On 3 February 2011 the Danish Data Protection Agency (Datatilsynet) issued an opinion on cloud computing. In its opinion the DPA rejects the Municipality of Odense’s use of cloud computing to store certain sensitive information, primarily due to important security issues.
The Municipality of Odense requested an advance opinion from the DPA concerning the municipality’s planned use within the school system of the Google Apps online office suite with calendar and document processing features. The municipality wanted teachers to use the solution when registering information about lesson planning and assessments of lesson plans and individual students’ educational development. In addition, the teachers were to take notes on the classes and the students’ cooperation and prepare letters to parents regarding their children. The municipality also wanted to use the solution for planning and sending invitations to meetings and distributing information about school-related activities. The use of the solution would have involved the processing of sensitive information in the form of health data, data on serious social problems and other data of a purely private nature.
According to the DPA, the use of cloud computing in this context primarily triggers the following issues:
- Any transmission of data to data centres located in non-secure third countries other than the USA requires a legal basis for such transmission, for example an agreement based on the EU Commission’s standard contractual clauses and an authorisation from the DPA.
- The risk assessment conducted by the municipality is inadequate. The DPA recommends the use of ENISA’s checklist (included in the publication “Cloud computing – Benefits, risks and recommendations for information security”).
- The contemplated processor agreement does not meet the requirements of the Danish Act on Processing of Personal Data.
- It is questioned whether the municipality can meet the Act’s requirements for control to ensure that the security measures are upheld by the processor, given that the municipality does not know where the data is physically located.
- It is unclear how the following requirements of the Act will be met:
  - Deletion of data so that it cannot be recreated.
  - Transmission and login. The municipality has not made clear whether encryption will be used when transferring data between the various data centres.
  - No information has been provided about what data are logged or how long the log is stored.
The DPA is willing to reconsider the case for a revised statement if Odense Municipality continues to work on the case and seeks solutions to the identified issues.
The entire opinion (in English) is available at the DPA’s website: http://www.datatilsynet.dk/english/processing-of-sensitive-personal-data-in-a-cloud-solution/
Considering the development of cloud computing, I find the opinion to be of great interest. Please let me know if other DPAs have already addressed the issues of cloud computing and what their views are.