Cloud principles

Cloud principles for the Scottish public sector to guide beneficial decision making and behaviours when adopting and using cloud services.


Principle 3: Be responsible with data

Statement

Organisations must understand their responsibility for data, and how it affects service design, security and operation.

Why?

Data impacts on service architecture in the following ways:

  • cost
  • security
  • compliance
  • availability
  • performance

By correctly understanding and accommodating data requirements, organisations can ensure the service meets their defined success criteria while delivering a cost-effective, secure and compliant solution.

What does this mean?

  • project teams should include technical / data architects who possess skills and experience in designing, implementing and managing cloud services with complex data requirements
  • when working with personal information, start a Data Protection Impact Assessment (DPIA) as early as possible in your project. Clearly understand the risks and impacts, and incorporate proportionate security mitigations into your design
  • data lifecycle requirements must be understood and recorded upfront. Improperly understood data lifecycle requirements often result in excessive costs, poor service performance or compliance violations
  • the proposed service architecture must demonstrate how data will be processed and stored throughout its lifecycle

Digital Scotland Service Standards

Applying this principle helps you to meet the Digital Scotland Service Standards:

8. Create a secure service which protects users’ privacy: by designing a secure service that meets data compliance requirements, you can readily demonstrate that your users’ data and privacy are protected.

13. Reliable service: your responsibility with data goes beyond security and privacy. Being responsible with data also means ensuring users can access it through performant services.

Guidance

Secure your data

Be clear on the sensitivity of your data and implement proportionate security controls.

A well-considered security and data architecture should balance acceptable risk with cost and solution complexity.

Be compliant

Carefully assess and record your data compliance requirements at the beginning of a migration or transformation exercise. Understanding your data compliance obligations will provide you with a clear understanding of the constraints your data places on your project. Equally, adhering to the most stringent compliance requirements due to ‘false constraints’ can delay cloud adoption, or block it completely. This can result in a functionally or financially sub-optimal outcome.

Data Protection Impact Assessment (DPIA):

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/

General Data Protection Regulation (GDPR):

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr

Your organisation may also need to comply with other assessments or regulations.

Plan for performance

Understand your data storage, access and performance requirements, and choose cloud storage services that meet your requirements. Selecting an inappropriate storage option can lead to excessive costs, contributing to 'bill shock', and unnecessarily increasing the Total Cost of Ownership (TCO). Equally, opting for a low-cost option can negatively impact service performance, degrading the user experience.

Understand your data lifecycle

Take the time to understand the lifecycle of your data. Factors such as data retention period and how quickly you need to access archived data will have a significant impact on the cost of operating a service in the cloud compared to an on-premises deployment.

Contact

Email: Cloud1st@gov.scot

Telephone: 0300 244 4000

Post:

Cloud First
Cloud and Digital Services Division
Area 1H South
Victoria Quay
Edinburgh
EH6 6QQ

Back to top