cloud computing

Cloud hosting solutions provide opportunities for many businesses to enjoy reduced IT costs, improved business continuity plans and a flexible infrastructure for both remote and static employees. Yet particularly in the legal industry, cloud computing can represent a significant risk to data protection.

The Bar Council has recently put together a set of guidelines which have been issued by The Information Technology Panel. These aim to keep legal firms aligned with their data protection obligations.

Data Protection

The Data Protection Act was created to safeguard the use of ‘personal data’ which is stored on a computer, or on paper with the future intention of being recorded on a computer. Personal data broadly refers to details of a person’s information such as their name, address and occupation. Advanced details are referred to as ‘sensitive personal data’ and can include information such as a person’s religious beliefs, criminal offences, ethnicity, medical details and political opinions. These types of details represent a high value commodity for anyone who wishes to commit financial fraud, so there is an incredible need to keep personal data protected from criminals.

The Information Commissioners Office is in charge of regulating any organisation which handles personal data. A serious breach of personal data could cost a company up to £500,000 in penalty fees which would not typically be covered by professional indemnity cover.

Barristers Chambers Compliance

It is vital that barristers’ chambers are fully compliant with current Data Protection laws. This requires that all barristers who handle personal information should notify the Information Commissioners Office with details of how they process and store such data. They must also be aware of the rules surrounding offsite data storage, particularly with the recent switch to cloud computing which many firms are now favouring.

Cloud Computing Storage Location

The current Data Protection Act prohibits personal data from being transferred to other countries outside of the European Economic Area unless they have adequate protection of their own in place. When it comes to cloud computing, the remote servers which store your data are brought into question. They must be situated within the EU area, or if this is not the case then they must comply with current EU data protection laws. Companies will need to carry out a risk-based assessment of the transfer and storage of the data, to check that it complies fully with the regulations.

It is also essential to remember to check the protection surrounding your email service if it is hosted by servers which are located outside of the EU.

Encryption in the Cloud

It is important that all the data that a company stores in the cloud is encrypted. Many cloud services providers do offer encryption as part of their package. However, this is not usually an adequate method of security as the providers will often be able to gain access to the raw data before encryption occurs.

Unless your provider is a ‘zero knowledge’ provider, it is preferable to use the inbuilt encryption services within Windows or Mac operating systems. This allows users to create an encrypted folder, in which you can save all your work before transferring it to the cloud. There are various limitations for the user with this type of encryption, most notably that you would be unable to view the encrypted folder on a mobile device. However, it is an effective encryption method as the cloud services provider would not be able to gain access to the unencrypted data using this method.

Alternatively, firms could choose to use a third party software package that allows you to easily encrypt your data and also view it on mobiles.

Backups

The Bar Council emphasise that cloud computing does not mean the end of backups. In the event that a server is wiped out by a virus and the problem is transferred to synchronising servers, it is essential that a backup copy exists for business continuity purposes. Automated backups are best practice as you can simply set them and forget them without worrying about manual user input.

We are experts in providing IT security solutions for legal sector companies who need to comply with the Bar Council, the Attorney General and the Information Commissioners Office. If you’d like guidance on how to improve your own data security, then why not call us today on 0203 355 7334 for a free IT consultation.