Cloud Computing has all the promise you would expect from the heavens. Why do we have servers and teams of on or off site IT professionals when we can flock to the cloud for an astonishingly low cost – upwards from around £5 per month per user.
It seems like a “no-brainer”, and lo and behold, there are plenty of providers eager to get our business and telling us that if we don’t, we will soon be left behind with our dreary world of grinding servers whilst the rest of the business-world frolic happily in the clouds.
Cloud computing for law firms along the lines of Google for Work and Microsoft’s Office 365 is ridiculously straightforward. Everything is set up for working seamlessly using cloud technology with documents uploaded, edited, downloaded, and emails accessible everywhere.
Its an absolute cinch to set up your modern legal office that everyone will love. And the ease of use and convenience of these accessible everywhere all-in-one packages for businesses have taken the world by storm.
Google claim 3 million paying businesses use their work services worldwide, including 60% of Fortune 500 Companies. Many UK schools also use cloud technology, which parents will know causes issues when children’s passwords get shared around the classroom.
Who uses third party data storage providers?
So we have on tap a ridiculously cheap, widely available and easy way to delegate data responsibilities to the heavens. And with so many big names on board, why shouldn’t we hop on? Before we place our head in the cloud, let’s cover some more basics.
What exactly is “Cloud Computing”?
All this means is that the computer or device used to store your data is not held on your premises, but by a third party off site provider. So when we access our data, we are actually accessing it from a (hopefully secure) data centre somewhere in the world – USA, Lapland, Honolulu; does it matter so long as we don’t have that horror of horrors: Data loss?
Can we safely delegate care of our data to someone else?
Our data is in someone else’s care, but what about the Data Protection Act? That says we need comply with responsibilities when we hold and use information about other people, and it needs to be held within the EEA, though see the Information Commissioner’s blog on storing data in Safe Harbour countries.
We’re obliged to ensure robust measures are in place to ensure the data we hold is not compromised, including a written agreement between us (as the data controller) and the data storage provider.
And let’s not forget that despite Brexit, further measures are due to come into force next year through the new EU General Data Protection Regulation.
What happens if we get it wrong, and who is responsible?
Ultimately we are responsible for meeting legal obligations concerning our data, not the third party provider. And if we get it wrong, we face embarrassment, loss of business and fines of up to £500,000.
And we’re under the ICO’s radar – 173 UK law firms were investigated in 2014 for potential Data Protection Act breaches. And a quick scan down the ICO’s list of recent organisations they’ve taken action against reveals a few legal service firms and individuals including Assist Law and a barrister.
So maybe we can’t fling our data carelessly around the world?
What do our regulators think?
The SRA acknowledge the ease and functionality of cloud computing, but they have concerns; loss of data control, confidentiality, compliance with data protection legislation – it’s all in their document Silver linings; cloud computing, law firms and risk.
The Law Society have also published a comprehensive Practice Note on cloud computing.
Essentially the message is; make sure there are safeguards in place, be aware of the many potential issues, proceed with great care, don’t forget your regulatory obligations (e.g. Outcome 7.10 re outsourcing to third parties) and remember: You haven’t delegated your responsibility for client data to someone else.
In Part 2 of this post I look at the contractual terms offered by cloud providers. Should something go wrong and its their fault, who is liable? Us, or the cloud provider?