in preventing harm to individuals. The seventh principle says that you must take steps to prevent:

• Unauthorised access

• Accidental loss or damage.

These steps must be ‘technical and organisational’, and they must be ‘appropriate’ in terms of the technical options available, and also in terms of the harm that would result in the event of unauthorised access, or loss, or damage.

‘Organisational’ security measures should always include attention to human factors. In any security breach, at least part of the chain of causation is likely to be an individual taking, or failing to take, appropriate action. The Data Protection liability, however, rests with the organisation. Many of the Information Commissioner’s penalty notices highlight failures on the part of the organisation to provide sufficient guidance and training to the individual(s) who were the immediate or partial cause of the breach.

Confidentiality, integrity and availability

The requirements in the seventh principle to prevent unauthorised access, accidental loss or damage closely mirror the three standard aims of information security: confidentiality, integrity and availability.

Confidentiality is concerned with setting limits on who may have access to specified information, based on their need to know. A key feature of confidentiality in UK law is that it applies to information ‘given in confidence’. The individual(s) who are given access to the information must be left in no doubt that it is confidential. Any breach of confidentiality in respect of personal data is likely to be ‘unauthorised access’ which the seventh principle aims to prevent.

In maintaining confidentiality, it is unwise to rely on the probity, conscientiousness or common sense of all those who may handle or have access to data, even if they know the confidentiality boundaries. Technical security measures to prevent unauthorised access should therefore be concerned not merely to prevent deliberate external intrusion. They should also aim to limit access by authorised users to just that information they ‘need to know’. Segmentation of data supported by a robust system of access credentials is one of the key controls in this respect.

Data integrity implies that once data has been entered into the system, it should not be modified in an unintended or unauthorised way. This is related to the seventh principle’s requirement to prevent damage.

Availability relates to accidental loss. The concept, however, goes beyond the permanent non-availability that would result from loss of data, to include the requirement for the information to be available whenever it is needed.

Data in transit and at rest

Data ‘in transit’ is always more vulnerable than data ‘at rest’. It is inherent in cloud computing that data will spend more time in transit than it would if it were being processed on an in-house system. Processing personal data in the cloud therefore automatically exposes it to greater risks than it would face behind securely-run perimeter defences of an on-site installation.

That is not to say that the data faces no risks if held on site. It would still be vulnerable to misuse by authorised users, to loss or damage if the backup regime is inadequate, or to external intrusion. In some respects the cloud provider may actually offer greater protection against a backup failure or a poorly-implemented firewall.

However, a survey by BT in July 2014 found that a quarter of respondents who were using cloud services had suffered a data breach where the fault lay with the cloud provider.

There are also regular reports of large amounts of personal data being stolen from online locations. Websites are likely to be particularly vulnerable because, by their very nature, they are designed to have at least an element of public exposure. A website is often the gateway to a large online database of site users, and an integral part of an organisation’s relationship with its customers or service users.

Cloud applications that are not intended to be publicly accessible avoid one obvious avenue for compromise but are not immune from security risks. Intrusion is still a possibility. Technical problems could also cause a loss of integrity if an interruption occurs while data is in transit and the resulting loss or corruption of data is not detected and rectified.

Security in the cloud

Security has to run right the way through, from the device through which the user accesses the application, to the depths of the cloud provider’s system, and responsibility for security, end to end, lies with the Data Controller. Normally, as discussed above, the Data Controller is the customer, with the cloud provider acting as a Data Processor.

It is emphatically not enough for the Data Controller to make assumptions about the security measures that may, or may not, be taken by the cloud provider. One clear example of this is the case of the British Pregnancy Advisory Service (BPAS). In February 2014, BPAS was fined[3] £200,000 by the Information Commissioner after its website was hacked into. Highly confidential messages from about 9,700 people, sent via the website to BPAS, were stolen, a task made relatively easy by basic security weaknesses on the website. This exploit was intended to undermine BPAS, but could also have placed many of the individuals at considerable personal risk if, as was threatened, the messages had been made public by the hacker. In imposing the penalty, the Information Commissioner made it clear that it was the responsibility of BPAS to instruct the web designers and web hosts to implement adequate security, and to check that they did so, not just to rely on the assumption that it would be done.

The full monetary penalty notice can be found on the enforcement pages of the Information Commissioner’s website.

Additional risks from ‘Bring Your Own Device’ – or ‘Bring Your Own Application’

One of the clear benefits of cloud computing is the possibility of easy (and cheap) access from wherever there is an internet connection. This is often an ideal solution for mobile workers, remote offices and home working. However, users may find reasons for wanting to gain access from personal devices rather than company ones, and the number of devices capable of gaining access has increased rapidly. Desktop computers, laptops, tablets and smartphones all bring their own risks.

This is not the place to give a full description of the issues that need to be addressed in a Bring Your Own Device (BYOD) policy, but those particularly relevant to cloud computing include:

• Controlling access to the device

• Users other than the owner

• Vulnerabilities introduced by other applications on the device

• Opportunities to download data onto the device

• Action to be taken in the event that the device is compromised

• Use of insecure cloud applications to transfer data to or from the device.

Action that can be taken to mitigate each of these risks is discussed in the following chapter.

Even where the Data Controller officially makes no use of cloud applications, a BYOD policy must address the issue of whether the device owner is permitted to use personal cloud-based accounts to transfer data to and from the device, or to work on material that is held on the device. Personal accounts, especially if they can be signed up to at no charge, may well not provide the same levels of security or service availability that business-oriented and paid-for accounts offer. Surveys regularly suggest that this type of ‘shadow’ cloud use is widespread. Where the Data Controller has corporate accounts with more secure applications, these should be used in preference.

The experience of Aberdeen City Council is instructive. A social worker was permitted to work from home. She had attended a case conference and was typing up the report on her home computer. Apparently she was unaware that the folder in which she stored the document on her computer was set up to synchronise automatically with a cloud-based location. A colleague who had attended the same case conference happened to search for his name on the Web, only to find that the document appeared. There was no security in place to prevent anyone accessing this highly confidential material. The council received a monetary penalty of £100,000, even though neither the computer nor the cloud service was directly under their control. When their employee was authorised to work on confidential material at home, the council should have ensured that appropriate security was in place.


[3] This is a civil monetary penalty. The maximum that can be levied is £500,000 and the penalty can be appealed at tribunal.