Cloud hosted services

Charlie Milton made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was refused by Information Commissioner's Office.

Dear Information Commissioner’s Office,

Could you please confirm:

1) Whether any personal data for which the ICO is a Controller, is hosted outside of the UK?

2) Does the ICO consider the hosting of personal data outside the UK to be a restricted transfer when the UK leaves the European Union - either as an export to the non-UK based cloud, or on importing from the non-UK based cloud?

3) If the answer to 2) is yes, a restricted transfer; what steps has the ICO taken, or plans to take, to govern the protection of personal data hosted outside the UK, either in export or import?

4) If the answer to 2) is no, not a restricted transfer, are you able to provide the ICO guidance or other advice stipulating cloud hosting services outside the UK are not restricted transfers?

Thank you for your consideration.

Yours faithfully,

Charlie Milton

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Dear Information Commissioner’s Office,

I believe my request is now overdue. Could you kindly review this for me please and provide an update or response.

Yours faithfully,

Charlie Milton

Dear Information Commissioner’s Office,

Further to my FOI request, this is now a week overdue. I haven't received any correspondence in relation to my request since 06 February.

For information, my request is:

Could you please confirm:

1) Whether any personal data for which the ICO is a Controller, is hosted outside of the UK?

2) Does the ICO consider the hosting of personal data outside the UK to be a restricted transfer when the UK leaves the European Union - either as an export to the non-UK based cloud, or on importing from the non-UK based cloud?

3) If the answer to 2) is yes, a restricted transfer; what steps has the ICO taken, or plans to take, to govern the protection of personal data hosted outside the UK, either in export or import?

4) If the answer to 2) is no, not a restricted transfer, are you able to provide the ICO guidance or other advice stipulating cloud hosting services outside the UK are not restricted transfers?

I would appreciate an update please.

Yours faithfully,

Charlie Milton

Information Commissioner's Office

20 March 2019

 

Case Reference Number IRQ0819207

 

Dear Sir/Madam

I am writing further to your correspondence of 8 March and 14 March 2019.
I apologise for the delay in responding.
 
Due to a high number of information requests to our department, I am
unfortunately not yet in a position to respond to your request for
information.
 
I sincerely apologise for this delay in responding and assure you that I
am currently progressing your case and will provide a full response as
soon as possible.
 
Yours sincerely
  
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Usual working pattern – Tuesday to Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

29 March 2019

 

Case Reference Number IRQ0819207

 

Dear Sir/Madam

I am writing further to your request for information received via the
website WhatDoTheyKnow.com (WDTK) on 6 February 2019. I sincerely
apologise for the lateness of response but I am now in a position to
respond to your recent request for information.
 
We have considered your request under the Freedom of Information Act
(FOIA) 2000.
 
Your request
 
Following my response to a previous request for information you asked:
 
“Could you please confirm:
 
1) Whether any personal data for which the ICO is a Controller, is hosted
outside of the UK?
 
2) Does the ICO consider the hosting of personal data outside the UK to be
a restricted transfer when the UK leaves the European Union - either as an
export to the non-UK based cloud, or on importing from the non-UK based
cloud?
 
3) If the answer to 2) is yes, a restricted transfer; what steps has the
ICO taken, or plans to take, to govern the protection of personal data
hosted outside the UK, either in export or import?
 
4) If the answer to 2) is no, not a restricted transfer, are you able to
provide the ICO guidance or other advice stipulating cloud hosting
services outside the UK are not restricted transfers?”
 
Our response 
 
I can confirm that we do hold some information in scope of your request.
 
In relation to your first request, I can confirm that all the key services
that the ICO uses to process information for our regulatory purposes are
based and hosted within the UK. However, on occasion we may engage the
services of data processors and other third parties outside of the
European Economic Area (EEA). For example in our privacy statement, which
can be found [1]here, we state: 
 
“We use a third-party web application firewall from Oracle Dyn to help
maintain the security and performance of our website. The service checks
that traffic to the site is behaving as would be expected. The service
will block traffic that is not using the site as expected. To provide this
service, Dyn processes site visitors’ IP addresses.
 
We rely on the Privacy Shield Framework to transfer this information to
Dyn’s servers which are located in the US. They hold the information for
seven days.”
 
