Cloud storage and the protection of personal information is a
vexed and difficult issue. Under Australian privacy legislation, a
local entity that provides personal information to a storage
facility outside Australia may be exposed to liability if the
external storage provider breaches the Australian Privacy
Principles.
In 2012, the European Cloud Computing Society identified the
absence of an internationally accepted and robust framework for the
processing of personal data by cloud service providers as a
material barrier to the wider adoption of cloud computing. In
response to such concerns, the International Organization for
Standardization and the International Electrotechnical Commission
worked to create a cloud-specific, privacy-related international
standard that could be applied.
The result is ISO/IEC 27018:2014, which establishes commonly
accepted objectives, controls and guidelines for implementing
measures to protect personally identifiable information in
accordance with privacy principles.
Amongst other things, a provider of cloud services who wishes to
be certified under ISO/IEC 27018 must comply with the following
points and must also submit to auditing by an accredited
certification body:
Personal information must only be dealt with in accordance with the customer's instructions.
Redundancies must be built into the provider's systems to ensure that personal data is not processed otherwise than in accordance with the customer's instructions.
If subcontractors are to be utilised, details of such subcontractors must be provided and the location of the storage must be notified.
Unauthorised access must be notified.
Assistance must be given to customers in responding to access
Where personal data is available to law enforcement authorities, it will be provided only when legally compelled to do so and, where legally permissible, customers must be notified in advance of the disclosure.
Express consent is required for use of personal data for marketing or advertising. Consent cannot be made a condition of receiving the cloud services.
There must be a formal policy for return, transfer and deletion of personal data.
Where public data networks are utilised, security measures (predominantly encryption) must be implemented.
There are restrictions on the creation of hard copy materials relating to personal data, maintenance of logs and data
Certification under the Standard is relatively new, and it is not
clear how many cloud suppliers have sought or obtained
certification at this point.
Having said that, where cloud facilities are to be utilised for
personal information, looking for a cloud supplier certified under
ISO/IEC 27018:2014 may be a step towards ensuring greater
protection of personal data.
In Australia, you should ensure that any party to whom you
release personal information has agreed, in writing, to comply with
the Australian Privacy Principles. Failure to obtain such agreement
could put your company at risk.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.