Although the seventh and eighth data protection principles are those with the greatest relevance to cloud computing, it is worth looking briefly at the other six.
This principle, as well as making a general requirement of fairness, specifies that Data Subjects must have ready access to information about who is using their data and what for – the Transparency requirement – and that they must, in some cases, give consent for this.
There is also a requirement to indicate who – either in general or specifically – the data may be disclosed to or shared with. Transferring data to a cloud provider does not count as a disclosure, since the Data Controller takes full responsibility for restricting what the Data Processor may do with the data and for security. There is therefore no obligation to inform the Data Subject when a Data Processor is used.
The situation is different, however, in cases where the cloud provider is a Data Controller in their own right. This might occur, for example, where the cloud provider is dealing directly with the Data Subject through an ancillary activity – such as the situation with a payment processor described on page 22. In some cases the cloud provider may even reserve the right to use data about their customer’s Data Subjects for the cloud provider’s own purposes. In both these cases the Data Subject must be informed that their data will be shared with the secondary Data Controller.
In addition to providing information, the Data Controller must consider whether Data Subjects should be given a choice over the use of their data. In many cases choice is not appropriate, because of the sixth Schedule 2 Condition, ‘legitimate interests’ (see page 19). Where a choice is offered, it should be a genuine choice; there is rarely much benefit in placing mandatory consent – for example for a transfer abroad – deep in the terms and conditions to which a Data Subject has to agree. It is far better to provide the information clearly and indicate that the transfer will take place if the Data Subject goes ahead with whatever transaction is being provided.
This Principle has no specific implications for cloud computing.
The main concern with this Principle would be if a cloud application is designed in such a way that it requires the collection of more data than is required for the purpose, or does not permit the collection of sufficient data.
Where the Data Controller has complete control over the design of the application this should not arise, but there may be cases where, for cost reasons, an off-the-shelf application is preferred. It would not be acceptable from a data protection point of view to make use of a cloud application that was not flexible enough to match the data collected to the purpose of the application.
Again, the main concern with this Principle is likely to be the flexibility of the application. To take a simple and perhaps rare example, if an application were designed, or set up, to use only the American format for short dates (MM/DD/YY) instead of the European format (DD/MM/YY) it would be more than likely that a significant proportion of users from the UK would enter dates incorrectly.
It is increasingly difficult to ensure that data is erased entirely once there is no longer any necessity to retain it. Backup and archive copies may well exist, even when the live version of the data is deleted – especially when a cloud provider takes responsibility for backing up, and may also keep data at multiple locations to improve resilience. One of the drawbacks of cloud computing is that the Data Controller may often be unaware of where the data is physically held, or by whom. It is, nevertheless, the Data Controller’s responsibility to ensure that data is not retained longer than necessary, in relation to the purpose for which it is held.
Concerns about the proliferation and persistence of personal data are growing. The European Court of Justice (ECJ) ruling in May 2014 on what is erroneously referred to as the ‘right to be forgotten’ is just one indication of this development.
It is worth clarifying that the ECJ ruling did not create a right to be forgotten. It required Google to remove its links to data that was inaccurate, inadequate, irrelevant or excessive for the purposes for which Google itself was processing the data. (The third and fourth data protection principles can be clearly recognised in that list.) The information being linked to could remain on the public record where it had always been.
The proposed new European Regulation (see below) includes a version of the ‘right to be forgotten’ – the final extent of which remains to be seen. However, the immediate impact on most Data Controllers will be minimal. The only really surprising thing about the ECJ ruling is how emphatically it brings search engines within the rules of data protection. The rest of the decision was based firmly on Principles that had already been in force for nearly 15 years.
The key Data Subject rights protected by the sixth principle are:
• The right to prevent their data being used for direct marketing of any kind.
• The right of Subject Access.
• The right to have incorrect data corrected and excessive data removed.
It is worth looking briefly at the cloud computing implications of these rights.
When data on the same person is held in more than one place, synchronisation becomes an issue. A ‘no marketing’ flag in one system may not be implemented across the board. For example, individuals’ details may be held on a CRM system which is used for occasional mailings and for recording transactions, while email marketing is carried out through a cloud application. If someone uses the automatic ‘unsubscribe’ option in an email they may expect to receive no more contact from the organisation, only to find that some marketing is also being sent from the CRM system. Standalone cloud applications therefore pose the same issues as standalone systems on site, but the options for integration between systems may be limited, and may have to be carried out manually.
Data held in multiple systems also makes responding properly to a Subject Access Request more onerous. Unless the Data Subject explicitly limits their request, the Data Controller is obliged to provide a copy of all the data held on that individual (apart from any that may legitimately be redacted to protect third parties), regardless of where it is held.