Cloud services and the Personal Data Act
Increasing numbers of municipalities, authorities and businesses are considering the use of so-called cloud services. In a cloud service, resources such as data processing, computing power, storage and applications are provided by a supplier as a service over the Internet.
Whoever uses a cloud service to store personal data, for example a payroll register, gives up direct control over where and how that personal data is stored. In addition, cloud providers often work from standard agreements, i.e. pre-determined terms of use, and engage sub-contractors of their own. Anyone considering the use of a cloud service in their operations must therefore be aware of the requirements that the Personal Data Act imposes.
Whoever engages a cloud provider is always the controller of personal data
Whoever uses a cloud service to process personal data is the controller of that personal data, even if the actual processing is carried out by the cloud service provider or its sub-contractors. The cloud service provider, and every sub-contractor it engages for the processing, are the controller's personal data processors. It is the controller who must ensure that the processing complies with the Personal Data Act and with other legislation, such as agency-specific registry statutes and the Public Access to Information and Secrecy Act.
This is what the controller of personal data must do
Before a cloud service is taken into use, the controller of personal data must assess whether the processing that the cloud service provider is to carry out is permitted under the Personal Data Act.
Under the Personal Data Act, a personal data processor may only process personal data in accordance with the controller's instructions. Normally the controller draws up these instructions itself. When engaging a cloud service provider, however, the controller is often referred instead to the terms of the provider's standard agreement. In that case the controller must examine the agreement terms and guidelines offered by the provider and make its assessment on the basis of these. The assessment must be made against the provisions of the Personal Data Act and the conclusions of the controller's own risk and impact assessment. The controller of personal data must, for example:
- assess whether there is a risk that the personal data may be processed for purposes other than the original ones
- assess whether the cloud service provider may disclose personal data to a so-called third country, i.e. a country outside the EU/EEA, and if so whether the Personal Data Act permits that transfer
- assess which security measures must be taken to protect the personal data being processed
- ensure that a processor agreement is concluded with the cloud provider, and
- consider other legislation, such as confidentiality legislation.
Risk and impact assessment
The controller of personal data must carry out a risk and impact assessment in order to determine whether the cloud service provider can be engaged to process the personal data in question, what security level is appropriate and which measures must be taken. The greater the privacy risks a given processing involves, the stricter the requirements for security measures. The privacy risks of a given processing depend, for example, on the number of persons the data relates to, the volume of information processed about each person and the sensitivity of the personal data. The degree to which the personal data can be structured, and thereby searched and compiled, is also relevant. Measures should be considered with regard to, for example, authentication and access control, authorisation, communication security, routines for handling back-up copies and the secure deletion of data, and protection against unauthorised access and malicious software.
When sensitive personal data (for example information about health), information about criminal offences or secrecy-protected information is processed, the Swedish Data Inspection Board requires, among other things, that strong authentication is used when data is transferred over an open network and that the data is protected by encryption. For such information the access control requirement often means that the controller must not only check access when there is a specific reason to do so, but also regularly and systematically follow up who has accessed which information. In practice this presupposes that the cloud service logs access to the data and that the controller can actually obtain and review those logs.
There are several established methods for risk and impact assessment. One is to use a checklist, for example the one produced by the EU's network and information security agency ENISA, Cloud Computing: Information Assurance Framework. The drawbacks of a checklist are that it is not always suited to the particular cloud service you intend to use, and that there is a risk of working mechanically through the list rather than thinking for yourself and genuinely analysing the result.
Processor agreements with the cloud provider
The controller of personal data must, as a rule, ensure that a personal data processor agreement is in place that meets the requirements of the Personal Data Act.
A processor agreement can be established either by signing an agreement with each company that handles personal data on behalf of the controller, or by giving one company a mandate, through the agreement, to conclude agreements with sub-contractors. If such a mandate is given, the agreement must state that each sub-contractor has the same obligations as the processor with which the controller has concluded the agreement.
The terms of the processor agreement must be clearly distinguishable from the other terms that apply between the parties, and the processor must not be able to change them unilaterally. The requirement for a processor agreement also means, among other things, the following:
The processor agreement shall
- prescribe that the processor is obliged to apply Swedish legislation in its processing of the personal data
- prescribe that the processor is obliged to take appropriate security measures in accordance with section 31 of the Personal Data Act
- prescribe that the processor may only process personal data in accordance with the controller's instructions, and thereby ensure that the processor does not process the data for purposes other than those for which it was engaged
- ensure that the controller knows which other processors may come to process the controller's personal data
- ensure that the controller is able, in an appropriate manner, to follow up that the processor meets the controller's requirements for the processing and actually takes appropriate security measures
- ensure that there are technical and practical means of investigating suspicions that someone working for the controller or for a personal data processor has had unauthorised access to personal data, and
- ensure that the parties know which measures are to be taken when the agreement ends, so that the personal data processor no longer has access to the personal data thereafter.
There may be exceptions from the requirement for a processor agreement where such an agreement would add nothing in terms of privacy protection. One example is where the processor only stores material that is identical to material lawfully published on the Internet.
Checking the processor
The controller of personal data must be able to satisfy itself that every personal data processor actually takes the required security measures. The more sensitive the information processed, the greater the need to check the processors. In a cloud service the data is often handled by several processors, each of which also processes personal data on behalf of many other controllers. Cloud providers may also move information not only between different sub-providers but also between different countries. It can therefore be difficult to meet the requirements for checking processors when sensitive personal data is processed.
If personal data comes to be processed by processors in a country outside the EU/EEA, the controller must ensure that one of the exemptions from the prohibition on transfer to a third country applies, for example consent, standard contractual clauses or the provider's self-certification under the Privacy Shield framework. (Note that the Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020, in the Schrems II judgment, and can no longer be relied upon; only the remaining exemptions are available today.)