Warning: "continue" targeting switch is equivalent to "break". Did you mean to use "continue 2"? in /homepages/25/d403724996/htdocs/stormclouds/services/wp-content/themes/Divi/includes/builder/functions.php on line 4993
Privacy & data | STORM Clouds Services

Roadmap about migration of public services into the cloud

A step by step roadmap for Public Authorities to help them as they plan, determine effort and budget, select the appropriate services, make the required internal organisational changes and finally execute the migration into cloud.

Privacy & data

Privacy is understood as the right of a person to have his/her personal data properly secured. Moreover, it is related with the ability of a person to control, edit, manage and delete information about them and to decide how and to what extent such information is communicated to others (Ico, 2014). Data protection is the process of safeguarding important information from corruption and/or loss (Microsoft, 2014).

Cloud services make it easier for Public Authorities to take advantage of opportunities to share information. For example, sharing personal information with another public Authority or Agency may be achieved by simply creating user accounts with the appropriate permissions within a SaaS solution rather than having to implement a system-to-system interface to exchange information. Although cloud services have the potential to lower the technical barriers to information sharing Public Authorities must ensure that they appropriately manage access to personal information and comply with the requirements of the European and National Privacy Legislation.

Cloud providers should commit to protecting the data and limit the use of them. The data that Public Authorities host in cloud services belongs to them—and should not be used by a cloud provider for purposes other than to provide the customer’s service. Moreover, cloud providers should not use customer data for purposes unrelated to providing the service, such as advertising. Additionally, each service has established a set of standards for storing and backing up data, and securely deleting data upon request from the customer.

The best-designed and implemented service cannot protect customer data and privacy if it is deployed to an environment that is not secure. Customers expect that their data will not be exposed to other cloud customers. They also assume that the processes used at the datacentre, and the people who work there, all contribute to keeping their data private and secure.

The main threats to privacy in a cloud computing environment are:

  • Lack of User Control
  • Lack of Training and Expertise
  • Unauthorized Secondary Usage and Loss of Trust
  • Complexity of Regulatory Compliance
  • Transborder Data Flow
  • Litigation
  • Legal Uncertainty

In 2014, the International Organization for Standardization (ISO) adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII (ISO, 2014).

The new standard sets out best practices for public cloud service providers. It establishes security guidelines to protect personal data and provides a privacy compliance framework that addresses the fundamental obligations of a data processor under EU data protection laws. Any organisation that processes PII through a cloud computing service under a contractual arrangement can be certified under ISO 27018 – this means all types and sizes of organisations, including public and private companies, government entities and not-for-profit organisations, are eligible. To qualify for certification under ISO 27018, the applicant provider must agree to be audited by an accredited certification body and must also submit to periodic third party reviews.

Public Authorities can use this standard as an independent measure when evaluating and comparing privacy controls of potential public cloud service providers. An essential step is the signature of the service level agreement with the cloud provider. The agreement defines, among other things, a privacy policy prescribing where and how the organization’s data is stored, processed and used (i.e. accepted and prohibited uses) by the cloud service provider. It should also define some privacy related measures and technical controls to be applied on the cloud side, such as the vetting of employees, breach notification, isolation of tenant applications, and the use of products certified to meet national or international standards.

Although the agreement covers a lot of privacy issues, the lack of physical control by cloud users over data storage, and the absence of standardised and mature techniques for monitoring how data is accessed, processed and used inside the cloud, it is harder to verify a cloud’s compliance with such privacy policies.


  1. Analyse the type of data and usage
  2. Set up a limit for the back up volume
  3. Identify software tools for back up
  4. Select the more appropriate back up policy
  5. Choose where to store back ups

In addition to the evaluation of cloud provider, Public Authorities should also assess their Smart City services to identify issues that may lead to infringing users’ privacy. This applies mainly to applications that keep personal information or handle payments. In the first case the application must comply local laws about storing personal data, including any rules about the location of data centres, such as the EU Directive on data Protection [1] while in the second with any rules about safe payments, such as the Payment Card Industry’s Data Security Standard (PCI DSS).

However, there are many Smart City infrastructure management applications, such as applications related to public transport, street lighting or road traffic management that do not fall into any of the above categories, and for these data privacy is not such an issue. Agencies planning to place personal information on a cloud service should perform a Privacy Impact Assessment (PIA) to verify that privacy requirements are adequately addressed.