Athentic Consulting’s team of experienced experts bring you the
latest news and insights in law and regulations.

Digital Transformation with Cloud: The Challenges of Cloud First Policy and PDPA Compliance

In an era where data has become as valuable as oil, the ability to store, access, and process information rapidly through advanced technology has transformed data into the driving force behind both public and private sectors. One of the key policies addressing this transformation is the "Cloud First Policy," which aims to make organizations more agile, efficient, and responsive to customer and citizen needs.

However, migrating massive amounts of data to the cloud inevitably brings risks related to data security and data privacy for data subjects, particularly when considering Thailand's Personal Data Protection Act B.E. 2562 (PDPA).

Origins of Cloud First Policy in Thailand

The Council of Ministers in Thailand has adopted the "Cloud First Policy" to drive the public sector toward comprehensive digital transformation. The goal is to make government services more convenient, faster, transparent, and accessible to citizens—whether for document submissions, information access, or using various online systems, all hosted on secure and modern cloud systems.

This policy began with the "Go Cloud First" policy statement to parliament in September 2023, in which the Council of Ministers declared its commitment to making cloud technology the primary tool for modernizing government administration so that it is contemporary, transparent, and efficient. Subsequently, in November 2023, it approved and supported relevant agencies to accelerate implementation of this policy, demonstrating a serious commitment to entering the digital age comprehensively.

Nevertheless, to prevent redundant investments and inefficient resource use, the Council of Ministers decided to postpone cloud procurement and rental projects for the public sector in early 2024. The reasoning was to wait for clarity on the National Digital Infrastructure Master Plan or "National Cloud," which would serve as a unified guideline that all agencies could follow and use as criteria for appropriately selecting cloud services in terms of security, standards, and costs.

In June 2024, the Council of Ministers established a special committee to set guidelines, define operational frameworks, and implement this policy as effectively as possible. This represents a significant step in making cloud adoption in the public sector a reality with unified direction nationwide.

The core of the Cloud First Policy is selecting cloud service providers that meet high standards of security and reliability, enabling public sector data to be connected efficiently, reducing redundant work across agencies, and providing citizens with faster, more targeted services. This elevates government services to match private sector standards and keeps pace with changes in the digital world.

What is Cloud First Policy?

"Cloud First Policy" doesn't require completely abandoning existing systems or servers, but rather prioritizes "Cloud Computing" services for data storage as the first choice before investing in various IT infrastructure development. Organizations must select appropriate cloud systems based on the nature of different types of work, including:

  • Public Cloud: Cloud services open to the general public or various organizations through the internet. Users don't need to manage infrastructure themselves but share resources with other users in the system. All resources are under the control of the cloud service provider, helping save costs and enabling quick deployment. Suitable for general use such as file storage, document sharing, and online email systems. Examples include Google Drive, Gmail, OneDrive, Outlook, Dropbox, Zoom, Google Meet.
  • Private Cloud: Cloud designed specifically for a particular organization, with restricted access rights and strict system control. All resources are under the control of the service user. Suitable for agencies requiring high security, such as public-sector agencies, financial institutions, or hospitals. Examples include government personnel HR systems or hospital medical record systems.
  • Hybrid Cloud: Cloud that combines public and private cloud usage to achieve both security and flexibility. Organizations might store important data in private cloud while using public cloud for general work. For example, storing customer data in the organization's cloud system but using Google Meet for meetings, or storing school exam scores in a closed system but using Google Classroom for learning.

Case Study: Cloud Technology Usage

While the Cloud First Policy plays a crucial role in pushing public sectors toward modern, flexible, and more efficient work systems, data security—particularly personal data security, which is a core principle of PDPA—cannot be overlooked and remains central to citizen data processing and management.

Under PDPA, agencies that collect or process personal data must have comprehensive security measures covering organizational measures, technical measures, and physical measures to address personal data breaches, such as data leaks, loss, or unauthorized access. These concerns become especially critical when agencies use external cloud services, particularly when clouds store data in foreign countries. Without appropriate security measures, the risk of personal data violations significantly increases.

The following case study reflects the risks that can arise even with a major global cloud service provider such as Google Cloud: the UniSuper case in Australia. UniSuper is a pension fund company serving employees in Australia's education and research sectors, managing member assets worth over $125 billion. In May 2024, UniSuper's cloud system hosted on Google Cloud was accidentally deleted due to a Google Cloud initial configuration error. This resulted in temporary loss of data for over 600,000 pension fund members and complete service disruption.

While Google Cloud was able to restore data from external backup systems later, this incident highlighted risks that can occur even with world-renowned cloud service providers and raised concerns about Google Cloud's data security reliability.

