
Framing iT

WRITTEN BY: Peter Wicklein
Monday, 6 June 2011

Many organisations are embracing cloud computing for good reasons: mobility, points of access… the list of benefits is long. However, like any solution, it is important to make sure that it is the right solution for your particular organisation, particularly when it comes to privacy and the law.

It's important to carefully develop and analyse your organisation’s needs, and not let the expected benefits entice you down a path that may prejudice your ability to either provide or protect your data’s privacy. If you cast your mind back 10-15 years to when outsourcing became popular, you may remember that similar issues were presented. Individuals’ private information was either being inappropriately used or accessed, especially when stored or processed overseas.

Unfortunately, not all countries have the same laws of privacy as Australia. Once the data is overseas, there is little chance of remedy if things go wrong unless you have an enforceable contract, and even then, local laws can still usurp your privacy. For example, the United States Patriot Act allows the US government to access data in specified circumstances, while prohibiting the data custodian from notifying the owner. Although unlikely to happen, this is a consideration that should be taken into account when sourcing from overseas cloud service providers.

Privacy Victoria has recently released an information sheet which makes great reading with regard to the use of cloud computing and some of the considerations that should be taken into account when assessing your needs. Some of their recommended considerations below highlight my point.

Potential problems with offshore cloud service providers

  • sale of business to another entity – a change of control may impact on the contracts or obligations of the cloud service provider
  • risk of insolvency or bankruptcy of the service provider
  • changes to business units or practices that are made without the knowledge of their IT departments
  • the inevitability of government making changes to policy and legislation
  • retrieval or destruction of information once, or if, the contract with the cloud service provider terminates

The risk with any of the above scenarios is that when data is stored in an offshore cloud, the organisation loses control of the data, particularly if something goes “wrong”.

So it pays to consider these issues:

  • When the additional steps required to ensure privacy protection are considered, is there an actual cost savings benefit to the organisation?
  • Is there data protection or privacy legislation in place in the foreign jurisdiction that meets the minimum requirements in the Information Privacy Act? Is the relevant law enforceable?
  • Does the service provider have methods of notification or responding to data security breaches?
  • Can the service provider guarantee that access will not be given to foreign governments or law enforcement?
  • Is there a legislative requirement in that jurisdiction that prevents the Australian organisation from being notified of any potential access?
  • What happens at the conclusion of the contract with the cloud service provider?
  • Will information be able to be retrieved or destroyed in compliance with the Australian legal requirements mandated by the Information Privacy Act and the Public Records Act 1973?

Getting the answers to these questions is vital when considering overseas options. However, you must also make sure the same level of scrutiny applies to local or interstate providers of cloud services, as sometimes laws vary between states. The Privacy Victoria information sheet points out some salient things to consider regarding this as well.

Cloud computing, like any technology purchase, should always be carefully considered against business needs first, without quickly jumping over the risks to the benefits. Failure to do so could cost you considerably more in repairing the direct or indirect damage of a privacy breach.

© The Frame Group Pty Limited 2008–2010 | ABN 48 095 369 403