ANALYSIS: Cloud Computing And Privacy Issues In Canada: Considerations For Businesses
By Roland Hung, of McCarthy Tétrault, Calgary.
Cloud computing is a fast-emerging, efficient and low-cost alternative to more traditional data storage solutions. It offers myriad advantages, including the ability to rapidly increase capacity or add capability without investing in new infrastructure, training new personnel, or licensing new software. Users have access to the latest technology, whether hardware or software, and organizations no longer need to operate and maintain servers/infrastructure at all hours of the day or night. Cloud computing is often touted as an inexpensive and easy solution, particularly in the case of public clouds that manage nearly every detail of the operation.
However, cloud computing also means entrusting data to information systems that are managed by external parties on remote servers “in the cloud”. Webmail and online documents (such as Apple MobileMe, Google Apps, and Amazon EC2) are well-known examples. Cloud computing raises privacy and confidentiality concerns because the service provider necessarily has access to all the data, and could accidentally or deliberately disclose it or use it for unauthorized purposes.
Collecting Personal Information Legally in the Cloud
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is the legislation responsible for overseeing and regulating the collection, use and disclosure of personal information by private organizations in Canada. British Columbia, Alberta and Quebec have substantially similar privacy legislation regulating the private sector. As a result, PIPEDA does not apply in these provinces.
As a result, the key to collecting information legally in the cloud is: 1) to ensure that consent has been obtained; 2) that the personal information gathered is only for the purposes identified; 3) that the personal information collected is used or disclosed only as is necessary; 4) that any collection, use and disclosure of information is reasonably needed to carry out the purposes required; and 5) that there is a privacy compliance program in the organization to address the collection and use of personal information in the cloud.
There is also the extra layer of complication stemming from the use of external service providers. The organization will need to address and ensure its privacy compliance program addresses the collection and use of the personal information by external service providers, which will be addressed below…