The ICO offers cloud guidance. Who knew?

Opinion Davey Winder Dec 7, 2012

The ICO's role in cloud protection has been widely shouted about - despite this, no-one seems to know

Who knew that the Information Commissioner's Office offers guidance on the cloud? Well, all Cloud Pro readers for a start.

After all, we have been covering it with some gusto, even the occasional bit of venom, since the ICO first started handing out advice about data protection in the cloud era.

However, things are never quite so straightforward, and new research has revealed that more than 40 percent of IT professionals had no idea that such guidance was available.

The research, conducted for CipherCloud, questioned some 300 senior IT professionals and, frankly, highlights a rather worrying if not altogether surprising lack of awareness of the ICO efforts. I say unsurprising, in spite of the coverage here and elsewhere within the media, as I was warning about how it missed the mark by a country mile a couple of months ago.

My exact words, which you can find here, were "among the items of genuine lunacy suggested is this gem. The ICO advises businesses that, in order to comply with the Data Protection Act (DPA), businesses should have a written contract with their cloud service provider (CSP) that prevents the terms of this 'partnership' from being altered without prior agreement; that way, any potential impact upon DPA provision can be cut off at the pass. Of course, that assumes your CSP caves in to such a contractually-binding agreement - which is about as likely as Jimmy Savile being canonised."

In that same column I concluded with a hope that "the ICO will release some revised advice soon, removing the fantasy contract spell casting approach, replacing it with a way to handle this monster". A hope, I should point out, that has not been realised.

It's not that the overall gist of the document is all bat-crap crazy - the idea that enterprises doing business in the cloud should be aware of possible penalties when it comes to data protection issues is, quite obviously, a good one. But the statistics revealed by this research suggest, equally obviously, that the ICO really isn't doing a good enough job in getting that message across.

Of course, part of the problem is an apathy on the part of IT professionals and business people alike when it comes to searching out such documents. The ICO has a role in ensuring that the message gets across, but business must also play a proactive part in hunting the advice down if it wants to be saved the fruitless embarrassment of claiming 'I knew nothing' when faced with a hefty fine.

Part of the problem, and quite possibly a bigger part, is that if the guidance document is considered to be a daft one in some aspects then word of mouth will never spread. At least not positive word of mouth. That, I suspect, is what has happened here.

Of those professionals who had heard of the ICO guidance, 15 percent claimed only to be 'somewhat aware' of their responsibilities towards compliance, 11 percent were aware but only partially compliant, 4 percent aware but unsure if they were compliant or not and only 27 percent aware and fully compliant. Those numbers should send shock waves through cloud-using businesses in the UK, and a rocket up the behind of whoever is responsible for writing the guidelines at the ICO.

Davey Winder

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.