Guidance for Organisations Engaging Cloud Service Providers

There are an increasing number of services offering ‘cloud storage’, allowing documents, photos, videos, and other files be uploaded to and stored on a remote server, to enable sharing or remote access, or to act as a backup copy. The use of any cloud services as part of their business is an important area in which organisations need to ensure there is adequate security for the personal data they process.

A data controller must remain in control of the personal data it collects when it subcontracts the processing to a cloud provider. A key element of control is to ensure the security of the data. Controllers (both clients and cloud service providers) also need to be transparent about the processing of personal data. Important for both control and security is the location of the data. A related issue is also the requirement for a written contract. This guidance is aimed at helping controllers ensure that they meet each of these obligations when utilising cloud services.

Guidance for Organisations Engaging Cloud Service Providers - Full Guidance Note