A key challenge for organisations who want to use cloud services is to do so in a way that is compliant with the organisations’ obligations under data protection laws.
This guest post by Matt Hunter (@matthew1hunter) and Daniel Jung explains how ISO 27018 is relevant and why companies considering cloud solutions should look to cloud providers who meet this standard.
Around the world, companies are coming under increasing pressure to comply with data protection laws. Singapore is no different. In July 2014, Singapore’s Personal Data Protection Act (PDPA) came into force. Will the new international standard, ISO 27018, help customers in Singapore to overcome the data protection challenge when using cloud services? Our conclusion is yes. If a cloud customer engages a cloud service provider (CSP) that complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to the use of cloud services. Similarly, if a CSP complies with ISO 27018, the CSP can be confident that it can offer a cloud solution that will help its customer comply with its key legal obligations under the PDPA.
Background
The PDPA places obligations on companies when it comes to the collection, use and disclosure of personal data. One of the consequences of the PDPA is that companies in Singapore who want to engage the services of a CSP must consider how the cloud solutions will comply with the relevant obligations under the PDPA. Similarly, CSPs who want to offer cloud solutions to customers in Singapore must consider how their cloud solutions will comply with the relevant obligations under the PDPA.
In August 2014 the International Organization for Standardization (ISO) published a new standard specifically applying to how CSPs protect and manage data on behalf of their customers: “ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (widely known as ISO 27018). One of the main intentions of ISO 27018 is to help public CSPs to comply with applicable obligations when holding personal data for their cloud customers.
So, how do the key legal obligations in the PDPA compare to the requirements of ISO 27018? Can ISO 27018 help cloud customers and CSPs alike to ensure compliance with PDPA requirements? In this blog we compare the key legal obligations in the PDPA relevant to the use of cloud services to the requirements in ISO 27018 and look at the practical steps that cloud customers and CSPs can take to ensure compliance.
How do ISO 27018 and the PDPA compare?
- Consent and Purpose.
PDPA requirement: An organisation must obtain the consent of an individual in order to process personal data about the individual.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and prohibits processing for any other purposes. This requirement will help the customer because it provides assurance to the customer that the CSP will not use its personal data for purposes that are inconsistent with the consent the customer has obtained from individuals.
- Notification.
PDPA requirement: An organisation must notify individuals about the purposes for which their data will be processed.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and it requires the CSP to disclose information about sub-processors and data location to the customer. These requirements will help the customer because they provide assurance to the customer that the CSP will not use its personal data for purposes that have not been notified to individuals, and the customer can provide extra information in its notice to individuals about sub-processors and locations of processing.
- Data retention.
PDPA requirement: An organisation must cease to retain personal data as soon as the purpose for which the personal data was collected is no longer being served by the retention of the personal data.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to implement a policy under which the CSP ensures that personal data is erased as soon as it is no longer necessary for the specific purposes of the customer.
- Data subjects’ right of access and correction.
PDPA requirement: An organisation must, upon the request of an individual, provide the individual with access to the personal data that an organisation holds about the individual and correct the personal data.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to assist its customer to comply with a data subject’s access requests and correction requests.
- Security.
PDPA requirement: An organisation must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to take certain types of security measures, to adopt and implement security awareness policies and to subject their services to independent information security reviews at regular intervals.
- Sub-contracting.
PDPA requirement: An organisation has the same obligations in respect of personal data processed on its behalf and for its purposes by a third-party, as if the personal data is processed by the organisation itself.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires a contract to be executed between the data controller (the customer) and the data processor (the CSP), that contains minimum security arrangements and an obligation to process data in accordance with the data controller’s requirements. Further, it also requires the CSP to seek consent from the customer before engaging any sub-contractors.
- International transfer restrictions.
PDPA requirement: An organisation must not transfer personal data outside of Singapore unless the transfer is made in accordance with the requirements of the PDPA to ensure that the organisation provides a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to specify and document the countries in which the personal data may be processed. Further, no matter where the personal data is located, all of the other requirements in ISO 27018 will apply to the personal data, so the customer can be sure that its personal data will be protected to the same standard of protection.
- Policies and procedures.
PDPA requirement: An organisation must implement policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to execute a contract with the customer to ensure that data is processed in accordance with the customer’s instructions (including instructions as to policies and procedures that are adopted by the customer).
Put simply, the comparison shows that the key legal obligations are matched by the standard’s requirements.
What about other countries?
The same conclusion appears to us to apply in other countries as well. The PDPA is similar to the data protection laws in many other countries, including Australia, European countries, Hong Kong, Japan, Korea, Malaysia and New Zealand. If a cloud customer in any of these countries engages a CSP who complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the data protection laws in its country.
How can a CSP demonstrate compliance with ISO 27018?
There are a few options:
- A CSP can contractually commit to comply with ISO 27018. This will show a commitment to comply but it does not demonstrate compliance.
- A CSP can consider third party certification against ISO 27018. This can currently only be done through an ISO 27001 certification that incorporates, as part of the controls that the CSP is being certified against, the controls in ISO 27018.
- A CSP can do a compliance self-audit against ISO 27018. There are also good arguments that a self-audit by a provider under ISO 27018 is accepted as proof of compliance with technical and organisational measures (as required, for example, under EU law for data processing agreements).
- Certification against a standard that includes ISO 27018. In November 2013, the Infocomm Development Authority of Singapore (IDA) launched a Multi-Tiered Cloud Security Standard (MTCS) in order to encourage CSPs to implement strong risk management and security practices through certification. This standard is currently being updated by the IDA. It would be sensible (and beneficial to customers and CSPs) if the IDA included ISO 27018 by reference, or included equivalent requirements, in any revised MTCS. This would mean that a CSP that is MTCS certified would also be ISO 27018 certified.
Conclusion
There is no silver bullet to ensure overall compliance with an organisation’s obligations under privacy laws. However, in relation to cloud solutions, ISO 27018 is a welcome step towards ensuring that such cloud solutions are compliant with relevant privacy law obligations, including those in Singapore’s PDPA, and thereby further boosting customer confidence in cloud solutions. Customers should check that their CSPs (existing or potential) comply with ISO 27018. This will help customers to be confident that the cloud solutions (existing or potential) comply with the relevant obligations under the PDPA (or the relevant laws in other countries). CSPs should demonstrate compliance with ISO 27018 in order to be confident that their cloud solutions will help their customers to comply with the relevant obligations under the PDPA (or the relevant laws in other countries).
Where does this leave 27001/2 then? If a CSP is still using 27002, does that mean they are not providing adequate security in terms of data privacy?