These peripheral services may involve a limited amount of personal data
being transferred through or held outside the UK. In all cases where we
have used services outside of the EEA we have ensured compliance with the
appropriate international transfer processes. We also have established
processes to identify and capture data flows to ensure that they are
adequate and fit for purpose.
 
I consider point 2 and therefore points 3 and 4 of your correspondence are
queries, rather than information requests, which ask for our opinion
regarding the issue of restricted transfers post Brexit. We provide a
range of advice services for organisations and for the public. However, we
do not provide these through the WDTK website. Should you wish to contact
us with your personal email address I can ensure your questions are
forwarded to the relevant departments who will be best placed to respond.
 
In the meantime and by way of advice and assistance, you might find the
following links to our website helpful.
 
 

* For guidance and resources for organisations after Brexit please see:
[2]https://ico.org.uk/for-organisations/dat...

* For our views on how personal data will continue to flow after Brexit
please see:
[3]https://ico.org.uk/about-the-ico/news-an...

* You may also find Elizabeth Denham’s blog post regarding ICO advice
for organisations to prepare for a possible no-deal Brexit helpful. This
can be found here:
[4]https://ico.org.uk/about-the-ico/news-an...
 
This concludes my response to this request. I hope the information
provided is helpful.
 
Next steps
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me.
 
You can ask us to review the way we have handled your request. Please see
our review procedure [5]here.
 
Following our internal review, if you remain dissatisfied with the way we
have handled your request, there is a statutory complaints process and you
can report your concern to the regulator. I have included information
about how to do this separately.
 
Your information
 
Please note that our [6]Privacy notice explains what we do with the
personal data you provide to us and what your rights are.
 
This includes entries regarding the specific purpose and legal basis for
the ICO processing information that people have provided us with,
such as an [7]information requester.
 
The length of time we keep information is laid out in our retention
schedule, which can be found [8]here.
 
Yours sincerely
 
  
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [9]ico.org.uk  [10]twitter.com/iconews
For information about what we do with personal data see our [11]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. https://ico.org.uk/global/privacy-notice...
2. https://ico.org.uk/for-organisations/dat...
3. https://ico.org.uk/about-the-ico/news-an...
4. https://ico.org.uk/about-the-ico/news-an...
5. https://ico.org.uk/media/1883/ico-review...
6. https://ico.org.uk/global/privacy-notice...
7. https://ico.org.uk/global/privacy-notice...
8. https://ico.org.uk/media/about-the-ico/p...
9. http://ico.org.uk/
10. https://twitter.com/iconews
11. https://ico.org.uk/global/privacy-notice/

Dear Information Commissioner's Office,

Thank you for your response.

I appreciate that you have guidance available however my request specifically relates to the ICO's management of international transfers and not on your guidance for other organisations. Could you therefore review the request again based on the ICO's governance of their own international transfers?

Yours faithfully,

Charlie Milton

Information Commissioner's Office

2 April 2019

 

Case Reference Number IRQ0819207

 

Dear Sir/Madam

Thank you for your correspondence of 1 April 2019.
 
In my original response dated 29 March 2019 I explained that point 2 and
therefore points 3 and 4 of your request were queries, rather than
information requests, which ask for our opinion regarding the issue of
restricted transfers post Brexit. I explained that we provide a range of
advice services for organisations and for the public. However, we do not
provide these through the WDTK website. I invited you to contact us with
your personal email address so that I could ensure your questions were
forwarded to the relevant departments who would be best placed to respond.
 
The links to the guidance on our website were provided by way of advice
and assistance only and not a formal response to the queries that you had
raised.
 
It is not clear what recorded information you are specifically requesting
at this time. It might also be helpful to explain that conditional
requests are not always considered valid requests. The ICO has drafted
guidance on “Recognising a request made under the FOIA” which can be found
[1]here; page 19 explains specifically about when a conditional request
would not be considered valid.
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me. In my last
correspondence I also explained the next steps should you remain
dissatisfied with the way I have handled your request.
 
Yours sincerely
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [2]ico.org.uk  [3]twitter.com/iconews
For information about what we do with personal data see our [4]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. https://ico.org.uk/media/1164/recognisin...
2. http://ico.org.uk/
3. https://twitter.com/iconews
4. https://ico.org.uk/global/privacy-notice/