The Protection of Personal Information Act is expected to come into force this year, and has serious consequences for business, particularly those using hosted services.
If a customer contracts with a hoster for a service, that customer is the responsible party.
Kevin Derman, cloud and hosting manager, First Distribution
This piece of legislation has been a long time coming and its many iterations and unclear implementation to date has had all manner of business in a frenzy over its implications.
At its most basic level, the Act will place new responsibilities on businesses to safeguard information they hold relating to their customers. Not only do they have to assure the security of their databases, it also introduces the concept of a 'responsible party'.
This last stipulation, says Kevin Derman, cloud and hosting manager at First Distribution, is a concept that holds many potential pitfalls for organisations making use of hosted solutions.
"There is some confusion over where this 'responsibility' lies. If a customer contracts with a hoster for a service, that customer is the responsible party. The problem is that people are trying to mitigate their risk by saying, 'we're not hosting it' (and are therefore not responsible for services provided from the cloud). This shows they're not understanding the concept of 'responsible party' as defined in the legislation," he says.
This is especially troublesome when the hoster relies on another third-party cloud provider for some of their services or infrastructure. Derman says these so-called back-to-back agreements are not always visible to the customer, which impacts on their ability to comply with the new law's stipulations that they are clear on what security measures are in place to secure end-user data.
The evolution of the local cloud environment, he adds, has led to providers moving away from their own micro data centres to take up space in the shared DCs that provide greater capacity and security advantages.
Derman says while the mystery around cloud has decreased as organisations become more comfortable with the concept, concerns and uncertainty around security requirements and measures are going to define the coming year.
Share