Getting Lost in the Cloud: Privacy and Cloud Computing

By Bryant Duhon posted 01-28-2014 16:41


Join Else Khoury in Orlando for AIIM 2014 for a conversation about the Cloud and privacy. Although cloud computing presents a compelling business case for companies looking to reduce spending, streamline processes, and increase accessibility, the very idea of trans-border data flows raises the hackles of privacy advocates all over the globe. In Canada, government and members of the public have expressed serious concern over the potential misuse of personal information gone offshore. Join Else for an overview of those concerns and what they might mean for your organization.

Else Khoury is the Manager of Information Management Services and the Freedom of Information and Privacy Coordinator for Niagara Region, an upper-tier municipal government body which serves a population of 440,000 in Ontario, Canada. Else is in the unenviable position of managing privacy issues for approximately 3,000 staff, many of whom believe that “the cloud” is the best thing since chocolate-dipped bacon. Else is responsible for developing policy, training, and compliance on FOI, Privacy, and Information Management, which she accomplishes with the help of an incredibly dedicated team and a healthy dose of ridiculous idealism.

The dawn of cloud technology has brought with it unprecedented opportunities to address issues which in the past have limited productivity, economy, and efficiency. The resulting ability to collaborate and share information regardless of geographic boundaries or the confines of technical infrastructures has resulted in the opening up of creative and collaborative processes.

But with these benefits come questions: Where is my information going? How is it getting there? Who has access to it?

Following the events of 9/11, the enactment of invasive and restrictive laws like the USA Patriot Act and the Canadian Anti-Terrorism Act opened up a whole host of new questions: Who has access to my information and what will it be used for without my ever knowing?

While it is true that the ability to share data for security purposes across borders existed long before the Patriot Act was put into place, the recent exposure of the National Security Association’s international surveillance activities has brought these concerns into sharper focus.

In Canada, privacy law exists at the federal, provincial, and municipal levels, and applies to both the public and private sector. Each law is monitored and overseen by a Privacy Commissioner, who in most cases has the power to investigate and order actions when an impropriety has occurred. Many Commissioners are highly visible public figures with the ability to shine a spotlight on an institution’s privacy-related transgressions, with the damaging result of a sudden and dramatic loss of public trust in the institution in question.

Across the country, Privacy Commissioners have taken different positions on cross-border information transfer and the Cloud in general. While most have recommended a cautious and considered approach, some have gone so far as to prohibit the off-shore transfer of personal and personal health information.

With these restrictions in mind, how’s a global cloud service provider to compete? And as a consumer, what questions should you be asking before jumping into the Cloud?

For service providers, the answer is simple: do your research so that you will be able to placate the doubts of potential clients, especially those in the public sector. Considering various legislative requirements ahead of time is essentially the first step of Privacy by Design, a concept developed by the Information and Privacy Commissioner of Ontario. Ensuring that the principles of privacy protection are embedded into each cloud solution and/or contract will go a long way to addressing the concerns government organizations and individuals may have.

For consumers and users, think about:

· Who is collecting your information?
· What are they collecting?
· Where is it going to be held/moved/stored?
· How will your information be protected?
· When will it be destroyed?
· Why does the service provided need this information?

And yes, this means actually committing to reading those terms before you click “I agree”. If you have any discomfort with the answers that you receive to these questions (or if you don’t receive answers at all), consider whether the service you are considering engaging in is worth the potential risk to your own (or your clients’) privacy.

The Cloud represents the solution to many modern information-based problems. Ensuring that privacy has been factored into the provision of cloud services is the right thing to do, for ourselves and for business.

#privacy #AIIM2014 #cloud #AIIM14