♬ There is no turning back from this unending path of mine…♬
Lyrics, music and recorded by HIM.
The Office of the Information and Privacy Commissioner for British Columbia has released guidelines on cloud computing for public bodies.
You can view the guidelines at the following link: http://www.oipc.bc.ca/pdfs/public/CloudComputingGuidelines(February2012).pdf
There are several interesting aspects to the guidelines:
In addition to the requirement for public bodies to protect personal information no matter where it is, FIPPA also requires public bodies to ensure that, subject to three exceptions listed in s. 30.1 of FIPPA, personal information is only stored in and accessed from inside Canada. This presents an issue for public bodies because, currently, many companies that offer cloud computing store information outside of Canada.
The report states how a public body can use the Cloud where the information is stored and accessed from outside of Canada:
Under s. 30.1(a) of FIPPA, public bodies can store or access personal information outside of Canada if the individual the personal information is about has given consent to the public body to do so. The consent must be in the prescribed manner.
Not surprisingly, the guidelines set out a reasonable standard for protection of personal information:
Whether a public body stores personal information in its own offices, across the street or throughout the world, all public bodies are legally required under FIPPA to protect that information. The standard in FIPPA is that public bodies must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.
Those following the evolving cloud standards from different bodies will be interested to read the Commissioner's guidelines regarding reasonable security arrangements. One key recommendation is that data be not only transmitted in encrypted form but also stored in encrypted form, so that a breach of the cloud provider's systems does not result in the unauthorized disclosure of personal information.
There is also a reference to a self-assessment tool, applicable to organizations and not just public bodies, that has been developed by the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia. The self-assessment tool can be found here.
Additionally, you can view a press release from the Office of the Information and Privacy Commissioner for British Columbia at the following link: http://www.oipc.bc.ca/news/2012Releases/CloudComputing_Announcement.pdf
One thing is certain… there is no turning back from this unending path to the cloud.