Situation: Cloud computing
Appropriate Steps:
• conduct a privacy impact assessment before entrusting a cloud service provider to handle personal data that may be sensitive or confidential
• check with the cloud service providers the locations/jurisdictions where the data will be stored
• specify the jurisdictions where personal data will be stored so that data subjects can ascertain the level of privacy protection that the jurisdiction will offer and under what circumstances law enforcement agencies will be allowed access to the stored data
• check if the cloud service provider will subcontract the service to other contractors and find out whether the controls are comparable to the level imposed on the cloud service provider
• find out and/or specify the contractual remedies in the event of a data breach by the cloud service provider and its subcontractors
• ask the cloud service provider to provide a customised service with security measures commensurate with the sensitivity of the personal data entrusted
• find out if there are any independent reviews, audits and certifications to show the privacy compliance standard of the cloud service providers, and understand the scope and limitation of such reviews, audits and certifications
• impose a contractual duty on cloud service providers (and their subcontractors where applicable) to notify data users of any data breach
• impose a contractual duty on cloud service providers to erase personal data in a timely manner and/or return the personal data to the data users upon completion/termination of contract
3 “Cloud computing” is generally referred to as a pool of on-demand, shared and configurable computing resources that can be rapidly provided to customers with minimal management efforts or service provider interaction. The cost model is usually based on usage and rental, without any capital outlay.