Guidelines on choosing Cloud Service Provider

Basic Guidelines on choosing Cloud Service Provider (CSP)

  1. Risk Assessment (Why, what, when, where, who and how).
  2. Data users are responsible for the protection of personal data.
  3. Outsourcing data processing doesn't mean outsourcing legal liability.
  4. You would not lower your IT security as a result of outsourcing.

Minimum considerations in contract

  1. Security measures or requirements.
  2. Timely return, destruction or deletion of the personal data when they are no longer required.
  3. Prohibition against any use or disclosure of the personal data for other purposes.
  4. Prohibition or restriction against sub-contracting.
  5. Immediate reporting of any sign of abnormalities or security breaches.
  6. Measures by data processor to ensure security and staff compliance are in place.
  7. Data user’s right to audit and inspection, or equivalent.
  8. Consequences of violation of the contract.

Other considerations in contract

  1. Select reputable contractors that can ensure data security and/or with good track record.
  2. Use of contractors (and measures to protect personal data in such arrangement) should be transparent to data subjects.
  3. Clear instructions should be given to data processor in respect of the use, transmission, storage and destruction of the personal data, and a record kept for all the transfers.
  4. If data processors are not Hong Kong companies, how the contracts can be enforceable both in Hong Kong and in the location where the data processor are located.
  5. Whether testing by contractor should be carried out with production data and what the protection measures should be.

Assessment Checklist

  1. Policy Compliance - CSP must always process Personally Identifiable Information (PII) in accordance with the service’s stated policies that have been disclosed to customers.
  2. End-users’ Access Rights - CSP must offer tools that help customers comply with their data protection obligations to their own end-users, including allow end-users to access, correct and/or erase PII.
  3. Purpose Limitation - CSP cannot use PII for marketing or advertising without express consent of customer. Such consent should not be a condition for receiving the service.
  4. Breach Notification - CSP must notify customer of any unauthorised access to personal data or to processing equipment or facilities resulting in loss, disclosure or alteration of personal data.
  5. Data Deletion - CSP must have and implement policy for data retention and destruction after termination of a contract.
  6. Geographic Location of Data - CSP must identify countries where data may be stored, and the names of any sub-processors.
  7. Law Enforcement Requests - CSP must notify customer of legally binding law enforcement requests to disclose customer data, unless such notification is legally prohibited.
  8. Confidentiality - CSP must enter into confidentiality agreement with staff who have access to PII and provide appropriate staff training.
  9. Encryption - CSP must encrypt PII that is transmitted over public data-transmission networks, and kept in storage facilities.
  10. Independent Reviews - CSP must subject their service to independent information security reviews, including but not limited to data backup and disaster recovery process, at planned intervals, and offer customers independent evidence that appropriate measures are in place to ensure compliance with CSP’s policies and procedures.  CSP also needs to provide audit reports or claims  (if providing the rights to audit the operations is not possible) to ensure data security.
  11. Other Security Measures - You would not lower your IT Security as a result of outsourcing.
  12. Service Level Pledge - Service Level Agreement.
  13. GDPR Compliant - The CSP is GDPR compliant If GDPR is applicable to your applications/systems.

Notes:  PII stands for Personally Identifiable Information



  1. Cloud Computing
  2. Cloud Security
  3. Minimum Security Standard for Software as a Service (SaaS)