To all my readers, thank you and goodbye. This blog is now an ex-blog.
On 7 July 2016, the UK’s Financial Conduct Authority (FCA) issued finalised guidance on authorised UK financial institutions’ use of cloud services. In marked contrast to some other jurisdictions’ approach, this guidance is issued against the policy backdrop of the FCA’s ‘Project Innovate’, an initiative to foster innovation and competition. The FCA say:
Regular readers of this blog will know we have been tracking the impact of ISO/IEC 27018:2014 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018). We see this as the go-to standard for customers of public cloud computing services. In a significant move, the Hong Kong Privacy Commissioner for Personal Data (Privacy Commissioner) has recently recognised the value of ISO/IEC 27018 in its revised Cloud Computing Information Leaflet (Information Leaflet).
The Information Leaflet is a helpful piece of guidance which sets out the practical steps cloud customers should take to ensure they comply with the Hong Kong privacy laws when using cloud computing services. In the leaflet the Privacy Commissioner recognises ISO/IEC 27018 as “a comprehensive reference that has met the need to assist the selection of cloud providers by data users”.
Recap on ISO/IEC 27018
We previously covered the publication ISO/IEC 27018, and also discussed how ISO/IEC 27018 would be a useful tool for customers looking to ensure compliance with privacy laws in Singapore and other countries.
We predicted regulators would begin to recognise and refer to ISO/IEC 27018 in setting privacy standards for customers of cloud computing services. Hong Kong provides the most recent example of this. We also predicted the adoption of ISO/IEC 27018 by market-leading cloud service providers (CSPs).
Why Hong Kong and its Privacy Commissioner matter
Hong Kong was one of the early adopters of privacy laws in Asia, and has an established and well-respected privacy regime. Its Personal Data (Privacy) Ordinance (PDPO) has been in force since December 1996 and the independent Privacy Commissioner has played an active role in promoting and maintaining high privacy standards since then.
It is very significant that the Privacy Commissioner in Hong Kong has recognised the benefits of ISO/IEC 27018 in its Information Leaflet. This endorsement sets the stage for wider recognition of ISO/IEC 27018 as the go-to international standard for protecting personal information in the cloud.
When regulators accept ISO/IEC 27018 as the global gold standard for CSPs, this makes the lives of customers, CSPs and regulators easier. It is easier for customers and CSPs to ensure compliance with one international standard that facilitates compliance with most national-level privacy laws, rather than starting with each of the national-level privacy laws.
Does ISO/IEC 27018 help customers in Hong Kong?
Hong Kong’s privacy laws, set out in the PDPO, place obligations on organisations in relation to the collection, processing, use and deletion of data. Organisations that wish to use cloud computing services need to assess how they can implement such services and continue to comply with the PDPO, and in particular, its six data protection principles.
The revised Information Leaflet alerts customers to their obligations under the PDPO and highlights three overarching points cloud customers should have in mind when choosing a CSP. These points are:
It is helpful then to note that the controls introduced by ISO/IEC 27018 help customers to address these points. Taking each in turn:
In summary: Hong Kong’s privacy laws impose a range of obligations on customers, some of which apply to the customer’s use of cloud computing services. ISO/IEC 27018 is a helpful tool for customers to rely on to meet those obligations. If a customer’s CSP commits to comply with ISO/IEC 27018, this should reassure the customer that the CSP’s solution will help the customer to comply with the relevant obligations under Hong Kong’s privacy laws.
The recognition of ISO/IEC 27018 by the Hong Kong regulator shows that the standard is a robust tool, capable of addressing important questions customers will have to consider when choosing a CSP.
Hong Kong now joins privacy regulators in Australia, Belgium, Canada, Germany and Slovenia (among others) who have all recognised the benefit ISO/IEC 27018 offers as a global standard for CSPs. We anticipate that more CSPs will commit to ISO/IEC 27018 and also that more customers will look for CSPs that commit to the standard (e.g. by adding a requirement in their RFPs for CSPs to be compliant with ISO/IEC 27018).
On 3rd March 2015, Korea passed the world’s first cloud-specific law, with the stated aim of driving the adoption of cloud computing in Korea. But what are the practical implications for cloud customers and cloud services providers in Korea?
This guest post is written by Daniel Jung and @matthew1hunter.
When does the Korean Cloud Act come into force?
