The accelerating trend of organisations to move data, including customers’ personal data to public cloud environments or other off premises services, raises an important question about who is responsible for the protection of a customer’s personal data.
The principle behind data privacy is that the information we occasionally give to others about ourselves is ours. If we give information to other entitities, like companies we buy goods and services from, the information we give should only be used for the purpose we gave it for.
Optionally, we can expand the scope of that remit, but let’s keep this simple. If we give our personal information to an appliance company when buying a washing machine, the company should only use that communication to talk to us about washing machines, and when the washing machine is dead, the data should also be deleted. If the washing machine company gives our information to another party without our permission, or if the company uses it for another purpose, then they are in breach of data protection laws.
The standard applies not only to large businesses, but equally to small businesses who hold data about their customers. So the question is, when small businesses use external email suppliers and public cloud services, who is responsible for keeping this data secure?
To understand the answer, we need to understand two concepts – data privacy, and data security.
Data privacy is a concept. Data privacy is the concept we use to explain our entitlement. It is an academic, or intellectual proposition. As property owners, our house is our castle. However, this intellectualisation does not mean that our house is safe. To enforce the concept, we have to secure it with locks.
This leads us to data security. This is a physical process, like securing our house with locks or other systems. Data security provides the tools that give us the confidence to know that our rights are protected. Data privacy and data security are interchangeably used, but they really account for two different propositions, and this brings us to the crux of the issue about who is responsible for the protection of data that individuals submit to the small business owner. Until now, many small business owners maintained customer data on premises, so the responsibility is apparently more clear cut. The data rests with the small business, therefore the business is responsible for it.
As small businesses use free email services and storage like GMail, Live, and Yahoo, and others increasingly move towards professional public cloud services, there is a tendancy for small businesses to imagine that the responsibility migrates with the data to the public services they use. Unfortunately, this is not the case.
In the case of the washing machine example, the company who holds a person’s information is what is called in the UK a “data controller”. Responsibility for protection of that data rests exclusively with the data controller, even if that information is stored with a third party elsewhere.
By way of example, Theo Watson, an attorney for Microsoft, recently cited a case where an NHS trust awarded a contract to an IT firm to dispose of computer equipment. Unknown to the Trust, the IT firm subcontracted the disposal to a third party who sold the computer equipment instead. However, the computers had not been purged and sensitive patient information made its way into the public domain. UK authorities determined that the responsible party was neither the contractor, nor the subcontractor, but the NHS. Although the NHS had delegated a job to a contractor, the NHS was ultimately responsible for knowing what happened to the data it held on behalf of its patients. If that meant watching hard drives being physically destroyed, it should have made sure that that happened.
The responsibilities of data controllers is absolute, and draws the role of free email services and public cloud services into sharp resolution. Small businesses often outsource IT work because they do not have expertise or financials to handle IT in-house. Yet, large suppliers like Google will be quick to point out that breaches arising from data that they hold on behalf of small businesses are not their responsibility. So, how does a small business protect itself?
In the final analysis, the answer lies in small business owners understanding the role that they play in handling customer data, and having confidence in the suppliers they use who provide the security necessary to protect data privacy rights on their behalf as an incentive to encourage business, rather than a contractual offering.
Premium suppliers like Micorosoft are certified to ISO 27001, HIPAA, FISMA, FERPA for their Office 365 solutions. Their participation in the “Safe Harbour” protocols enables the company to transfer data between EU and US jurisdictions within the confines of regional legal governance. At time of writing, Office 365 is the only email product supplied “off the shelf” that meets the regulatory governance required by US Federal Government department buyers and EU agencies. The same products are available for public purchase and include Microsoft’s extensive libraries of transport rules to help not only with observance of data privacy, but also tools for automated management of data leakage like credit card numbers, National Health Insurance numbers, and financial services information. Consequently, IT pros recommend services like MS Exchange, Office 365, because there is confidence in Microsoft’s efficacy as far as observance of data protection principles are concerned.
Rather than relying on ISO certifications etc. Micorosoft makes notable efforts to inform users about issues which are increasingly relevant as businesses move services online. Valuable resources are available at their Office 365 Trust Centre.
On the other hand, services like GMail, Yahoo, and others appear to sail closer to the wind. One reason is that many of the services small businesses use are not designed for business use in the first place. Whatever Google’s relationship with regulators over its evolving data policies, the weight of litigation by British, French, European, American, and other regulators hardly lends endorsement to Google’s ethical efficacy. Consequently, its growth in the business world is stunted compared to Office 365’s performance.
Regardless, responsibility for the execution of securing your customers’ personal information rests with you. In choosing your supplier, choose wisely, and choose an IT supplier who can inform you.