Singapore – Data Protection In Cloud Computing

16 October, 2014

The vulnerability of data held in cloud storage platforms is a recurring issue. From time to time, we come across reports of security breaches or leaks relating to data held in the cloud. It is now commonly accepted that cloud computing poses data protection risks, given the inherent nature of cloud services and the rise of threat agents such as hackers. Such risks are, however, unlikely to stop the rising trend of organisations switching to cloud computing to take advantage of substantial cost savings.


In Singapore, data protection in cloud computing is a developing area. This is not surprising as the Personal Data Protection Act (“PDPA”) only became fully operational in July 2014. This article outlines the current guidance given by the Personal Data Protection Commission (“PDPC”) on data protection in cloud computing and discusses whether guidance should be given on encryption of personal data in a cloud environment.


What Is Cloud Computing?


From a technical perspective, cloud computing may be viewed as “flexible self-service network-accessible computing resource pools that can be allocated to meet demand”.1 Put more simply, the UK Information Commissioner’s Office (“ICO”) defines cloud computing as “access to computing resources, on demand, via a network”.2 The key advantages of cloud computing are the availability of computer resources (e.g. “storage, processing and software”3) with greater capacity as compared to the constraints of hardware, and the flexible allocation of such resources (the “on demand” feature), which “can be adjusted on the fly to meet changes in need or based on configuration settings in an administrative interface, without the need for direct IT personnel involvement”.4 The environment in which such resources are provided and allocated is referred to as the “cloud”.5

Cloud computing therefore has “important economic benefits, because on-demand resources can be configured, expanded and accessed on the Internet quite easily”.6 It also generates security benefits as “enterprises, especially small-to-medium sized ones, may acquire, at a marginal cost, top-class technologies, which would otherwise be out of their budget range”.7 The spectrum of cloud computing services is vast, “ranging from virtual processing systems … to services supporting application development and advanced hosting, up to web-based software solutions that can replace applications conventionally installed on the personal computers of end-users”.8

Obligations Currently Applicable To Cloud Providers Under The PDPA


The PDPA is the primary data protection law in Singapore that governs the collection, use and disclosure of personal data. Its objective is to “ensure a baseline standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks”.9 Nine main obligations are encapsulated in the PDPA, which organisations must comply with in collecting, using or disclosing personal data.


Of particular importance to cloud computing is the definition of a “data intermediary” under s 2(1) of the PDPA, which refers to “an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation”. Typically, cloud providers are considered data intermediaries as they are concerned mainly with the processing of personal data. For processing of personal data, data intermediaries are subject only to the Protection Obligation10 and the Retention Limitation Obligation11 under ss 24 and 25 of the PDPA respectively.12


As for transferring personal data outside of Singapore under s 26 of the PDPA (known as the Transfer Limitation Obligation), the Advisory Guidelines on Key Concepts in the PDPA (revised on 16 May 2014) issued by the PDPC provide the following example in the context of cloud computing:

“Cedric is a client of Organisation GHI. Organisation GHI notifies Cedric in writing that it is adopting a cloud-based solution to store and analyse its client data, which includes personal data such as clients’ identification details, address, contact details and income range, and asks for Cedric’s consent to move his client data to the cloud-based solution. Organisation GHI also provides Cedric with a written summary of the extent to which Cedric’s personal data will be protected to a standard comparable to that under the PDPA, in the countries and territories that it will be transferred to. Should Cedric provide his consent, Organisation GHI would be able to transfer his personal data in compliance with the Transfer Limitation Obligation.”

The above example recognises that a cloud provider may distribute data across its data centres around the globe. Hence, the individual's informed consent must be obtained before the organisation (or the cloud provider acting on its behalf) transfers that individual's personal data out of Singapore, in accordance with the Transfer Limitation Obligation.

More complex issues may, however, arise in determining whether informed consent has been obtained. For example, in the case of layered cloud services where different providers provide different aspects of the cloud service, the UK ICO has given guidance that the cloud provider should make available “information relating to the location of each sub-processor involved in the processing of the data …, with details of the security arrangements in place”.13


Encryption Of Personal Data In A Cloud Environment


In the European Union context, the Article 29 Data Protection Working Party has observed that “[i]n a cloud environment, encryption may significantly contribute to the confidentiality of personal data if implemented correctly, although it does not render personal data irreversibly anonymous”.


The UK ICO has similarly given guidance on protecting personal data by encryption in cloud computing, including the following:14

  • The cloud provider should give assurances that data in transit within the cloud service is appropriately secure;
  • The cloud customer should consider if it is appropriate to use encryption on data ‘at rest’, i.e. when stored within the cloud service; and
  • It is important to ensure the security of the encryption key, so as to maintain the level of protection encryption can offer.

It may be useful for the PDPC to consider promulgating similar guidance, as well as address the relationship between encryption and anonymisation.


The PDPC has defined anonymisation as “the conversion of personal data into data that cannot be used to identify an individual whether from that data itself, or from that data and other information to which the organisation has or is likely to have access”.15 It has also clarified that as anonymised data is not personal data, the data protection provisions in Parts III to VI of the PDPA will not apply.16 Data that is anonymised may protect “against inadvertent disclosures and security breaches”.17


As noted above, the Article 29 Data Protection Working Party takes the view that encrypted data is not irreversibly anonymised data. In Singapore, it is unclear whether encrypted data is even anonymised data in the first place. Although the PDPC has not expressly identified encryption as an anonymisation technique, it has also stated that its list of anonymisation techniques is for general information and is not exhaustive.18 From a technical standpoint the distinction is sharp: encryption is reversible by anyone holding the key, so whether encrypted data remains personal data turns on who controls that key, whereas anonymisation removes the means of re-identification altogether. Clarifying the relationship between encrypted data and anonymised data will help cloud providers and cloud clients decide on the most cost-efficient way to protect personal data in the cloud. It will also assist in delineating the parameters of the Protection Obligation of cloud providers under the PDPA.
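The ICO's three points above (secure data in transit, consider encrypting data at rest, keep the key secure) and the encryption-versus-anonymisation question can both be made concrete in code. The following Python is an added example written for this page; it is not code from the article, the PDPC or the ICO. It assumes a hypothetical client record with constructed values modelled on the "Cedric" example, and it uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag only so that it runs on the standard library; a production system would use AES-GCM (for instance from the `cryptography` package) with the master key held in the customer's own key management system. The cloud customer generates and keeps the master key; the provider stores nothing but the opaque blob.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample client record (hypothetical values), mirroring the field
# types in the PDPC's "Cedric" example: identification, address, contact, income.
SAMPLE_RECORD = {
    "client_id": "C-1042",
    "name": "Cedric",
    "id_number": "S0000000A",
    "address": "1 Example Road, Singapore",
    "phone": "+65 0000 0000",
    "income_sgd": 85000,
}

# Generalisation bands used by the (hypothetical) anonymisation step: lower bound -> label.
INCOME_BANDS = [(0, "<40k"), (40000, "40k-80k"), (80000, "80k-120k"), (120000, ">=120k")]


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one customer-held master key.

    The master key never leaves the cloud customer; the provider only ever sees blobs.
    """
    enc_key = hmac.new(master_key, b"pdpa-example/enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"pdpa-example/mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream that stands in for AES-CTR/GCM
    so this file runs on the standard library alone. Use AES-GCM in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(master_key: bytes, record: dict) -> dict:
    """Encrypt-then-MAC a record client-side before it is uploaded to the cloud.

    Returns only opaque hex fields; the provider learns nothing but the length.
    """
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(16)  # fresh per record: a nonce must never be reused with a key
    plaintext = json.dumps(record, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_record(master_key: bytes, blob: dict) -> dict:
    """Verify the tag in constant time, then decrypt. Anyone holding the master key
    gets every identifier back, which is why encrypted data is not anonymised data."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected_tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, bytes.fromhex(blob["tag"])):
        raise ValueError("authentication failed: wrong key, or nonce/ciphertext modified")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def anonymise_record(record: dict) -> dict:
    """Drop every identifier and generalise income to a band. No key exists that reverses
    this, so the output is no longer personal data on its own (re-identification risk from
    other data the organisation holds still has to be assessed)."""
    band = next(label for floor, label in reversed(INCOME_BANDS) if record["income_sgd"] >= floor)
    return {"income_band": band}


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)              # generated and kept by the customer
    blob = encrypt_record(master_key, SAMPLE_RECORD)  # this is all the provider stores
    print("provider sees:", blob)
    print("customer recovers:", decrypt_record(master_key, blob))
    print("anonymised copy:", anonymise_record(SAMPLE_RECORD))
    tampered = dict(blob, tag="00" * 32)
    try:
        decrypt_record(master_key, tampered)
    except ValueError as err:
        print("tampered blob rejected:", err)
```

Running the script shows the three states side by side: the provider holds a blob that reveals only the record's length; the customer, holding the key, recovers the full record, so the data is still personal data in the customer's hands and in the hands of anyone who obtains the key; and the anonymised copy contains only an income band with no route back to Cedric. The tag check also shows why key security and integrity go together: a blob modified in storage, or a decryption attempted with the wrong key, is rejected rather than yielding garbage that downstream code might trust.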


Conclusion


While the PDPA offers cloud clients some protection through the limited data protection obligations imposed on cloud providers, the existing guidance given by the PDPC on data protection in cloud computing may not be sufficient to address the intricate permutations of storing data in the cloud. Cloud clients should therefore pay careful attention to the terms and conditions of cloud contracts to ensure that the confidentiality of their personal data is not compromised.


Whether personal data in the cloud should be encrypted or anonymised is likely to have long-term implications on business costs, especially in light of the overarching Protection Obligation and cross-border data transfers governed by the Transfer Limitation Obligation. The PDPC should consider issuing detailed guidance on the relationship between encryption and anonymisation for the benefit of cloud providers and cloud clients.

End Notes:

1 Kirk Hausman et. al., Cloud Essentials (2013).

2 UK Information Commissioner’s Office, “Guidance on the use of cloud computing”, available here.

3 Note 2 above.

4 Note 1 above.

5 Thomas Erl et. al., Cloud Computing: Concepts, Technology & Architecture (2013).

6 Article 29 Data Protection Working Party (established under the European Union Data Protection Directive), Opinion 05/2012 on Cloud Computing (adopted on 1 July 2012).

7 Note 6 above.

8 Note 6 above.

9 See http://www.pdpc.gov.sg/legislation-and-guidelines/ (overview).

10 This obligation requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks: see Advisory Guidelines on Key Concepts in the Personal Data Protection Act issued by the PDPC (revised on 16 May 2014), Chapter 10.

11 This obligation requires an organisation to cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes: see Advisory Guidelines on Key Concepts in the Personal Data Protection Act issued by the PDPC (revised on 16 May 2014), Chapter 10.

12 See s 4(2) of the PDPA.

13 Note 2 above.

14 Note 2 above.

15 Advisory Guidelines on the PDPA for Selected Topics issued by the PDPC (revised on 11 September 2014), Chapter 3.

16 Note 15 above.

17 Note 15 above.

18 Note 15 above.

For further information, please contact:

Jonathan Kok, Partner, RHTLaw Taylor Wessing
jonathan.kok@rhtlawtaylorwessing.com