This event serves as an important reminder that moving to cloud systems under the Cloud First Policy must be accompanied by strict responsibility for personal data protection under appropriate legal frameworks and adequate security measures.

How to Use Cloud in Compliance with PDPA

Key issues that public and private sectors must address when using Cloud technology include:

1. Data Processing Agreement (DPA) with Cloud Service Providers

Organizations must create a DPA, which is a legal document defining data processing agreements between "Data Controllers" and "Data Processors." This establishes the scope, purposes, and responsibilities for personal data processing by cloud service providers, who serve as data processors under PDPA. This ensures data is used only for the specific purposes necessary to provide cloud services according to the agreement, is not used beyond the agreed terms, and has security measures that meet the minimum standards required by PDPA.

2. Cross-Border Data Transfer Verification

Many people may believe that if personal data is stored in cloud systems located in foreign countries, it automatically constitutes "cross-border data transfer" under PDPA. However, this isn't true in all cases.

The Office of the Personal Data Protection Committee (PDPC) has defined a "cloud service provider" as a provider that stores or holds data for others, in temporary or permanent form. It has also defined "cross-border data transfer" as excluding two situations: sending and receiving personal data where the foreign system serves merely as an intermediary for data transit between computer systems or networks, and data storage where no external party can access the personal data except the data controller or data processor who sent it. This covers data transmission through foreign networks or through a cloud computing service provider's systems where, because of the technical measures or legal conditions in place, no one other than the data controller or data processor who sent the data can access the personal data.

Therefore, when an organization stores data in cloud systems located in foreign countries, where no one other than people within the organization can access it, this is merely data storage and is not considered cross-border data transfer under PDPA. Conversely, if external parties can access or manage the data in the cloud—such as having rights to view, edit, or use it further—this may be considered "cross-border data transfer." If those who access the data are in foreign countries, the organization may need to comply with Sections 28 and 29, such as considering whether the destination country has adequate personal data protection standards or establishing Standard Contractual Clauses (SCC) for personal data protection.

3. Appropriate Security Measures

Organizations should choose cloud services with appropriate security measures that comply with the minimum standards set by the Personal Data Protection Committee. Such measures must include organizational, technical, and physical measures, such as data encryption in transit and at rest, data backup, employee training on the importance of personal data, and physical access control to premises. Measures must consider the ability to maintain confidentiality, integrity, and availability.

Regarding access, use, modification, correction, deletion, or disclosure of personal data, measures must include at least: access control, user access management, user responsibilities, and audit trails to prevent and reduce the risk of data breaches.

4. Channels for Data Subject Rights Requests

Even when personal data is stored or processed through cloud systems, data subjects always retain the rights guaranteed by PDPA, such as:

  • Right of access
  • Right to data portability
  • Right to erasure
  • Right to withdraw consent

Therefore, organizations have a duty to provide clear and easily accessible channels for handling rights requests, whether through websites, applications, or other electronic channels. There should be forms or systems that can immediately forward requests to the relevant parties, with processing timeframes that meet the legal requirements.

Importantly, organizations must create a Privacy Notice to clearly inform data subjects that their data will be protected according to PDPA and what rights they have regarding their own data, even if that data is stored in cloud or external service provider systems.

5. Data Protection Impact Assessment (DPIA)

Before organizations implement cloud systems, they should conduct a DPIA to assess potential risks and establish measures to address them. This applies especially when they need to collect or process sensitive personal data (such as health data, racial or ethnic origin data, or criminal history data), data from vulnerable data subjects (such as minors or disabled persons), or data on a large scale.

DPIA is an important tool that helps organizations see the overall risk picture that may affect individual rights and freedoms and enables appropriate preventive measures, such as selecting cloud service providers with high security standards, clearly defining data access rights, or configuring systems to support automatic data encryption.

Beyond helping identify impacts and preventive measures, DPIA serves as important evidence demonstrating that organizations are aware of and implementing appropriate personal data protection principles. It also helps prioritize risks, plan responses to potential incidents, and ensures cloud usage meets standards and reliability.

Therefore, the "Cloud First Policy" is not just about moving data to the cloud, but represents a fundamental shift in mindset and work processes across government and all sectors to fully embrace digital transformation. Cloud adoption must prioritize data security and comply with PDPA. Through strategic planning and selecting appropriate technology, the government can deliver public services that are efficient, transparent, and modern.


Punsuree Kanjanapong
Lead - Legal Technology Counselor
Pilanchalee Sae-Fung
Legal Technology Counselor
Patipon Prakobkit
Legal Technology Counselor