How Does Security & Privacy Concern Cloud Service Providers?


In the cloud service business, protection of customer data and privacy is a critical function and has increasingly become a key determinant of business success.  Cloud service providers that demonstrate an ability to protect the PII entrusted to them can gain the trust and confidence from their customers.  Failure to do so can lead to an erosion of customer loyalty, negative publicity, loss of potential business and legal proceedings.

 

What Cloud Service Providers should be aware of?

 

Cloud service providers should take practicable steps to ensure PII entrusted to them remains at all times protected against unauthorised or accidental access, alteration, processing, erasure or other use.  In many cases, protection of PII is similar to protection of other data and includes protecting the confidentiality, integrity, and availability of the information.  A checklist recommending the best practices for protecting PII in cloud platforms is provided for reference by cloud service providers, based on their roles as data processors and data users respectively.  The checklist is by no means exhaustive.  Cloud service providers should always examine their own risk profile and implement the most appropriate security measures.

 

Practical Guide on PD(P)O

 

For more detailed guidelines in handling personal data, cloud service providers can make reference to the publication titled "A Practical Guide for IT Managers and Professionals on the Personal Data (Privacy) Ordinance"[1] published by the Hong Kong Computer Society.

 

Introduction to the Checklist

 

Cloud computing brings changes to the role and responsibilities on data governance when the data processing facilities are no longer fully owned by the data user.  This checklist focuses on protection of personal identifiable information (PII) when processing PII on a cloud platform.

Using a cloud computing platform and service does not transfer the data protection responsibility to a cloud service provider. When PII data is collected, the collector is in control of the lifecycle of the PII data and responsible for meeting the obligations defined in the Personal Data (Privacy) Ordinance.

 

Terminology

 

The terminology adopted in this checklist aligns with the Personal Data (Privacy) Ordinance.

Term Definition Example*
Data Subject Refers to a living individual, whose personal data is being processed. The credit card applicant is the data subject.
Data User Refers to the entity which owns the data collected from the Data Subject.  This entity is responsible for the protection of the collected data throughout its entire data lifecycle. The credit card issuing bank is the data user. 
Data Processor Refers to the entity which provides services or products to Data User when, collecting, processing or storing PII. The data centre operator selected by the card issuing bank is the data processor.


* Using credit card application process as an example

 

 

[1] Refer http://www.hkcs.org.hk/en_hk/home/publication/PDPO/ on the guide "A Practical Guide for IT Managers and Professionals on the Personal Data (Privacy) Ordinance" published by Hong Kong Computer Society

 

 

 

Back Top