AP comes with recommendations for storing personal data in the cloud

The Dutch Data Protection Authority and other European regulators have made recommendations for government agencies that store personal data in the cloud. One of the recommendations is that government organizations should refrain from agreeing to a standard contract from a cloud service provider. Carrying out a Data Protection Impact Assessment (DPIA) is also essential.

The privacy watchdog announced the 13 recommendations of the national regulators in a press release.

Identify privacy risks well in advance

The recommendations are described in detail in a report by the European Data Protection Board (EDPB), the cooperative body of all supervisory authorities in the EU. Researchers conducted surveys and interviewed government agencies that store personal data in the cloud, then inventoried the results and formulated several recommendations.

The most important tip that the regulators can give to government agencies is that they first correctly map out the privacy risks before they start working with a cloud provider. A DPIA, or data protection impact assessment, is therefore mandatory. This is a means of checking whether a party complies with European privacy rules. An independent party examines how an organization deals with the processing of personal data. It examines, among other things, which privacy-sensitive data a body collects, for what purposes it needs this data, how it processes this information and whether the processing of this data outweighs the invasion of privacy.

Government organizations must ensure that they take the proper technical and organizational measures to limit any privacy risks as much as possible. They have to make specific agreements about this with a cloud provider, and it is unwise to settle for the standard contract that many service providers work with.

Storage of personal data outside Europe

Another prominent recommendation from the members of the EDPB concerns the storage of personal data outside the EU. If a government organization chooses to have personal data processed by a party outside Europe, the protection of this data must be at least at the same level as in the EU.

Because that was not the case in the US, the European Court of Justice struck down the Privacy Shield in the summer of 2020. There is now an agreement in principle on the table, although some have reservations about it.

EDPB advises government agencies to act together

According to the Dutch Data Protection Authority, other European countries can learn a lot from the Dutch government. “Dutch government organizations are increasingly jointly conducting a thorough DPIA for cloud services. And because the government often also publishes these DPIAs, other organizations can learn how to assess the risks of certain cloud services,” the regulator writes.

A joint analysis also means that government organizations can better negotiate good conditions with cloud providers. That is why the EDPB recommends that government institutions cooperate with other organizations when they enter into discussions with parties that offer cloud services. Finally, ministries must harmonize how privacy is included in the procurement process.

Cabinet introduces a new cloud policy

At the end of August, the cabinet presented a new cloud policy. In the plan, State Secretary for Digitization Alexandra van Huffelen gave government organizations more scope to use cloud services from commercial parties such as Microsoft, Amazon and Google. 

At the same time, she warned of the potential risks. Government agencies that want to use cloud services from international providers should take a good look at the conditions in the field of security and privacy. In addition, they are required to make a risk analysis in advance.

AP: ‘Government cloud policy too noncommittal’

The Dutch Data Protection Authority ruled that the cabinet’s new cloud policy was too noncommittal. “Privacy should be the guiding principle regarding whether you can store information about citizens at a company. If you do not properly investigate which risks there are, you cannot take measures to remove those risks,” said AP chairman Aleid Wolfsen.

The Netherlands Authority for Consumers and Markets (ACM) was more optimistic about the government’s new cloud policy but, like the privacy watchdog, saw several dangers. For example, switching from one cloud provider to another isn’t easy. “Due to this limited interoperability, companies and organizations have little freedom in choosing between cloud services from different providers,” the consumer watchdog concluded.
