- What is a cloud?
A cloud provides on-demand access to a shared pool of computing resources which can be used for a variety of computing functions (for example, storage or running applications) without having to purchase or maintain physical servers. Cloud computing is scalable so you can use as much or as little as you need.
• Public clouds, such as Microsoft Azure and Google App Engine, are available online to the public on a free or pay-per-use basis.
• Private clouds are accessible only within a particular organisation and can be hosted internally or by service providers.
• Hybrid clouds are an increasingly popular option and include a mix of public and private cloud resources. For example, sensitive data may be retained on a small on-premise private cloud, while anonymised big data analytics could run using the processing capacity of a public cloud.
- Where is the data stored?
Data stored in the cloud is transferred to and stored in the country where the server is located. Understanding where the information is transferred to is important because privacy laws in certain jurisdictions only permit cross-border transfers of personal information in limited circumstances. Information is often replicated in different jurisdictions so that it can still be retrieved or accessed if a server fails.
Once South Africa’s Protection of Personal Information Act, 2013 (POPI) is in full force, the cross-border transfer of personal information will be limited. For example, personal information may be transferred across borders with consent or if it will be adequately protected in the receiving country, either through the laws of the receiving country or contractually through an agreement with the receiving party.
- Regulatory considerations
Certain laws may prevent organisations from storing certain information on the cloud (or in a foreign jurisdiction). For example, if the proposed amendment to section 24 of the Financial Intelligence Centre Act, 2001 (FICA) is enacted, accountable institutions (including banks and attorneys) will be required to store Know Your Client (client verification) information in South Africa. Objections have been raised by various organisations making use of foreign clouds.
ISO27018 is an international code of practice that focuses on the protection of personal information by cloud providers. Remember that even where information is processed in the cloud, a responsible party will always remain liable for ensuring that personal information is processed in accordance with applicable laws such as POPI.