Organizations, small and medium-sized businesses in particular, should take note of new guidance regarding privacy considerations in cloud computing jointly issued by the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia (the Privacy Commissioners).

On June 14, 2012, the Privacy Commissioners issued Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations (the Guidelines) which outline the Privacy Commissioners’ joint position on privacy considerations and risk-management strategies for small and medium-sized enterprises (SMEs) that receive the delivery of computing services over the Internet, otherwise known as cloud computing.

It may come as no surprise that SMEs are on cloud nine for cloud computing. Amongst its features, cloud computing presents a great opportunity for businesses to cut costs by reducing the cost and complexity of owning and operating computers and networks and limiting the need for information technology infrastructure, purchasing hardware and buying software licences. However, using cloud computing does present risk from a privacy perspective.

Indeed, pursuant to Canada's private-sector privacy legislation, an organization that collects personal information from an individual is accountable for that personal information even when it is outsourced to third-party providers, including cloud providers. This means that organizations will remain accountable for the collection, use and disclosure of personal information when information is stored on a cloud, and must provide individuals with rights of access to and correction of their personal information even though the cloud is operated and administered by the cloud provider.

The Guidelines warn that organizations frequently find that employees have already moved personal information to a cloud service without IT staff or management being aware. As such, the Privacy Commissioners recommend that SMEs examine their organization to determine whether their business activities already involve outsourcing personal information to a cloud provider. Key questions to determine whether this is the case include:

  • Do employees use a cloud-based email service for business correspondence?
  • Do employees use an online service to collaborate on documents containing personal customer information?
  • Can client databases be accessed online from any location?

The Guidelines identified three key variables that SMEs should consider when determining whether personal information should be stored on a cloud: the sensitivity of the information, the type of cloud (e.g., private, public, community, or hybrid), and the contractual arrangements with the cloud provider.

As massive online databases such as those created by clouds may be attractive to cybercriminals, cloud computing security is of paramount importance. The Guidelines provide a list of key considerations to manage this risk:

  • Limit access to the information and restrict further uses by the provider;
  • Ensure that the provider has in place appropriate authentication/access controls;
  • Manage, understand and assess the cloud provider’s data encryption practices;
  • Ensure that there are procedures in place to address breaches of personal information or other security incidents;
  • Ensure that there are procedures in place in the event of a service outage to ensure business continuity and prevent data loss;
  • Ensure periodic audits are performed to inspect access logs and confirm that physical locations where personal information is processed and stored are inspected; and
  • Ensure that termination procedures permit the transfer of personal information back to the organization and require the cloud provider to securely delete all personal information within a specified, reasonable time.

Contractual arrangements regarding privacy compliance and information security present a vital opportunity for organizations to minimize privacy risks arising from information being stored on clouds. The Guidelines note that many cloud providers, particularly free online services, provide set terms of service that may allow for more liberal use of personal information and retention practices than is permitted under Canadian privacy law.

With this in mind, the Privacy Commissioners advise that organizations using a cloud service must carefully review the cloud provider’s terms of service and ensure that the personal information it entrusts to the provider will be treated in a manner consistent with the organization’s privacy obligations. In particular, the Privacy Commissioners note that it may be problematic if the cloud provider is able to unilaterally change the agreement, limit its liability for the information, and/or subcontract to various other providers. If organizations are not comfortable with the terms proposed by a cloud provider, the Guidelines warn that the organizations should not transfer personal information, should push back on terms and should shop around for a better solution.

The Privacy Commissioners further advise that, before engaging services for cloud computing, SMEs should review the nature of the personal information consents previously obtained to determine whether further consents are necessary. Specifically, SMEs should be particularly vigilant of what, if anything, the cloud provider will do with personal information (for example, selling or analyzing the information or sub-contracting any services). If the cloud provider will use the personal information for purposes beyond what was originally consented to as between the SME and the individual, then a separate consent for that new use is required. In any event, SMEs should be transparent about their use of cloud providers and inform individuals that their personal information:

  • Will be transferred to a cloud provider;
  • If applicable, may be stored or processed in a foreign country; and
  • May be accessible to law enforcement and national security authorities of another jurisdiction, if the information is stored or processed in a foreign county.