Thursday, 10 November 2011

Clouds on the horizon

The Data Protection Act (DPA), in its current form, was made law in 1998. I didn't notice at the time. Well, that was the year The Good Will Out by Embrace was released, Peter Jackson was in charge of Town and I got my first email address, accessible through the green screen of, presumably, a UNIX operating system on a University network. Happy days.

Whilst I haven't listened to Embrace for ages, and even Peter Jackson's second stint as Town manager is years ago, the DPA is very much on my mind now. I like the DPA because, as one ICO rep said at a conference I went to, you can fit it on the back of a postcard. The EU may feel that the UK DPA is falling short, but I like the way the 8 principles can still ask tough questions of the current advances in technology.

With the advent of 'cloud computing', Data Protection is more relevant than ever. Though the way information is stored, shared and managed across the internet was unimaginable in 1998, I challenge anyone to argue that the first 7 of the 8 DP principles do not still apply to personal data held in the cloud. Whether my details are held by an organisation in a server room a mile away or a virtual server space on the other side of the world, I'd want them to be managed according to those 7 principles.

The 8th principle - Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data - is the crunch issue when it comes to cloud providers.

As information compliance officers we can often be cornered into a 'No, you can't do this' approach with the DPA, when the Act should be an enabler - i.e. how to do it safely and properly - rather than a barrier to technical change. With that in mind, I attended the 'Data Protection Jurisdiction in Cloud Computing and International Data Transfers' lecture at the Institute of Advanced Legal Studies last week. The QMUL 'Cloud Legal' project is looking in depth at the DP issues around cloud computing.

The main conclusions I drew from it were that EU Data Protection law provides no easy answers to the cloud at the moment. The predictable fact that law moves slower than technology, coupled with a range of DP attitudes to the cloud amongst member states, means that there is no definitive 'DPA stance' on cloud computing.

However, this does not stop the consideration of the first 7 principles with any moves we might make into the cloud. The lecturers stressed the importance of contractual negotiations with providers, and of transparency around what is effectively to be done with the data.

The move from the macro-approach ('all cloud is good/bad') to the micro ('how can this cloud provider enhance our services whilst managing our data effectively and efficiently') is crucial, especially as the instances of how cloud can work (user, integrator, solutions provider, provider, sub-provider, "lights out establishment") are so complex as to make any single position or stance problematic.

The US Patriot Act was mentioned, but whilst it is emblematic of EEA concerns around data, I think it is something of a red herring in this whole debate. After all, we'd be naive to assume that the Section 28 ('National Security') and Section 29 ('Crime and taxation') exemptions in the UK Act did not implicitly enable the sharing of personal data with non-EEA states anyway. And have you seen The Bourne Ultimatum? I didn't see much consideration of DPA exemptions when they were hacking into CCTV and phone lines!

1998 was such a long time ago and whilst technology changes, principles often last. In terms of the cloud and DPA, let's not fixate on the eighth and lose sight of the other seven.