By Adam Gorley | 2 Minutes Read November 19, 2014

First international standard on cloud services and personal information protection

The International Standardization Organization has released a standard for privacy aimed at cloud computing service providers. The standard, “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (ISO 27018), includes “control objectives, controls and guidelines for implementing measures to protect personally identifiable information” in public cloud computing environments.
According to lawyer Maria-Martina Yalamova, writing in the National Law Review:

ISO 27018 is tailored to cloud services specifically and is the first privacy-specific international standard for the cloud. ISO 27018 seeks to address such issues as keeping customer information confidential and secure and preventing personal information from being processed for secondary purposes (e.g., advertising or data analytics) without the customer’s approval. ISO 27018 also responds directly to European Union regulators’ calls for the introduction of an auditable compliance framework for cloud processors to increase trust in the online environment. (Emphasis added.)

The new standard is useful for organizations that provide cloud services as well as those seeking to use such services. Service providers can benefit from the certainty offered by an internationally recognized compliance framework, and customers who choose certified providers can better understand how their information is being managed.
Yalamova outlines some of the requirements that the standard imposes on cloud service providers:

  • Always process personal information in accordance with the customer’s instructions
  • Only process personal information for marketing or advertising purposes with the customer’s express consent. Such consent cannot be made a condition for receiving the service
  • Help cloud customers comply when individuals assert their access rights
  • Disclose information to law enforcement authorities only when legally bound to do so
  • Disclose the names of any sub-processors and the possible locations where personal information may be processed prior to entering into a cloud services contract
  • Help cloud customers comply with their notification obligations in the event of a data breach
  • Implement a policy for the return, transfer or disposal of personal data, for instance when the service comes to an end
  • Subject their services to independent information security reviews at scheduled intervals (or when significant processing changes occur)
  • Enter into confidentiality agreements with staff who have access to personal data and provide appropriate staff training

For more information on the new standard and a preview, visit ISO.org.

Adam Gorley

Editor at First Reference Inc.
Adam Gorley is a copywriter, editor and researcher at First Reference. He contributes regularly to First Reference Talks, Inside Internal Controls and other First Reference publications. He writes about general HR issues, accessibility, privacy, technology in the workplace, accommodation, violence and harassment, internal controls and more.