The health sector handles substantial quantities of personal information, including information that is deemed to be “sensitive” under European data protection regimes. For that reason, health care providers sometimes question their ability to take advantage of increasingly popular e-health cloud services. While EU lawmakers are contemplating a “European Privacy Seal” – which could, if done properly, be useful for would-be cloud customers to assess the robustness of a cloud provider’s data protection measures – a leaked EU Council document revealed that discussions over the scheme are floundering. We therefore learnt with interest from our colleagues at the InsidePrivacy blog that the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) jointly adopted a new standard this summer governing the processing of personal data in the cloud — ISO/IEC 27018 (“ISO 27018”).
Existing information security standards such as ISO 27001 and ISO 27002 set out general information security principles (e.g., securing access, media handling, human resource security, etc.). ISO 27018 builds on these, but is the first privacy-specific international standard for the cloud. Broadly speaking, ISO 27018 seeks to address such issues as keeping customer information confidential and secure and preventing personal information from being processed for secondary purposes (e.g., advertising or data analytics) without the customer’s approval. ISO 27018 also responds directly to EU regulators’ calls for the introduction of an auditable compliance framework for cloud processors to increase trust in the online environment (see the European Commission’s 2012 Cloud Strategy here).
Inter alia, the standard requires cloud providers to:
- Process personal information only in accordance with the customer’s instructions;
- Only process personal information for marketing or advertising purposes with the customer’s express consent, which cannot be made a condition for receiving the service;
- Help customers comply when third parties assert their rights, under EU law, to access, correct and/or erase data stored about them in the cloud platform;
- Disclose information to third parties (including law enforcement authorities) only when legally bound to do so;
- Prior to entering into a cloud services contract, disclose the names of any sub-processors and the possible locations where personal information may be processed (either by the cloud provider or by any sub-processors they have engaged);
- Help cloud customers comply with their notification obligations in the event of a data breach;
- Implement a policy for the return, transfer or disposal of personal data, for instance when the service comes to an end;
- Subject their services to regular, independent security audits (or when significant changes to data security practices or policies occur); and
- Enter into confidentiality agreements with staff who have access to personal data, and provide appropriate staff training.
Significant cloud players have already announced their plans to certify their services. It remains to be seen if others will follow in their steps and whether ISO 27018 will become a true privacy differentiator in the cloud space.