New ISO Standard for the Protection of Personal Data in the Cloud

Cloud computing is rapidly becoming an integral part of daily life.  However, cloud computing services can involve the collection, storage, processing and transmission of sensitive data across multiple jurisdictions and through numerous parties including sub-contractors.  As cloud computing moves beyond the hype to become a genuine business solution, the tension between the benefits and risks of the cloud becomes more acute.

The Hong Kong Government is keen to promote Hong Kong as an information and communications technology hub, citing Hong Kong’s mature IT infrastructure, high mobile internet penetration rate, free content transmission and proximity to Mainland China as providing a sound environment for the development of web-based businesses, such as cloud computing.  However, concerns about cloud security and privacy may be holding some companies back from adopting cloud computing services in Hong Kong.  Such fears are obviously not unique to Hong Kong; the European Commission noted in 2012 that data protection concerns were identified as one of the most serious barriers to cloud computing take up.  The Commission called for a wider use of standards, certification of cloud services and the endorsement of such certificates by regulatory authorities.

In response, in July 2014, the International Organisation for Standardisation (ISO) published ISO 27018 which establishes guidelines for cloud service providers for the protection of Personally Identifiable Information (PII).  The standard was developed in consultation with contributors from 14 countries and 5 international organisations and is the first privacy-specific international standard for the cloud.

Key Principles of ISO 27018

ISO 27018 is based on ISO 27001  (which is the existing best practice standard on information security management) but specifically addresses the risks to PII protection arising from the processing of PII by public cloud service providers.  Annex A to ISO 27018 provides a set of additional controls and guidance to address public cloud PII protection requirements in accordance with the 11 privacy principles set out in ISO/IEC 29100 which include:

• Consent and choice – Cloud service providers should make available tools to enable customers to comply with data access, data correction and data removal requirements;
• Purpose legitimacy and specification – Cloud service providers should only process PII in accordance with the customer’s instructions, should refrain from using customer data for its own purposes and may process PII for marketing or advertising purposes only with the customer’s express consent. Such consent should not be a condition for receiving the service;
• Data minimization – Temporary files and documents should be erased or destroyed within a specified, documented period and periodic checks should be conducted to ensure that unused temporary files above a certain age are deleted;
• Use, retention and disclosure limitation – Disclosure of PII to law enforcement authorities should only be made when there is a legal obligation to do so and, if permissible, cloud service providers should notify customers in advance of such disclosure.  Disclosures of PII to third parties should also be recorded, including what PII has been disclosed, to whom and at what time;
• Openess, transparency and notice – Cloud service providers should disclose to customers, prior to entering into a service contract, the identity of sub-contractors and possible locations where the PII may be processed;
• Accountability – Cloud service providers should promptly notify the relevant customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII;
• PII return, transfer or disposal – Cloud service providers should have a policy regarding the return, transfer or erasure of PII and should make this policy available to the customer;
• Information security – The controls include:
• Personnel under the cloud service provider’s control with access to PII should be subject to confidentiality obligations. 
• The creation of hard copy materials containing PII should be restricted and must be destroyed securely e.g. cross-cutting, shredding etc.
• There should be procedures to log any data restoration efforts.
• There should be protection for data on storage media leaving the cloud service provider’s premises including authorisation procedures and restricting access to authorised personnel only (e.g. by encryption).
• Portable physical media devices that do not permit encryption should not be used except where it is unavoidable and any such use should be documented.
• PII should be encrypted prior to transmission over public data-transmission networks.

Cloud service providers should subject their services to periodic independent information security reviews.

ISO 27018 does not replace applicable national legislation and regulations, but can assist by providing a common compliance framework for public cloud service providers, in particular those that operate in a multinational market.

The Office of the Government Chief Information Officer in Hong Kong has stated its commitment to promoting the development and adoption of international cloud standards and best practices in Hong Kong to stimulate the development of the cloud computing industry and facilitate cloud adoption by local enterprises.  The “Expert Group on Cloud Computing Services and Standards” has been established since 2012.  In April 2013 it published a “Security and Privacy Checklist for Cloud Service Providers in Handling Personal Identifiable Information in Cloud Platforms” which provides some high level guidance for cloud service providers to consider when implementing management, operational and technical measures:

http://www.infocloud.gov.hk/themes/ogcio/media/practiceguideindividual/Practice_Guide%282013-11%29_EN_new.pdf

The ISO 27018 standard has now created a more streamlined system for adhering to regulations set by data protection authorities around the world.  As cloud computing services mature, cloud service providers are becoming more competitive.  In the opening speech at the “BSI Information & Cloud Security Conference 2014” Daniel Lai, the Government Chief Information Officer, stated that there is a need for cloud service consumers to understand cloud computing and to evaluate different cloud service providers' offers, including information security and privacy protection offerings.  However, an average cloud service consumer may be confused about how to choose a trustworthy cloud service provider from the massive market players.

He noted that standards might be the key to this dilemma.  Through information and cloud security standards, security requirements and offerings of both cloud service consumers and providers are explicitly set out, which facilitates the alignment of security expectations and services of both parties.  He said that service providers acquiring security-related certifications can illustrate their credentials, instil confidence in potential customers, and demonstrate their capabilities to deliver trusted products and services.

Key Contacts

Catherine Zheng

Partner | Intellectual Property

Email or call +852 2825 9617

Charmaine Koo

Consultant | Intellectual Property

Email or call +852 2825 9300