Cloud Computing / July 2015
• Data users are recommended to impose, in their contracts with cloud providers, an obligation on the cloud providers to notify the data user of data breaches. Such mandatory notification by cloud providers facilitates timely handling of data breaches by data users, which includes taking speedy remedial action, maintaining business continuity, meeting legal obligations and managing customer and public relations. Data users should also ensure that this requirement is passed down to, and adhered to by, the cloud providers' contractors and sub-contractors, where applicable;
• Data users must ensure that there is sufficiently clear and comprehensible notification to customers in their
personal information collection statement and/or privacy policy statement that personal data processing
may be outsourced to a cloud provider, that their personal data may be stored or processed in another
jurisdiction, and that it may be accessible to law enforcement and national security authorities of that
jurisdiction;
• Data users are expected to maintain the same level of protection of personal data irrespective of whether the personal data is managed/held by them or by a cloud provider. Where data users may not have direct oversight over all the controls necessary for the protection of personal data, they should seriously consider implementing an end-to-end, comprehensive and properly managed encryption system [7] for the transmission and storage of personal data.
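The end-to-end encryption the bullet above recommends, shown as an added example that is not part of this leaflet: the data user generates and keeps the key, encrypts each record before it is transmitted, and the cloud provider stores only ciphertext it cannot decrypt. The example is written in Go using the standard library's AES-GCM; the record identifiers, the in-memory key and the map standing in for provider storage are assumptions for illustration (a real deployment would keep the key in the data user's own key management system or HSM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is the only thing handed to the cloud provider: a random nonce plus
// the AES-GCM ciphertext (which carries its own authentication tag).
// No key ever leaves the data user's environment.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey generates a 256-bit AES key held by the data user only.
// Assumption for illustration: the key lives in memory rather than in a KMS/HSM.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before transmission. The record ID is bound as
// associated data, so a blob copied under another record's ID will not open.
func Seal(key []byte, recordID string, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Blob{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a blob fetched back from the provider and verifies its tag.
func Open(key []byte, recordID string, b Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(recordID))
}

// CloudStore stands in for the provider's object storage: it sees blobs only.
type CloudStore map[string]Blob

// RoundTrip stores a record at the provider and reads it back (the happy path).
func RoundTrip(key []byte, store CloudStore, recordID string, plaintext []byte) ([]byte, error) {
	blob, err := Seal(key, recordID, plaintext)
	if err != nil {
		return nil, err
	}
	store[recordID] = blob
	return Open(key, recordID, store[recordID])
}

// ProviderCanRead models the provider (or anyone who obtains its storage)
// trying to read a record without the data user's key: it has to guess one.
// It returns true only if decryption with its own key succeeds.
func ProviderCanRead(store CloudStore, recordID string) bool {
	guess := make([]byte, 32) // the provider does not hold the real key
	_, err := Open(guess, recordID, store[recordID])
	return err == nil
}

// TamperDetected flips one ciphertext byte at the provider and reports whether
// the data user's Open rejects the modified blob (GCM's tag check should fail).
func TamperDetected(key []byte, store CloudStore, recordID string) bool {
	b := store[recordID]
	tampered := Blob{Nonce: b.Nonce, Ciphertext: append([]byte(nil), b.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, err := Open(key, recordID, tampered)
	return err != nil
}

func main() {
	key, _ := NewDataKey()
	store := CloudStore{}
	// Constructed sample record for the demonstration; not real personal data.
	pt, _ := RoundTrip(key, store, "customer/0001", []byte("name=A. Chan; id=REDACTED"))
	fmt.Printf("recovered: %s\n", pt)
	fmt.Println("provider can read:", ProviderCanRead(store, "customer/0001"))
	fmt.Println("tamper detected:", TamperDetected(key, store, "customer/0001"))
}
```

The point of binding the record ID as associated data is that "comprehensive and properly managed" covers more than confidentiality: a provider-side copy of one customer's blob placed under another customer's ID, or a modified ciphertext, is rejected on read rather than silently accepted. Key rotation, backup of the key material and revoking access when a contract ends remain the data user's responsibility, which is exactly why the leaflet ties this recommendation to situations where the data user lacks oversight of the provider's controls.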
The ISO Standard
The International Organization for Standardization (ISO) released "ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors" ("the ISO 27018 standard") in August 2014 [8].
The ISO 27018 standard covers the general principles and concerns regarding personal data privacy protection. It provides specific guidance for cloud providers in the 14 security control categories [9] defined under the widely adopted IT security standard ISO 27002 Code of practice for information security controls, as well as the 11 privacy principles [10] described under the ISO 29100 Privacy framework [11].
It is beyond the scope of this leaflet to provide details of the ISO 27018 standard. Interested readers should study
the standard themselves. Suffice it to say that data users must understand the limits of applicability of the ISO
27018 standard when engaging cloud providers who claim to be compliant with this standard.
While the ISO 27018 standard addresses the concerns identified in this leaflet, engaging an ISO 27018 compliant or certified cloud provider does not by itself assure a data user of compliance with the Ordinance. This is because, in some areas, the ISO 27018 standard specifies only which issues need to be addressed, not how they should be resolved; the data user remains responsible for checking that the provider's actual measures meet its own obligations.
It will take time for this new standard to be properly understood and widely applied. However, it does provide a comprehensive reference that helps data users select cloud providers.
[7] End-to-end encryption refers to an encryption system in which only the data user (and not the cloud provider) holds the keys needed to decrypt and read the data.
[8] www.iso.org/iso/catalogue_detail?csnumber=61498
[9] Namely 1. Information security policies, 2. Organization of information security, 3. Human resource security, 4. Asset management, 5. Access control, 6. Cryptography, 7. Physical and environmental security, 8. Operations security, 9. Communications security, 10. System acquisition, development and maintenance, 11. Supplier relationships, 12. Information security incident management, 13. Information security aspects of business continuity management and 14. Compliance.
[10] Namely 1. Consent and choice, 2. Purpose legitimacy and specification, 3. Collection limitation, 4. Data minimization, 5. Use, retention and disclosure limitation, 6. Accuracy and quality, 7. Openness, transparency and notice, 8. Individual participation and access, 9. Accountability, 10. Information security and 11. Privacy compliance.
[11] www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45123