The issue common to the majority of 'Cloud' services, especially those operated by companies outside the EU/EEA, seems to be an understanding - by both the service provider and service user - of where the data is being processed (e.g. stored) at any one time. This can be compounded by the service provider using third parties to host at least some of their services and data.
It can be further compounded by poor system design leading to insufficient resilience and backup/recovery [there have been numerous incidents reported where data has been lost, including by 'big name' companies].
Due diligence is required (per DPA Schedule 2, Part II, paragraph 11), but can be hard to accomplish, as many service providers appear to have (a) insufficient knowledge of data protection requirements, and (b) a financial model that permits of no time to support such activity.
Another area of concern revolves around contracts being of the 'click-through' type, permitting of no negotiation. I am presently working with a client lawyer who is trying to finalise a contract for supply of a service where the Cloud is a component. The service provider's (US) lawyer sees no reason to include clauses in satisfaction of Sch 2, Pt II, para 12.
Finally, many services are free or 'cheap as chips', meaning that they are within reach of departmental budgets (or are paid for on a corporate or personal payment card and claimed back as an expense). Without clear policy - and preventative/detective controls to back this up - individuals can quickly, easily, and cheaply put a Data Controller at severe risk.
M
Sent from my iPad
On 17 Jan 2013, at 05:32, "Dunster, Jon" wrote:
> Dear All,
>
> Anyone any comments on the DPA status of "Dropbox"?
>
> ... or compliant alternatives?
>
> Best wishes,
>
> Jon
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>