The British Columbia Information and Privacy Commissioner has
just released some cloud computing Guidelines for public bodies.
Cloud computing (using the internet to process, manage and store
data on remote network services) can offer cost savings and other
functional benefits to public bodies, but raises particular
questions regarding compliance with BC's Freedom of
Information and Protection of Privacy Act (FIPPA). The Guidelines
point out that a public body must comply with FIPPA with respect to
all personal information in its custody or control, including
personal information that is accessed, stored or used through cloud
The Guidelines go on to describe some FIPPA obligations that are
particularly relevant to cloud computing:
Public bodies must ensure that personal information is only
stored in and accessed from inside Canada (subject to limited and
specific exceptions). If one of those limited exceptions does not
apply, it is an offence under FIPPA to store or allow access to
personal information outside of Canada without written consent from
the individual whom the information is about (or without coming
within. This requirement is relevant if a cloud computing provider
is located, operates, or has servers outside of Canada.
Public bodies must make reasonable security arrangements to
protect personal information from unauthorized access, collection,
use, disclosure, etc. In the cloud computing context, this might
entail reviewing the service provider's security
arrangements and expressly addressing security and privacy concerns
in the service contract. Public bodies should also ensure that
their own houses are in order, for example by having appropriate
security and privacy policies and procedures, access controls, and
appropriate system security measures.
The Guidelines serve to remind public bodies that FIPPA applies
to new technology solutions, and that FIPPA compliance should
always be a key consideration when implementing new technology
solutions like cloud computing.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On March 11, 2009, the Office of the Superintendent of Financial
Institutions of Canada (OSFI) released a revised version of Guideline B-10, Outsourcing of Business Activities, Functions and Processes.
Gowlings Records Management group offers services permitting the importation of digitized documents into litigation support software so records can be viewed and analyzed by counsel and client from virtually anywhere.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).