On 3 March 2015, the Korean National Assembly passed the Act on the Development of Cloud Computing and Protection of Users (Korean Cloud Act). The bill has been under consideration since October 2013. The final version of the Korean Cloud Act is available here (currently only available in Korean).
The Korean Cloud Act comes into force on 28th September 2015. Before the Korean Cloud Act comes into force, the Ministry of Science, ICT and Future Planning (Ministry) will establish additional rules for cloud services (as explained below).
What will the Korean Cloud Act do?
The good news for cloud customers and cloud services providers alike is that the Cloud Act aims to promote the cloud market in Korea.
The Korean government sees the cloud computing market as a vital industry for future IT development and intends to build a solid foundation to raise Korea’s global competitiveness in the industry.
The Korean Cloud Act aims to do this by:
Taking these three points in turn:
1. Korea is going to invest time and effort in enhancing the cloud market.
The Korean government is keen to boost its investment in the cloud market. In this respect, under the Korean Cloud Act, the Ministry is to establish plans (and update them every three years) to enhance the cloud market. This will include: setting out plans for the development of the cloud computing market; cloud computing related research and expert training; financial and other support for local SMEs providing cloud services and ancillary services, establishing pilot projects, tax incentives and collaboration with other countries.
2. Public institutions in Korea can and should use cloud services.
The Korean Cloud Act encourages public institutions to implement cloud services as a priority, in order to benefit from cost efficiency, improved productivity and industrial competitiveness. To support this encouragement, the Korean Cloud Act expressly permits the use of cloud services by public institutions.
3. The bar for protecting customers’ information has been raised – and cloud customers should expect their CSPs to comply.
Security and privacy issues have always been perceived as being the main roadblocks to the use of cloud services. To address this the Korean Cloud Act imposes certain obligations on CSPs to try to remove the roadblocks and drive the use of cloud services in a way that addresses security and privacy concerns. In practical terms, CSPs have some new obligations to comply with, and cloud customers will want to look for CSPs who can meet these requirements. In particular, CSPs should note the following important points (and consider their compliance levels):
The Korean Cloud Act has teeth
Any person who uses or discloses a customer’s information to a third party without consent shall be punished by imprisonment for not more than 5 years or with a fine not exceeding KRW 50 million (about USD 46,500). Slightly reduced levels of fines will apply to breaches of the other obligations listed above.
Areas not currently addressed by the Korean Cloud Act
The Korean Cloud Act doesn’t deal with data classification. One of the perceived hurdles, in particular for public institutions, to using cloud services, is the ability to determine what categories of data can be hosted by CSPs. There are different ways of categorizing data and clear guidelines on the subject help to overcome this hurdle. This is an area that may be considered in the future. Nonetheless, the clear endorsement of cloud services in the Korean Cloud Act will likely be sufficient evidence for most that the Ministry considers that cloud is appropriate for the vast majority of data held by public institutions.
The Korean Cloud Act doesn’t address the limits imposed by other (quite strict) regulations in Korea. For example, the financial services sector is subject to strict regulations that are potentially delaying the adoption of cloud services in the sector. CSPs and cloud customers alike will be hoping that this clear endorsement of cloud will drive regulatory change in other sectors.
The Korean Cloud Act states that the Personal Information Protection Act (PIPA) will continue to apply in regard to personal data. However, as the Ministry develops further plans and regulations, the obligations in the Cloud Act will sit alongside those in the PIPA and will likely add a layer of additional requirements (although the focus of these additional obligations will be CSPs).
The Korean Cloud Act doesn’t, as yet, point to any particular international standards. In other countries, authorities point to international standards (e.g. ISO/IEC 27001 and ISO/IEC 27018) as appropriate measures for assessing CSPs, i.e. does the CSP comply with these standards? It’s interesting to note that the controls in the new international standard for public cloud services, ISO/IEC 27018, appear to meet many of the new requirements included in the Cloud Act (and go further than many of them), so CSPs who comply with ISO/IEC 27018 should have no trouble complying with the new Cloud Act requirements.
CSPs should consider their levels of compliance and cloud customers in Korea should, as a matter of good practice whenever they procure or use cloud services, ask their CSP how their solution complies with the Korean Cloud Act. Reputable CSPs should have no problems providing a satisfactory response to customer questions about the Korean Cloud Act.
