PIPEDA and Cloud Computing
♬ An’ now I’m flyin’ through the air.
On a cloud, on a cloud.
On a cloud, lookin’ down…♬
Lyrics and Music by Cody Canada, recorded by Cross Canadian Ragweed.
Further to Simon Fodden’s post on August 16, 2011 entitled: “Privacy Commissioner Releases PIPEDA Guide for Lawyers”, I thought that a relevant passage in that report dealing with safeguarding personal information and in particular, with reference to mobile devices and cloud computing, would deserve its own post. The section in question on Safeguarding Personal Information is as follows (relevant paragraphs bolded for emphasis):
Safeguarding personal information
Lawyers are familiar with the need to safeguard their clients’ information. However, like all organizations, work options available to lawyers have evolved considerably. In the course of their practices, lawyers and support staff often work using computers, laptops, smart phones and other mobile devices. The use of such devices presents a number of challenges in safeguarding personal information.
Lawyers can face a number of potential vulnerabilities in the course of their practice, including the following:
- poor security measures for paper documents, computer systems, computer applications, mobile devices, computer networks, wireless networks or email transmission;
- misplacing paper or electronic documents;
- traces left by electronic documents (i.e. metadata);
- insecure courier/postal communication; and
- third-party suppliers and partners may mishandle information (including third-parties offering cloud computing services).
PIPEDA requires personal information to be safeguarded at all times. Personal information should be safeguarded through the use of:
- physical measures, for example, locked filing cabinets and restricted access to offices;
- organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
- technological measures, for example, the use of passwords and encryption.
The more sensitive the information is, the stronger the safeguards must be.
One measure to ensure that personal information is secured is to avoid physically removing the information from the office at all, or to limit doing so to the greatest extent possible. There are many technological solutions that allow lawyers to securely access office systems remotely. Such solutions, provided they are implemented in a secure manner and employ appropriate encryption standards and firewalls, can offer the best protection for personal information.
Any laptops and other mobile devices and media must be secured, including through the use of encryption. Highest care must also be taken when working in public spaces or on devices to which more than one person may have access. As well, lawyers or law firms considering cloud computing solutions must carefully consider the privacy and security implications of any service they may create or subscribe to.
Lawyers must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Where any third-party service provider may have access to or otherwise handle personal information on behalf of a lawyer, including cloud computing service providers, it is strongly recommended that a written agreement be put in place between the third-party and the lawyer. Such a contract should include provisions governing the jurisdiction where information will be processed or stored, ownership and use of information, the level of privacy controls used by the service provider, access and correction procedures, audits, and deletion procedures. Lawyers must remember that they remain accountable for information transferred to third-parties for processing. PIPEDA also requires organizations to be transparent about their personal information handling practices. Accordingly, organizations should notify clients when using a service provider located outside Canada and advise them that their personal information may be subject to the laws of a foreign jurisdiction.
The Office of the Privacy Commissioner has developed a self-assessment tool to assist organizations measure how well they are safeguarding personal information.
Hat tip to my colleague Doug Munroe for pointing out this particular section – good advice when you are flying on a cloud.
My concern with cloud computing has to do with the US Patriot Act which gives *any* US government agency the right to request information from any database housed on US soil. Since all cloud services, to date, originate in the USA, I fail to see how PIPEDA can protect client confidentiality, or how a paper agreement with a third party provider of cloud services can protect your (or your client’s) privacy. The Patriot Act was supposed to expire in 2004, and has since been renewed every year by two successive administrations.
There are cloud providers in Canada that address this specific issue. The Patriot Act has always been an issue for non-US companies using the public cloud, but most have chosen to ignore it. As companies start to use cloud services for their core operations, this issue is coming to the forefront. Cloud can meet stringent privacy demands, but you have to be careful. Just because something is hard doesn’t mean you should not do it.