Last week a Privacy Recommendations Paper came from the Chief Information Officers Council, a government body established by legislation in 1996, to all government departments and agencies. So this paper carries a little extra clout.
Their paper (available here) succinctly describes the privacy risks of cloud computing for government agencies and departments that are considering its use. I think these recommendations would be equally useful in business considerations, especially if companies store confidential personal records.
Here are some highlights:
The purpose of this paper, and of privacy interests in general, is not to discourage agencies from using cloud computing; indeed a thoughtfully considered cloud computing solution can enhance privacy and security. Instead, the purpose is to ensure that Federal agencies recognize and consider the privacy rights of individuals and those agencies identify and address the potential risks when using cloud computing.
The paper lists the most common risks, and I’ve edited the risks to indicate a business framework rather than a federal department/agency:
• The permitted use for the information the Cloud Computing Provider (“CCP”) collected from the business entity may not be clearly defined in the Terms of Service/Contract, enabling the CCP to analyze or search the data for its own purposes or to sell to third parties.
• The data could become an asset in bankruptcy, particularly if the Terms of Service or contract does not include retention limits.
• Depending on the location of the CCP’s servers or data centers, the CCP might allow or be required to permit certain local or foreign law enforcement authorities to search its data pursuant to a court order, subpoena, or informal request that would not meet the standards of the Privacy Act of 1974.
• The individual providing the information has no notice that explains that his or her information is being stored on a server not owned or controlled by the business entity. Thus, when the individual person attempts to access his or her data, he or she is unable to do so and is left without proper redress.
• The data stored by the CCP is breached and the CCP does not inform the business or any of the individuals affected by the incident.
• The CCP improperly implements regulatory requirements for the business entity (i.e., finds them cost-prohibitive or cumbersome) and thus inadvertently allows the data it is storing in the cloud to be viewed by unauthorized viewers.
• The CCP fails to keep access records that allow the business entity to conduct audits to determine who has accessed the data.
• The business entity cannot access the data to perform necessary audits. The data has been moved to a different country and a different server and the government suffers a loss in reputation and trust.
• The business entity fails to keep an up-to-date copy of its data. The CCP accidentally loses all of the business’s data and does not have a backup.
It’s also worth noting that the paper referenced specific legislation that is also applicable to business, health care and education entities, such as HIPAA. A CCP should assume that a business associate agreement is required if PHI is being transmitted and stored on a cloud.
I highly recommend a thorough read of the paper; it offers a good framework for a privacy assessment prior to entering into a contract with cloud computing providers. Besides, it’s only ten pages long.