Hosting Data in the Cloud – Privacy Review
More and more businesses are considering moving their storage of data to the cloud. As Jason Segal pointed out in a recent movie – NO ONE UNDERSTANDS THE CLOUD!
What we do know is that cloud storage often provides a cheaper, scalable alternative to businesses investing in their own data storage infrastructure. While there are many benefits to using cloud providers, it is important to understand the risks involved. Some of the risks include:
- Take it or leave it contracts
- Data location – where is the data held? What are the rules in that jurisdiction?
- Data segregation – how is each user’s data segregated form others?
- Data recovery
- Who owns derivatives of any data hosted with the cloud provider?
The location of where the data is hosted has become a hot topic ever since the enactment of the USA PATRIOT Act, which contains extraordinary powers that may permit government agencies to access any data stored in the U.S., sometimes without a warrant or notice to the data owner.
The Law in Canada
Canadian privacy laws do not prevent outsourcing data to a cloud provider, even if that provider is outside of Canada. However, obligations are imposed on businesses who wish to outsource or host data in the cloud. As a sampling, some of the obligations include:
Businesses are “accountable” for the data in their possession or custody, including data that has been transferred to a third party for processing. This means that businesses must use contractual or other means to provide a comparable level of protection while the information is being processed or stored by a cloud provider. A contract with a cloud provider should address ownership of data, audit rights, confidentiality of data, termination rights, service levels, security warranties, breach notification and compliance with applicable law (among other things).
Businesses must also ensure that the cloud provider has adequate policies, practices, safeguards and encryption in place to protect the data.
Finally, businesses should be open about their practices and their intention to host data in the cloud (and potentially outside of Canada). Typically, this would be disclosed in a publicly available Privacy Policy.