Monday, July 28, 2014

ANALYSIS: Cloud Computing And Privacy Issues In Canada: Considerations For Businesses

By Roland Hung, of McCarthy Tétrault, Calgary.

Cloud computing is a fast-emerging, efficient and low-cost alternative to more traditional data storage solutions. It offers myriad advantages, including the ability to rapidly increase capacity or add capability without investing in new infrastructure, training new personnel, or licensing new software. Users have access to the latest technology, whether hardware or software, and organizations no longer need to operate and maintain servers/infrastructure at all hours of the day or night. Cloud computing is often touted as an inexpensive and easy solution, particularly in the case of public clouds that manage nearly every detail of the operation.

However, cloud computing also means entrusting data to information systems that are managed by external parties on remote servers “in the cloud”. Webmail and online documents (such as Apple MobileMe, Google Apps, and Amazon EC2) are well-known examples. Cloud computing raises privacy and confidentiality concerns because the service provider necessarily has access to all the data, and could accidentally or deliberately disclose it or use it for unauthorized purposes.

Collecting Personal Information Legally in the Cloud

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is the legislation responsible for overseeing and regulating the collection, use and disclosure of personal information by private organizations in Canada. British Columbia, Alberta and Quebec have substantially similar privacy legislation regulating the private sector. As a result, PIPEDA does not apply in these provinces.

PIPEDA and the other substantially similar privacy legislation in Canada provide that private organizations may collect, use or disclose personal information only for purposes that are reasonable, and only to the extent necessary to fulfil those purposes. Further, an organization may collect, use and disclose personal information only when it has notified the individual of the purposes for the collection and with the consent of the individual whose information is being collected, used or disclosed (unless one of the exceptions applies and consent is not necessary). This consent must be informed, meaning the organization has informed the individual of the reason the information is being collected, how it is going to be used, and to whom it may ultimately be disclosed. In some instances, the individual must also have the ability to “opt out” of having his or her information in the organization’s hands, which may mean the organization is not able to service that individual as a customer.

As a result, the key to collecting information legally in the cloud is: 1) to ensure that consent has been obtained; 2) that the personal information gathered is only for the purposes identified; 3) that the personal information collected is used or disclosed only as is necessary; 4) that any collection, use and disclosure of information is reasonably needed to carry out the purposes required; and 5) that there is a privacy compliance program in the organization to address the collection and use of personal information in the cloud.

There is also the extra layer of complication stemming from the use of external service providers. The organization will need to address and ensure its privacy compliance program addresses the collection and use of the personal information by external service providers, which will be addressed below…

  1. Read this entire article for free, simply activate your free 7 day trial access to World Data Protection Report now.
  2. (required)
  3. (required)
  4. (required)
  5. (required)
  6. (valid email required)
  7. (required)
  8. (required)
  9. (required)
  10. (required)
  11. (required)
  12. (required)
  13. Captcha
 

cforms contact form by delicious:days

Did you like this? Share it:

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

You must be logged in to post a comment.