Storing Confidential Information in the Cloud

Information is a valuable asset in any area of business. Intellectual property protects information in a variety of ways, but sometimes that is not sufficient. Imposing contractual obligations of confidentiality when disclosing proprietary information can be vital in protecting business interests and in preserving a competitive edge.

A Confidentiality Agreement or Non-Disclosure Agreement (also frequently abbreviated as “NDA”) will help to ensure that information is protected, setting out the extent to which a recipient can use that information and for what purpose or purposes, as well as imposing key limitations on how it must be stored, whether or not (and how) it can be shared (and with whom) and what to do with it when the stated purposes are at an end (or before in some cases).

In addition, confidential information may contain certain personal data. In such cases, an NDA may also include provisions dealing with the sharing of personal data either on a controller-to-controller or controller-to-processor basis.

Updated Documents – Storing Confidential Information in the Cloud

Increasingly, electronic information is stored in the cloud, rather than confining it to a single computer or device. While this may be an almost automatic practice when it comes to storing your own business information, additional consideration should be given before storing another party’s confidential information. While some cloud storage providers purport to be “zero-knowledge”, the fact remains that confidential and proprietary information is being shared with a third party and that no system is truly invulnerable. When sharing confidential information under an NDA, careful thought should be given to the suitability of cloud storage, and it will likely be a point of negotiation.

The range of Confidentiality Agreements has been updated with new optional provisions allowing for cloud storage. The new clauses address the use of a “data storage provider” by the recipient of the confidential information but only with the agreement of the disclosing party. Other parts of the documents have also been amended to work with this option, including the recipient’s obligations to return or erase the confidential information at the end of the agreement (allowing for situations in which it may not be possible for technical or legal reasons for the recipient to fully erase the confidential information) and the optional data protection provisions. It is important to keep in mind that a disclosing party may resist the use of cloud storage by a recipient due to the necessary additional disclosure and the related reduction in control over the information. This will be a point of negotiation and professional legal advice may be necessary or desirable. It is also important to note that if personal data is included in the confidential information, the data protection clauses in these documents as written do not allow for the transfer of personal data outside of the UK (or, optionally, the EEA). This will be a further important factor to consider if the recipient wishes to store information in the cloud as not all cloud services provide dedicated storage specifically within the UK or EEA.