pri­va­tim: Fact Sheet “Cloud-spe­ci­fic Risks and Measures

pri­va­tim, the con­fe­rence of Swiss data pro­tec­tion com­mis­sio­ners, has published a Fact sheet on “Cloud-spe­ci­fic risks and mea­su­res” published. The fact sheet is aimed at public bodies and dis­cus­ses par­ti­cu­lar heigh­ten­ed, data pro­tec­tion risks when using cloud ser­vices and the respon­si­bi­li­ty of the public body when using such services.

The con­clu­si­on is as follows:

Public bodies may also use third-par­ty cloud ser­vices for their data pro­ce­s­sing – if their out­sour­cing is per­mit­ted under the gene­ral rules for com­mis­sio­ned data pro­ce­s­sing (see the gui­des in Appen­dix 2). For this pur­po­se, in a com­pre­hen­si­ve Risk ana­ly­sis take into account the spe­ci­fic risks asso­cia­ted with the use of cloud ser­vices. This risk ana­ly­sis must show the cloud-spe­ci­fic risks dif­fe­ren­tia­ted for the indi­vi­du­al data pro­ce­s­sing ope­ra­ti­ons as well as the cor­re­spon­ding mea­su­res with which the cloud-spe­ci­fic risks can be exclu­ded or redu­ced to an accep­ta­ble level. The assess­ment should show whe­ther the use of cloud ser­vices for the data pro­ce­s­sing is per­mis­si­ble in full, in part or not at all.

The public bodies that use cloud ser­vices for the per­for­mance of their duties con­ti­n­ue to bear full respon­si­bi­li­ty for the pro­ce­s­sing of the data. The public body (or its manage­ment) is requi­red to con­firm in wri­ting that it under­stands the risks and accepts the resi­du­al risk. The assump­ti­on of resi­du­al risks may also have an impact on accoun­ting, which should be veri­fi­ed by the finan­cial con­trols. Exe­cu­ti­ves are advi­sed to regu­lar­ly record the (resi­du­al) risks assu­med, as they are ulti­m­ate­ly respon­si­ble to par­lia­ment and the peo­p­le for pro­tec­ting the fun­da­men­tal rights of citi­zens and for the finan­cial con­duct of the administration.

The public body, for its part, must have a Data pro­tec­tion impact assess­ment car­ry out. The risk ana­ly­sis and action plan must be sub­mit­ted to the respon­si­ble data pro­tec­tion super­vi­so­ry aut­ho­ri­ties for review (pri­or checking or pri­or con­sul­ta­ti­on). They also advi­se the public bodies on legal, orga­nizatio­nal and tech­ni­cal issues.

In an appen­dix to the fact sheet, pri­va­tim pro­vi­des “examp­les of pos­si­ble over­all assess­ments of cloud risks in terms of appli­ca­ble law/jurisdiction, loca­ti­on of cloud infras­truc­tu­re and secrecy/key manage­ment”, each of which asses­ses the cloud-spe­ci­fic risks (low/increased/very high), accom­pa­nied by a recommendation.

Edit 7.2.19: The fact sheet pri­ma­ri­ly requi­res a lege artis risk assess­ment and does not gene­ral­ly per­mit or pro­hi­bit outsourcing.