In addition, CSPs and customers alike should wait for further updates from the Ministry on the plans to support the cloud market and the plans for further obligations/requirements in relation to cloud services.
Since its release in August 2014, ISO 27018 is becoming well established as the “go to” standard to help cloud customers to comply with their privacy obligations when using public cloud services. Privacy regulators recognise and refer to the new standard. Cloud customers are using it in their RFP requirements and in their assessments of CSPs. And CSPs themselves can and should adopt and commit to the new standard.
A guest post by Matthew Hunter (@matthew1hunter) and Daniel Jung.
We reported last year about the publication of this new standard: “ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO 27018”).
In a subsequent post, we discussed how ISO 27018 helps cloud customers in Singapore to comply with Singapore’s Personal Data Protection Act (PDPA). We concluded that if a cloud customer engages a cloud services provider (CSP) that complies with ISO 27018 (e.g. adopts and contractually commits to ISO 27018), then the cloud customer can be confident that the CSP’s solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to its use of cloud services. We carried out the same research for other countries and the same conclusion applies: cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in Australia, Hong Kong, Japan, Korea, Malaysia, New Zealand and European countries, including France, Germany, Spain and the UK.
In this post we will look at the latest developments in the market in relation to ISO 27018 and at how ISO 27018 is becoming the “go to” standard to help cloud customers to comply with their privacy obligations. We will also provide pointers for cloud customers, CSPs and regulators on how to benefit from ISO 27018.
The latest ISO 27018 developments
Since August 2014, we have seen regulators around the world recognise and refer to ISO 27018 (and this should come as no surprise, as regulators often refer to ISO standards, e.g. ISO 27001).
These regulators and others are continuing to consider the use of ISO 27018. The Belgian authority is also working on an analysis of ISO 27018 to be included in a global recommendation to customers using cloud. The PDPC in Singapore is also considering the use of ISO 27018.
Customers in the public and the private sector are looking at including ISO 27018 in their RFP requirements and in their procurement contracts, in the same way they have done with other ISO standards. These are the kinds of discussions we have been having with, and recommendations we are making to, our clients.
Cloud customers have been, in the past, slow to adopt cloud services. In part, this has been because of regulatory concerns. But ISO 27018 has provided cloud customers with a convenient solution to address privacy regulations when using public cloud services. We have seen that cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in many jurisdictions.
Cloud services providers
CSPs can now adopt and commit to ISO 27018.
Earlier this year Microsoft, one of the leading CSPs in the market, became the first CSP to adopt and commit to ISO 27018. An independent audit confirmed its services incorporate all of the ISO 27018 controls and the ISO 27018 controls will become part of Microsoft’s contractual commitment to its customers. We expect to see other CSPs follow suit.
No standalone certification is available as yet for ISO 27018. However, compliance with ISO 27018 is demonstrated through an ISO 27001 certification that incorporates all of the controls from ISO 27018. By going through this kind of assessment process, CSPs (and ultimately their customers) can be certain of their ISO 27018 compliance. To remain compliant, CSPs must undergo yearly independent reviews. This is what the likes of Microsoft will do.
The more regulators recognise and refer to ISO 27018 and the more customers require compliance with ISO 27018, the more CSPs will need to adopt and commit to ISO 27018. Like other ISO standards before it, ISO 27018 will become the norm.
What next for ISO 27018?
Regulators are adopting ISO 27018, customers are requiring compliance with ISO 27018 and CSPs are committing to ISO 27018 compliance. ISO 27018 is already becoming the norm (just like other ISO standards).
We expect this to continue. The adoption of cloud services is increasing across all sectors: financial services, retail, energy, logistics, manufacturing, travel and all kinds of SMEs. In the public sector, governments have pushed “public cloud first” style policies in the US, Europe, Australia and Singapore. It is in the interest of governments to allow cloud services to be adopted in the public and private sectors. The benefits of cloud services are clear. But at the same time the compliance challenge will not disappear. The regulation of data is on the rise (and rightly so). Data should be regulated; it is a valuable and sensitive asset. This is why ISO 27018 is proving helpful: customers can benefit from cloud services while at the same time ensuring compliance with privacy regulations.
A key challenge for organisations who want to use cloud services is to do so in a way that is compliant with the organisations’ obligations under data protection laws.
This guest post by Matt Hunter (@matthew1hunter) and Daniel Jung explains how ISO 27018 is relevant and why companies considering cloud solutions should look to cloud providers who meet this standard.
