< Back

Share |

Clouds on the move - the mobile workforce and hosted data services

April 2013

The increased use of personal smartphones and tablet devices by employees for work purposes has thrown a spotlight on the importance of safeguarding any work-related personal information available to these devices.

Much of this concern has focused on the enhanced storage capabilities of smart devices and the risks associated with personal information of the business being held on the device itself. These risks include the potential for unauthorised access to the information and have led to technologies enabling an employer to remotely wipe data in the event an employee's device is lost or stolen or when an employee leaves the business.

There are, however, equally important issues to consider where personal information is accessed by, rather than stored on, the device. This includes where the data is hosted in the cloud.

Use of free consumer cloud services

Back upIt is important that employees are prevented from backing up personal data of the business to non-corporate, cloud-based services. In the absence of a clear strategy to protect enterprise data handled by employees on their own devices, employees may be tempted to back-up this information to free services, such as Dropbox or Evernote, alongside their private data. In these cases the employer:

  • has no visibility as to where the data of the business may be held;
  • is unable to assess and fully understand the level of security in place at the service provider; and
  • is unable to secure the transmission of the data between the employee and the service provider.

Third-party hosted corporate services

Mobile device management and secure virtualisation models do not necessitate the need for corporate data to be backed-up to third party cloud services. Where, however, server solutions are hosted by a third party cloud provider as part of the ‘Bring Your Own Device' (BYOD) strategy of a business, then the employer must assess the risks carefully. Guidance on BYOD published by the Information Commissioner in March 2013, stresses that organisations remain legally responsible as data controllers under the Data Protection Act 1998, for personal data processed on their behalf and should:

"Use cloud based sharing and public back-up services which you have not fully assessed with extreme caution if at all".

In practice this note of caution means that a business must:

  • conduct thorough due diligence and only select a service provider offering sufficient guarantees of the security measures it has in place around the data;
  • ensure that the services are provided under a contract with the service provider under which it is obliged to:
    • do only what the data controller instructs it to do with the personal data; and
    • maintain appropriate organisational and technical security measures over the personal data.

The business must also take steps to ensure that the service provider complies with the security measures (such as through oversight and audit).

An assessment of the security measures in place to protect the data of the business may involve obtaining:

  • clear evidence of accreditation by the service provider to a recognised industry standard;
  • evidence of independent assessments of the standard of security measures implemented by the service provider (such as certification or audit by an independent technical expert);
  • comprehensive and binding guarantees by the service provider on the security standards to be applied; and
  • clarity as to the security around the access provided to this data from employees’ devices. This may include ensuring devices do not remain logged-on between access sessions and that there is appropriate authentication of user credentials, meaning that even if a device were lost or stolen, unauthorised access could not be gained to the hosted data.

KeyCloud hosted BYOD schemes will also necessitate transmissions of personal data between the device of the employee and the cloud host which can present security risks. These can include the interception of data in transit and data leakage arising from the use of unsecured Wi-Fi networks by employees on the move (such as a Wi-Fi network in a coffee shop). Employers should take steps to ensure transmissions of personal data are only via encrypted channels providing the maximum possible protection and that employees are given guidance on assessing the risks associated with the use of Wi-Fi networks when they are working outside the office.

International transfers

Use of cloud or hosted device management solutions may also involve transfers of personal data outside the European Economic Area. EU data protection law prevents such transfers unless:

  • the circumstances of the transfer mean the adequacy of the protection for individuals is provided for; or
  • one or more preconditions are met which allow the transfer to take place.

WorldBusinesses must identify the countries where the data is likely to be located, the circumstances when other transfers may be necessary to support the service (including the full details of any sub processors who may be involved) and understand all the safeguards that are in place.

Circumstances where adequacy of protection is considered to exist include, among other considerations, where:

  • the destination country for any transfer(s) has been determined by the European Commission to provide adequate protection for personal data transfers;
  • in the case of transfers to the USA, where a USA data host is certified under a regulatory framework known as 'Safe Harbor'; and
  • where contract clauses using European Commission approved model terms are put in place between a business and the overseas host(s) for the data.

Further information on determining the appropriate adequacy solution for international transfers can be found within the transfers topical issue on our Global Data Hub.

It is also worth bearing in mind that hosting data overseas may mean the data is at risk of access by any foreign law enforcement authority to which the overseas cloud provider is subject.

MalletOne way to avoid the legal prohibition on transfers of data or the risks associated with foreign enforcement authority requests for access to the data, is where the data is hosted within the EEA. In the case of European hosting it remains important that the service also relies upon local access to systems for maintenance support or any archiving or back-up of the hosted data. It is also important to note that data can remain within the reach of a foreign law enforcement authority if a European service host is the subsidiary of an overseas parent to whom a demand for access to data could be made.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Network

Vinod Bange

Sally Annereau

 


Vinod and Sally look at the data protection implications for BYOD strategies involving cloud hosted solutions and the transfer of personal data overseas.

"It is important that employees are prevented from backing up personal data of the business to non-corporate, cloud-based services."