If you, or clients of yours who operate businesses, use the “cloud” to manage the sensitive personal information of others, new guidelines from the privacy commissioners will be of interest.
In June, the federal privacy watchdog, as well as those in British Columbia and Alberta, cautioned small and medium-sized enterprises about their obligations when these firms use the cloud to store customer information. The guidelines, entitled Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations, remind operators of small and medium-sized organizations that they remain responsible for safeguarding the privacy of their customers. These firms hold this responsibility even though the information is being stored by a third party, the company providing the cloud-based computing services.
This special focus on smaller organizations reflects the reality that this sector is likely to be the one that relies most on cloud providers to store sensitive information. Outsourcing this service saves the time and money associated with in-house information technology (IT) systems.
As the guidelines note, it is now not unusual for employees to have transferred confidential client information to the cloud without the knowledge of management or an internal IT department. This could occur, for example, if a company uses a cloud-based email service or uses an online document-sharing service to execute client business.
Three main areas of concern are noted: the sensitivity of the information (which clearly includes financial information); whether the cloud deployment is private, public or a hybrid of the two; and the terms of the agreement between the business and the cloud provider.
To avoid running afoul of Canadian privacy rules, the guidelines offer a range of suggestions. These include, for instance, limiting access to the sensitive information by the provider and finding out what types of controls the provider itself uses to protect privacy. Users of cloud services also should have detailed plans to deal with privacy breaches should they occur.
Businesses that use the cloud also should think ahead about what will happen should they terminate their relationship with the cloud provider. For instance, can the confidential information be transferred back to the business, and will the cloud provider ensure that it deletes all of the information from its own systems?
Other steps to protect client information include reviewing the contract with the cloud provider. This is a key point at which to ask for terms that will minimize the risk of a breach of privacy.
Businesses also should ensure the consent they receive from clients covers various uses the cloud provider may make of the information.
In a note on the new guidelines, Toronto-based law firm Blake Cassels & Graydon LLP points out that the guidelines are intended to be practical and to help, not hinder the operations of enterprises that use the cloud. The note is available at www.blakes.com.
© 2012 Investment Executive. All rights reserved.