The Privacy Commissioner of Canada has made it clear that, while
privacy is not a barrier to businesses using cloud computing, it
must be taken into consideration. Related guidance has been issued in which
businesses are reminded that the Personal Information Protection
and Electronic Documents Act (PIPEDA) establishes rules
"with respect to obtaining consent for the collection, use
and disclosure of personal information, securing the data, and
ensuring accountability for the information and transparency in
terms of practices."
Organizations are expected to assess the benefits, risks, and
implications for privacy when considering a cloud computing
service. What this means in practice, however, often creates
operational challenges – particularly for those businesses
that do not have the internal expertise or resources to undertake
this analysis. For context, guidance for small and medium-sized enterprises prepared
jointly by the federal Commissioner and the information and privacy
commissioners in Alberta and British Columbia includes a
"non-exhaustive" list of more than forty questions that
need to be considered.
To facilitate contracting for cloud services, the International
Standards Organization (ISO) has issued a code of practice for
protection of personally identifiable information in public clouds
(ISO/IEC 27018). The new code will help businesses evaluate the
privacy practices of those cloud service providers who achieve
ISO/IEC 27018 augments security and operational controls found
in ISO/IEC 27002. It establishes commonly accepted control
objectives, controls and guidelines for implementing measures to
protect personally identifiable information in a public cloud in
accordance with many of the key privacy standards reflected in
privacy laws around the world.
Key privacy safeguards reflected in ISO/IEC 27018 (some of which
are to be addressed in the services agreement between the cloud
provider and the customer) include the following:
Control, Accessibility and Portability
A cloud provider is expected to process personally identifiable
information only pursuant to its customer's instructions.
A cloud provider is expected to make available tools that
facilitate end-users to access their personally identifiable
information and correct or erase it.
A cloud provider is expected to have a policy that governs the
return, transfer or destruction of personally identifiable information.
A cloud provider is expected to disclose personally identifiable
information to law enforcement only to the extent that it has a
legal obligation to do so.
A cloud provider is expected to provide notice to a customer of
a legal obligation to disclose personally identifiable information
(unless legally prohibited from doing so).
A cloud provider is expected to refrain from using customer data
for its own purposes.
A cloud provider is expected to obtain the customer's
express consent before using personally identifiable information
for marketing or advertising purposes.
A cloud provider is expected to disclose the countries where
personally identifiable information may be processed.
A cloud provider is expected to provide notice to customers of
data breaches and provide information needed by customers to meet
their notice obligations.
A cloud provider is expected to have a policy that identifies
the timeframe for providing notice of data breaches.
A cloud provider is expected to record the type, timing and
consequences of data breaches.
ISO/IEC 27018 also may be helpful to cloud service customers by
providing a mechanism for independent third-party audits or reviews
in circumstances (such as a multi-tenant cloud service) in which an
independent right to audit is impractical and might compromise
network security controls.
From a cloud provider's standpoint, compliance with ISO/IEC
27018 should enhance transparency and overall confidence in the
provider's service. This should, in turn, help to facilitate
the adoption of the provider's service and reduce the time
required to enter into a contract with customers.