Home Articles Data storage in and outside the UK

Data storage in and outside the UK

archives2012

Data security has always been high up on the agenda for any company, however with the emerging cloud infrastructures that are available it would be wise to consider all of the options presented. The main point being, “do you really know where your data is being held and stored, let alone who is accessing it?”

With Virtual storage available anywhere, UK based companies would be prudent to ask the right questions before taking the leap of faith which is Cloud Storage. With this said, UK based providers with virtual storage based in the UK (onshore) adhere to the DPA (data protection act 1998) which demand the safe guarding of any given firms data.

The DPA is an act of UK parliament that defines the ways which any firm’s data can be legally stored and used. The main purpose of this act is to protect any given individual or firms data against misuse or abuse. There are 6 main parts (amongst many others) that are pertinent to this topic but one in particular I would like to draw your attention to:

Data must not be transferred to a country or territory outside the European Economic Area unless that country or territory protects the rights and freedoms of the data subjects.

So, with this point at the centre of the data protection act, how sure can any given firm be of where there data resides outside of the UK? With the emergence of so many cheap and inexpensive cloud storage strategies available there are a multitude of issues that could arise from these so called “cost effective data storage strategies”.

Let’s not forget the issues that outsourcing faced when the service first emerged. There are documented cases where reputable service delivery organisations employees selling clients data to make a quick buck.

I can recall one horror story where we were called after an audit was conducted to a large city firm, where data storage was outsourced to a let’s say, not so reputable company.

They had indeed gone to tender and awarded the tender to said company (based in India). However unbeknown to the client firm that same company had outsourced the very service to another outsourced storage firm based in Nigeria. If this was terrible enough, the paper trail lead even deeper into darkness for the client as when they asked for a restoration for some of their data, it simply could not be found!

The Client was fined by their governing body and they quickly moved their operations to UK based IT infrastructure and tried to forget the whole embarrassment. This situation could have been a lot worse.

So, out of all of the IT strategies that are required for any given business (or individual in all honesty), data security and storage are top of the list. If you had the option of where your data storage is located, wouldn’t you rather be in your native country that at least abide by the governing body that protects your intellectual capital, rather than going for a cheaper option that could potentially sell your data to your competitor? All of this without any recourse back to themselves as they do not abided by the UK governing laws? I think the choice is obvious in my book and this together with the fast IT connectivity interconnects now available, businesses do not need to have this concern at a high price.

So how can you use contracts to ensure there is an adequate level of protection?

There are several types of contract that you can use to transfer personal data outside the EEA.

The main types are:

Contracts based on the standard contractual clauses approved by the European Commission (EC model clauses); and
other contracts you draw up yourself after a risk assessment to bring protection up to an adequate level.

EC model clauses

The European Commission has approved three sets of standard contractual clauses (known as model clauses) as providing an adequate level of protection. If you use these model clauses in their entirety in your contract, you will not have to make your own assessment of adequacy.

Two of the sets of model clauses relate to transferring personal data from one company to another company, which will then use it for its own purposes. In this case you can choose either set of clauses, depending on which suits your business arrangements better. The other set of model clauses is for transferring personal data to a processor acting under your instructions, such as a company that provides you with IT services or runs a call centre for you.

The model clauses are attached as an annex to the European Commission decisions of adequacy, which approve their use. The Information Commissioner has authorised the use of both sets of model contracts for transfers from controller to controller: the original 2001 clauses and the revised 2004 clauses.

The Information Commissioner has also authorised the use of revised contractual clauses adopted in May 2010 for transfers from controller to processor, and in doing so withdraws his authorisation for the the original 2001 clauses for transfers from controller to processor. Contracts made under this authorisation and concluded before 15 May 2010 are still valid, however, the revised clauses should be used from 15 May 2010.

If you are relying on the European Commission adequacy decisions you cannot change the clauses in any way, for example by removing parts or adding other clauses to change the meaning, but the clauses can be incorporated into other contracts. For more information, see section 3.2 of The eighth data protection principle and international data transfers.

Sound complicated? Well you would be right. Data security and storage is a potential minefield of issues to wade through. Call me paranoid but if someone asked me where I would recommend any given firms data storage to reside, it would be within the country that they reside in.

At the very least they are protected under the DPA. Obviously I would also suggest that they perform the appropriate due diligence on ANY firm that they are considering.

Cloud technology is here to stay and will become even bigger over the years to come. However with such a growth curve there will be many issues to come out in the future with regards to data handling and virtual storage.