If you are collecting, storing, processing or hosting data you must comply with the Data Protection Act 1998 (DPA). If you are collecting personal data, or instructing a third party to process data on your behalf, you are a data controller. If you are processing or storing data on behalf of a data controller, you are a data processor.
Appropriate Technical and Organisational Measures
Under the DPA a data controller is required to take “appropriate technical and organisational measures” to prevent the unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data. The data controller is required to include such obligations in a written agreement with the data processor.
For example, suppose you are providing a client with SaaS software which sends marketing emails to individuals on behalf of your client. You, the SaaS supplier, are a data processor and your client, the SaaS customer, is the data controller.
You must have a written contract with your client which states that:
- you may only process data in accordance with the client’s instructions; and
- you undertake to comply with the “technical and organisational measures” requirements of the DPA.
This written obligation can be included in the terms of the SaaS agreement, the service level agreement (SLA) or a separate data processing agreement.
In addition, last year the Information Commissioner’s Office (ICO) issued some guidance on cloud computing. Amongst other issues, this advised data controllers to ensure that personal data in transit is secure and protected from interception by:
- encrypting data in transit;
- using encryption that meets recognised industry standards; and
- obtaining assurances from data processors that data in transit is appropriately secure.
The ICO advised that data “at rest”, i.e. personal data which is stored, should also be encrypted, depending upon the nature of the personal data held (e.g. sensitive personal data) and the type of processing taking place.
Data controllers were advised to ensure that encryption keys are:
- kept up to date, in order to maintain the level of protection; and
- not lost, as this could render the data useless.
In light of this ICO guidance, clients are increasingly asking SaaS providers to include data encryption obligations in SaaS agreements.
For example, Google cloud services now:
- automatically encrypt all data before it is stored;
- regularly update keys;
- implement access controls; and
- permit auditing procedures.
In time this could become standard for all SaaS providers. In any event, if you outsource hosting and storage to a data centre, you may want to check whether it also offers this service, which Google provides to its cloud service customers at no additional cost.