The University has obligations to protect data under its control. This is especially, and legally, true for data that identifies and relates to living individuals.
The document provided in the toolkit, Cloud services and data protection law, outlines the University's legal obligations under the Data Protection Act if the data includes personal information about identifiable, living individuals. The key points from this document include:
The University remains the controller of, and therefore responsible for, personal data transferred to cloud service providers (which, in this context, are data processors).
The University as data controller must enter into a written contract with any cloud service provider. By contract the cloud service provider must agree to:
- act only on the instructions of the University in relation to personal data;
- comply with the obligations imposed on the University under the Data Protection Act to process personal data securely (the seventh principle).
The cloud service provider must not transfer personal data outside the European Economic Area (EEA) without the express permission of the University (which will only be granted once certain conditions are met). The US “Safe Harbor” provisions have been invalidated and may not be used as the basis for compliant data transfers.
The cloud service provider must restrict access to the data and must not disclose it to third parties without the written permission of the University.
The cloud service provider must inform the University of any incident that breaches its contract with the University.
Given that a failure to comply with the data protection obligations could result in a large fine (up to £500,000) and compensatory damages being awarded to individuals affected, the University will seek an appropriate acknowledgement of liability and an indemnity from the cloud service provider.
The University has defined a standard data processing clause for inclusion within written contracts where the cloud provider is processing personal data on behalf of the University. A copy of the standard clause is included within the Toolkit.
- Cloud services and data protection law
- Data protection: when can the University share personal data with a third party contractor? (PDF) - A flowchart