With the increasing volume of information collected and processed by a business unit, the trend now for data storage is through the cloud. Cloud storage offers users easy access to data and documents through the internet. No matter where you are in the world, the data or document can be accessed and retrieved via the web.
However, the convenience and portability that cloud data storage provides poses a bigger risk involving privacy. This risk is heightened as when data are stored in public clouds where anyone may have access.
Given this privacy concern involving cloud data storage, the user must have considerable familiarity on what legal or regulatory and privacy parameters to look into when entering into a contract with cloud service providers.
Primarily, the Data Privacy Act of 2012 provides the regulatory framework for the use of cloud data storage. These frameworks aiming to secure cloud data storage must be incorporated into the cloud hosting contracts with the service providers.
- The contract must clearly define reasonable restrictions on access to the user's cloud. This will include the detail on who is allowed to access and the mechanism by which the user can access the cloud.
- The contract must identify the type of encryption used and whether such encryption meets the recommended standard under the DPA. The DPA recommends the use of “Advanced Encryption Standard with a key size of 256 bits as the most appropriate encryption standard. Passwords or passphrases used to access data should be sufficient strength to deter password attacks.”
- The contract must indicate whether the user's data is separated from others. Under relevant regulations governing entities regulated by the Bangko Sentral ng Pilipinas, the user's data must be separated from the others. As regards other types of users, they must evaluate their operational business needs on whether it will permit them to use shared or dedicated cloud data storage.
- The contract must outline the terms and conditions of data egress. If the user intends to terminate the contract, the DPA provides that the personal data must be returned to the user. As such, the contract must particularly state the timeline, method of retrieval and data format once the contract is terminated.
- The contract must state the business continuity plan, especially when there is data destruction, disruption, or loss.
The foregoing are a few of the legal parameters to look into cloud hosting contracts. There is still more to add or incorporate into this type of agreement depending on the operational needs of the user.
Disclaimer: This article is for general information only and is not intended nor it be construed as a substitute for legal advice on any specific matter. A professional legal advice is still necessary to an actual or particular issue.