Cliffe Dekker Hofmeyr offers an appraisal of the Working Paper on Cloud Computing – Privacy and Data Issues, recently published by the International Working Group on Data Protection in Telecommunications. Although the guidelines detailed in the Working Paper are not mandatory, it appears that the intended approach to data protection in the cloud is one of uniformity, with a view to ultimately developing best-practice-based processing of personal information. It would be interesting to understand to what extent SA Trade Hub and Microsoft, in conjunction with the Customs of Namibia and Botswana, considered any such guideline in regard to their cloud computing initiative on the Trans-Kalahari Corridor.
The recommendations under the Working Paper highlight some of the risks and complexities associated with cloud computing. The overarching nature of the Working Paper will serve to ensure that there is no lowering of general data protection standards for processing personal data in the cloud. The Working Paper specifically advocates the following general recommendations:
- Carrying out privacy impact and risk assessments prior to embarking on cloud computing projects.
- Development of practices by cloud service providers to ensure greater transparency, security and accountability regarding information on potential data breaches; and also more balanced contractual clauses to promote data portability and data control by cloud users.
- Research, third-party certification, standardisation, privacy by design technologies and other related schemes in order to achieve a desired level of trust in cloud computing.
- Legislative reassessment of the adequacy of existing legal frameworks allowing cross-border transfer of personal information and consideration of additional privacy safeguards.
- Accounting for independent audit trails with regard to the location of the personal information.
- Continuity in the provision of information by data controllers to privacy and data protection authorities.
These recommendations are aligned to the general principles set out in the European Union and Safe Harbor data privacy frameworks.
The Working Paper also provides more specific recommendations on ‘best practice’, ‘controllers’, ‘cloud service providers’ and ‘auditing’. These specific recommendations contemplate the implementation of technical measures that can be used to determine the exact physical location where personal information is held and stored, with an audit trail specifying any copying and/or deletion of personal information. In addition, the Working Paper includes a suggestion for encryption of all personal information (both at rest and in transit) and also recommends the conclusion of agreements between data controllers and cloud service providers to expressly designate and limit the physical locations where personal information will be processed. The Working Paper specifically provides that the cloud service provider should not be entitled to use personal information in the cloud for its own purposes.
It is likely that significant steps will need to be taken by cloud service providers in order to comply with the recommendations under the Working Paper and/or applicable data protection laws, which may potentially require substantial financial resources, including for procuring and implementing the appropriate technology required to give effect to the recommendations and/or laws.
In the South African context, the principles under the current draft of the Protection of Personal Information Bill (PPI) (in particular, the provisions which relate to the conditions for lawful processing of personal information and transborder information flows) can be aligned to the recommendations under the Working Paper. The real test for cloud service providers and their customers will however be in the practical implementation of the principles under PPI. Many of the recommendations under the Working Paper will serve to provide guidance in this respect, particularly in the measures which need to be implemented to maintain a level of transparency in the supply chain of personal information in the cloud.
Source: www.cliffedekkerhofmeyr.com