Around the world, companies are coming under increasing pressure to comply with data protection laws. Singapore is no different. In July 2014, Singapore’s Personal Data Protection Act (PDPA) came into force. Will the new international standard, ISO 27018, help customers in Singapore to overcome the data protection challenge when using cloud services? Our conclusion is yes. If a cloud customer engages a cloud service provider (CSP) that complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to the use of cloud services. Similarly, if a CSP complies with ISO 27018, the CSP can be confident that it can offer a cloud solution that will help its customers comply with their key legal obligations under the PDPA.
The PDPA places obligations on companies when it comes to the collection, use and disclosure of personal data. One of the consequences of the PDPA is that companies in Singapore who want to engage the services of a CSP must consider how the cloud solutions will comply with the relevant obligations under the PDPA. Similarly, CSPs who want to offer cloud solutions to customers in Singapore must consider how their cloud solutions will comply with the relevant obligations under the PDPA.
In August 2014 the International Organization for Standardization (ISO) published a new standard specifically applying to how CSPs protect and manage data on behalf of their customers: “ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (widely known as ISO 27018). One of the main intentions of ISO 27018 is to help public CSPs to comply with applicable obligations when holding personal data for their cloud customers.
So, how do the key legal obligations in the PDPA compare to the requirements of ISO 27018? Can ISO 27018 help cloud customers and CSPs alike to ensure compliance with PDPA requirements? In this blog we compare the key legal obligations in the PDPA relevant to the use of cloud services to the requirements in ISO 27018 and look at the practical steps that cloud customers and CSPs can take to ensure compliance.
How do ISO 27018 and the PDPA compare?
PDPA requirement: An organisation must obtain the consent of an individual in order to process personal data about the individual.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and prohibits processing for any other purposes. This requirement will help the customer because it provides assurance to the customer that the CSP will not use its personal data for purposes that are inconsistent with the consent the customer has obtained from individuals.
PDPA requirement: An organisation must notify individuals about the purposes for which their data will be processed.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and it requires the CSP to disclose information about sub-processors and data location to the customer. These requirements will help the customer because they provide assurance to the customer that the CSP will not use its personal data for purposes that have not been notified to individuals, and the customer can provide extra information in its notice to individuals about sub-processors and locations of processing.
PDPA requirement: An organisation must cease to retain personal data as soon as the purpose for which the personal data was collected is no longer being served by the retention of the personal data.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to implement a policy under which the CSP ensures that personal data is erased as soon as it is no longer necessary for the specific purposes of the customer.
PDPA requirement: An organisation must, upon the request of an individual, provide the individual with access to the personal data that an organisation holds about the individual and correct the personal data.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to assist its customer to comply with a data subject’s access requests and correction requests.
PDPA requirement: An organisation must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to take certain types of security measures, to adopt and implement security awareness policies and to subject their services to independent information security reviews at regular intervals.
PDPA requirement: An organisation has the same obligations in respect of personal data processed on its behalf and for its purposes by a third-party, as if the personal data is processed by the organisation itself.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires a contract to be executed between the data controller (the customer) and the data processor (the CSP), that contains minimum security arrangements and an obligation to process data in accordance with the data controller’s requirements. Further, it also requires the CSP to seek consent from the customer before engaging any sub-contractors.
PDPA requirement: An organisation must not transfer personal data outside of Singapore unless the transfer is made in accordance with the requirements of the PDPA to ensure that the organisation provides a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to specify and document the countries in which the personal data may be processed and, no matter where the personal data is located, all of the other requirements in ISO 27018 will apply to the personal data, so the customer can be sure that its personal data will be protected to the same standard of protection.
PDPA requirement: An organisation must implement policies and procedures in order to meet their obligations under the PDPA and shall make information about its policies and procedures publicly available.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to execute a contract with the customer to ensure that data is processed in accordance with the customer’s instructions (including instructions as to policies and procedures that are adopted by the customer).
Put simply, the comparison shows that the key legal obligations are matched by the standard’s requirements.
What about other countries?
The same conclusion appears to us to apply in other countries as well. The PDPA is similar to the data protection laws in many other countries, including Australia, European countries, Hong Kong, Japan, Korea, Malaysia and New Zealand. If a cloud customer in any of these countries engages a CSP who complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the data protection laws in its country.
