Onshoring public sector data

A majority of UK parliamentarians believe that UK public sector data should be securely processed in this country – what do councils need to consider when procuring data storage services?

The increase in data protection legislation and concern over data privacy means that public sector organisations are beginning to worry about where their data is being held.

This is not just a response to stories from whistleblowers.

National governments are aware that cloud has the ability to move data to countries outside their jurisdiction and where data protection laws are less stringent.

Such concerns have led to an explosion in data centre building and acquisitions of companies in Germany. Meanwhile in the UK parliamentarians have expressed concern over data offshoring.

As a result this is not longer just an IT matter or even a compliance issue. It has become a governance issue and with the EU General Data Protection Regulation (GDPR) due to come into force soon, the costs of getting it wrong rise are now an extinction issue for companies.

In a white paper (registration required) and YouTube video, Skyscape chief executive Simon Hansford asks government bodies if they have assessed all the risks in order to make an informed choice of cloud provider.

Of course, there is a clear promotional element here for Skyscape Cloud Service who are focused on selling to national and local government departments.

But what are the five points?

  • Breaching the UK Data Protection Act can lead to big fines and reputational damage. Make sure you know where your data will be processed and stored, and by whom.
  • You’re responsible for validating suppliers’ statements about security and understanding data jurisdiction. Take that responsibility seriously — interrogate your suppliers.
  • Safe Harbor isn’t really safe, and doesn’t exempt US companies from US law. Ask yourself who you’re contracting with, and whether UK or US law prevails.
  • Data disclosure is a global issue. If you contract with an overseas supplier, your data could be subject to foreign surveillance.
  • There’s a growing trend towards keeping data sovereign. Most parliamentarians Skyscape surveyed believe UK public sector data should be processed in the UK.

If you are looking at these and thinking you knew all those, the question is are you then applying them to your choice of cloud provider?

In the white paper, Skyscape gives much more detail on each point. Some things that you may not have known are:

  • There are eight principles on which the UK Data Protection Act 1988 is based. Of these, point eight says: Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
    Many companies looking for a cheap cloud deal often have no idea where the data is really located. In many cases, it is not until all the small print is read that it becomes clear that data is being backed up to a different country. The paper talks about the £500,000 maximum fine from the Information Commissioner should you in 2017 that fine will increase substantially.
  • If dealing with government data the changes to the Government Security Classifications Policy (GSCP) means the buyer now has to determine whether suppliers comply with the government’s 14 Cloud Security Principles. To complicate matters this is not just about directly contracted cloud services. Any third-party supplier that could be holding data needs to prove where they are storing and if they are holding data in the cloud the buyer has to ensure that this meets the 14 Cloud Security Principles.
  • The voluntary EU-US Safe Harbor agreement does not automatically mean that US companies are entitled to hold data. They must meet a set of criteria first and only due diligence rather than relying on a statement on a website can guarantee that. Over the last year there have been a number of cases brought against US companies, including one by the German data protection authorities, due to the failure of companies to adhere to the Safe Harbor agreements.
  • The fight between Microsoft and the US Courts over a subpoena requesting data from its Ireland data centre has been high profile news. What the white paper adds to this is numbers around both Microsoft and Google. For example between January and June 2014:
    • Microsoft received more than 34,000 law enforcement requests from over 68 countries seeking information about 58,000 accounts. It released data in response to over 75% of those requests.
    • Google received more than 31,000 law enforcement requests from over 68 countries relating to 48,000 accounts. It released data for around 65% of those requests.
  • Keep data sovereign. Skyscape Cloud Services issued the results of a poll of UK parliamentarians looking at attitudes to data location and jurisdiction. It found that the majority wanted UK public sector data securely processed inside the UK by security-cleared personnel.

At the Datacentre Dynamics (DCD) Converged conference held alongside CeBIT in Hannover this week, a panel discussion came to the conclusion that data sovereignty is likely to lead to the end of the mega data centre and the rise of lots of smaller but more expensive data centres. The result will be a gradual rise in the costs of cloud services.

The panel also said that one of the problems is that much of the data sovereignty discussion is led by rhetoric not by enacted laws and this was causing problems for many data centre owners.

At the end of the day it doesn’t matter if you are a small business, multinational enterprise or a government body.

Due diligence around cloud services is something that cannot be left to chance yet that is exactly what is happening.

Many council IT departments are discovering that the purchase of cloud services by business units who are not doing any due diligence is coming back to haunt them when they take over the contracts.

There is an ever-narrowing window before the GDPR comes into force for organisations to sort this out or face the consequences.

Colin Marrs

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *

Thank you! Your subscription has been confirmed. You'll hear from us soon.
Subscribe to our newsletter