Cloud Computing / July 2015
• Data users should find ways to verify the data protection and security commitments made by cloud providers. If data users are given the right to audit the operation of cloud providers, they will have first-hand knowledge of compliance. This is often not possible, and data users have to accept audit reports or even the claims of cloud providers; even so, data users still need to scrutinise the scope, relevance and applicability of such reports or claims.
IV. Service and deployment models
Cloud providers’ offerings include infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS)[5]. Data users who use the IaaS and PaaS models tend to retain control over their business model and the business tools they operate. Data users who use SaaS, however, have to use the software provided by the cloud providers as part of their business tools. Accordingly, data users may have to adjust their operations in order to use such software, or even rely on cloud providers to operate the software for them. As such, data users may have less direct control over the personal data they are responsible for. Data users who use SaaS need to quantify the risks associated with such an arrangement and mitigate them according to the circumstances.
Data users generally have a lot more control over dedicated private clouds than over shared public clouds[6]. As such, any data user looking into the use of shared public clouds should assess carefully the issues identified in sections I to III above and seek ways to address them.
Other Outsourcing Issues
Since engaging cloud providers can be considered one form of outsourcing arrangement, the following issues relating to outsourcing generally should also be addressed by the data user:
• Data users are ultimately responsible for the protection of the personal data collected and held by them. Outsourcing any processing or storage of personal data to third parties does not relieve data users of their legal responsibility for the protection of the personal data they collect and hold. Furthermore, it may be problematic if the cloud provider is able to unilaterally change the conditions of its agreement with data users to a lower protection standard or to limit its liability;
• Data users have obligations under the Ordinance that include enabling customers to access their personal data, request corrections, and resolve issues and complaints. Accordingly, a data user must ensure that its contract with the cloud provider allows the data user to meet these obligations;
• Data users should ensure that the contract with cloud providers contains a provision limiting the use of personal data (and any other personal data cloud providers may collect during the course of the contract) to a purpose which is the same as, or directly related to, the purpose of use at the time the data users collected the data;
• Data users should also ensure that the contract contains a provision setting out how personal data is to be erased or returned to data users upon data user request, contract completion or contract termination;
[5] Cloud providers offering IaaS or PaaS may be considered as contractors offering physical servers or servers with operating systems installed. Customers of both services will need to further install and manage applications to use the service. SaaS, on the other hand, includes functioning applications such as customer relationship management software, accounting software, etc.
[6] Private clouds are set up by cloud providers for the exclusive use of a single customer and are often owned and managed by that customer. Public clouds, on the other hand, are set up, owned and managed by cloud providers for shared use by the general public and businesses.