EU data protection supervisor Peter Hustinx has warned that Cloud firms must avoid shirking their data protection responsibilities when providing services.

In an official opinion from the European Data Protection Supervisor (EDPS) office, Hustinx added that accountability is a cornerstone of data protection and the responsibilities of all parties involved in Cloud Computing must be clearly defined in law.

Hustinx made a series of specific recommendations, including:

  • Clarifying and providing further guidance on how to ensure the effectiveness of data protection measures in practice and the use of binding corporate rules
  • Developing best practices on issues such as controller/processor responsibility, retention of data in the Cloud environment, data portability and the exercise of data subjects’ rights
  • Developing standards and certification schemes that fully incorporate data protection criteria
  • Clearly defining the notion of transfer and the criteria under which access to data in the Cloud by law enforcement bodies outside the EEA countries could be allowed.

BASDA Cloud SIG chair, Ronald Duncan, pointed out that “BASDA lead the way in this area with the first Cloud Code of Practice (COP) which fully covers the data protection requirements. This is particularly important for public sector bodies following a £325,00 fine for an NHS Trust who outsourced their data destruction to a non-BASDA member – the data ended up on eBay. This was not an isolated incident as six NHS bodies have already received fines totaling £945,000. Thus any organisation purchasing cloud services needs to check if they are purchasing from a BASDA member so that they can be confident that their data is safe.”
