In simple terms, cloud services are the delivery of information technology (IT) services via the internet, and such services can be accessed remotely from any location and device. Examples of cloud services include cloud storage and cloud computing.
There are three main offering models of cloud computing:
Infrastructure as a Service (IaaS): This is the most basic delivery model. The provision of infrastructure itself is the service. An IaaS vendor provides servers or computing infrastructure via the internet. The infrastructure here typically means the servers, storage and virtual networks.
Platform as a Service (PaaS): This is one step up from IaaS and involves vendors providing infrastructure plus an operating system to the customers, who can place their own applications on the platform and carry out development work.
Software as a Service (SaaS): This is the most common type of cloud service. SaaS vendors provide access to software and applications, such as email, word processing and customer management tools, to their business customers. Customers who use SaaS also use the software provided as part of their business tools.
Both the business and the cloud service provider share the responsibility of protecting privacy and ensuring data security in a cloud environment.
Depending on the specifics of the cloud service, when a business opts to use cloud services, it will often have to share or store the data in the service provider’s facilities, entrusting these service providers with the business’s internal data, including client information, employee data, and confidential information. This arrangement often raises inherent data security and privacy concerns.
The Privacy Commissioner for Personal Data of Hong Kong (PCPD) recently updated the Guidance on Cloud Computing to explain some of the inherent privacy risks associated with using cloud services and to offer practical advice on managing such risks.
Businesses, as data users, need to take ultimate responsibility for the protection of the personal data they collect and hold. The outsourcing of any processing or storage of personal data to third parties does not reduce the data users’ legal responsibility in this regard.
Some key considerations proposed by the PCPD include:
The business must ensure that clear and comprehensible notification is given to individuals, such as employees or customers, in their personal information collection statement and privacy policy, stating that personal data storage and processing will be outsourced to a cloud service provider, and that their personal data may be stored or processed in another jurisdiction if such data is transferred abroad.
The business should limit the cloud service provider’s use of data to the agreed purposes. This limitation should also apply to any subsequent subcontractors that are involved in providing the service in this contract.
If data transferred to the cloud service providers will be stored or processed in another jurisdiction, the business should ensure that such cross-border transfers comply with the relevant requirements under the applicable data protection laws. For example, certain jurisdictions require data transfer agreements to be signed before sensitive data can be transferred abroad.
When choosing cloud service providers, the business should carefully consider whether the physical hardware and cloud environment used by cloud service providers are secure enough to ensure adequate data protection. Businesses should therefore obtain the relevant assurance from the cloud service providers, or certification reports from reputable or internationally recognized third parties, such as certification against ISO standards.
Data disposal is a critical component of managing data. The business should ensure that there are provisions in the contract that ensure the safe erasure or return of data held by the cloud service provider to the business.
Businesses need to ascertain the sub-contracting arrangements of cloud service providers and should also obtain contractual assurance from the providers that the same level of protection and compliance controls will be imposed on their sub-contractors.
Individual clients and customers have the right to exercise their data subject rights (such as data access rights) under the applicable data protection laws. The business should arrange with the cloud service providers to ensure that the business, and potentially regulators, can access data when needed.
There should also be contractual provisions that require cloud service providers to notify the business of data incidents or breaches in a timely manner. Prompt notification facilitates the containment of the incident and ensures swift notifications to the regulators and affected data subjects.
Businesses should find ways to verify the data protection and security measures adopted by cloud service providers. Sometimes, businesses are also given the right to audit the operations of the cloud service providers.
When dealing with cloud service providers that offer only standard services and non-negotiable contract terms, businesses must carefully evaluate whether the services and the contract terms meet all the necessary security and personal data privacy protection standards. If there are gaps between the service being offered and the standards required, such gaps will require attention and should be proactively addressed.
If unsure, businesses should seek legal advice to iron out the risks in managing cloud computing processes, as a commitment to cloud computing services is not short term.