How can a CSP demonstrate compliance with ISO 27018?
There are a few options:
There is no silver bullet to ensure overall compliance with an organisation’s obligations under privacy laws. However, in relation to cloud solutions, ISO 27018 is a welcome step towards ensuring that such cloud solutions are compliant with relevant privacy law obligations, including those in Singapore’s PDPA, and thereby further boosting customer confidence in cloud solutions. Customers should check that their CSPs (existing or potential) comply with ISO 27018. This will help customers to be confident that the cloud solutions (existing or potential) comply with the relevant obligations under the PDPA (or the relevant laws in other countries). CSPs should demonstrate compliance with ISO 27018 in order to be confident that their cloud solutions will help their customers to comply with the relevant obligations under the PDPA (or the relevant laws in other countries).
The Monetary Authority of Singapore (“MAS”) is consulting on a new notice and guidelines on outsourcing. Having already commented on its positive message for cloud services, this post addresses the rest of the consultation. In summary, we think:
Background
MAS first issued its ‘Guidelines on Outsourcing’ in 2004 (and updated them in 2005). Under this consultation:
Interested parties should submit views and comments to MAS by email to email@example.com by 7 October 2014.
What we like
Some important points we would like to see MAS clarify
Some less important points that could helpfully be clarified
Next steps: Customers, suppliers and advisors have until 7 October to submit a reply to the MAS. Let’s see to what extent they address the points noted above.
Financial institutions and cloud service providers alike should be feeling some relief following the release of the MAS’s consultation on the proposed new outsourcing notice and updated guidelines, as mentioned in Rob’s previous post.
The MAS doesn’t use the word “cloud” expressly in its consultation. However, the MAS has made important changes to the outsourcing guidelines. The changes are relevant to cloud services and, most importantly, there are positive references to cloud services. Cloud is OK provided you follow MAS’s rules.
In summary, these are positive steps for customers and service providers of cloud services. As the proposed new guidelines currently stand, the MAS has decided not to call out cloud services in much detail. Instead the MAS seems to be moving towards accepting cloud services as just another service delivery model, rather than as something that needs additional regulation or treatment. This is good news.
Apart from cloud, the new notice and updated guidelines should be welcomed. There are some points that the MAS should be asked to clarify, and now’s the time to do that – more on these points in our next blog. However, overall, these proposals are good for cloud and good for the financial services industry in Singapore.
On Friday 5 September, the Monetary Authority of Singapore (which regulates financial institutions in Singapore) published a consultation on revising its existing guidelines on outsourcing.
Responses are due by 7 October.
Singapore’s Infocomm Development Authority (IDA) has launched a new cloud security standard: Multi-Tier Cloud Security (MTCS) Standard For Singapore (SS 584). The IDA explains that the objective of the standard is: “to provide businesses with greater clarity on the levels of security offered by different cloud service providers (CSPs).”
The IDA’s fact sheet explains that: [Customer clarity is achieved] “through third-party certification and a self-disclosure requirement for CSPs covering service-oriented information normally captured in Service Level Agreements.”
The disclosure covers areas generally addressed through contractual service levels including:
Tiered Security Levels
The standard defines three tiers of security, with tier 1 being the base level and tier 3 being the most stringent:
The five certification bodies are the British Standard Institute, Certification International Pte Ltd, DNV Business Assurance, SGS International Certification and TUV SUD PSB Certification.
The IDA explains that it will work to cross-certify the MTCS SS with other international standards or certification schemes – such as the International Organization for Standardization (ISO) 27001 Information Security Management System (ISMS) and the Cloud Security Alliance (CSA) Open Certification Framework (OCF).
In the wake of increasing global concern about data security, this initiative by Singapore is in line with its policy to promote Singapore as a data hub and is welcome. However, the small size of the Singapore domestic market and continued suspicion of cloud solutions by other regulatory bodies (notably the Monetary Authority of Singapore) means that this may have limited market impact without engagement by a wider range of regulators.
Meanwhile, across the ASEAN region, current policy winds are increasingly blowing towards requiring data (especially financial data) either to be kept out of the cloud or to be kept in national clouds. To continue the weather metaphor, on the bright side it is possible that, if and when it is concluded, some provisions of the Trans-Pacific Partnership (TPP) may roll back some of the more nationalistic requirements currently in force or being considered.