Privacy issues in the clouds
As we approach the end of Privacy Awareness Week 2013, organised by the Office of the Privacy Commissioner and other Asia Pacific privacy authorities, this seems an appropriate moment to consider the various issues that arise out of embracing technological advances.
Privacy leaks are consistently in the headlines, and many organisations are thinking about their governance. At the same time, New Zealand organisations are quickly deploying cloud computing to enhance efficiency and ease of access to information across their business.
Low prices and the convenience of cloud computing are appealing, but there are important questions to ask around the commitments that providers make on privacy, security, and data integrity.
Cloud services can be very robust in these aspects, but it’s important to ask questions because there are many variations. Practitioners may be asked to advise their clients on such matters, and they will be asking the same questions when they choose their own IT systems.
Although cloud computing is in principle just another variety of IT outsourcing, it can seem mysterious. We don’t see the physical equipment that’s at the other end of an internet connection.
It’s also important to understand that new business models which are based on the value of data for advertising mean that some cloud services providers use customer data to target advertising and develop new products. This is often the hidden price of ‘free’ or even paid-for services.
For these reasons, transparency from cloud providers about how they will use data is particularly important. When it comes to security, there are a number of established international standards that people look to, including ISO/IEC 27001 and the Cloud Security Alliance STAR Register. However, people are not always sure what to ask within the context of New Zealand’s privacy laws.
In February this year, the Office of the Privacy Commissioner published important cloud guidelines to help organisations as they consider the use of cloud services.
The Office of the Privacy Commissioner’s guidelines include asking questions such as:
- Will you be sending sensitive information to the cloud?
- What does the cloud provider do to help you keep the information secure?
- Will the cloud provider inform you if the information is accessed by others?
- What will the cloud provider use your information for?
- What binding commitments does the cloud provider make in the contract?
- What happens to your information when you stop using the service?
The full guidelines are available on the Office of the Privacy Commissioner’s website: http://privacy.org.nz/how-to-comply/using-the-cloud/ and include plain English explanations of each aspect.
Over time, it is expected that providers will start to offer standard responses to make it easier for potential customers to compare their options. If your client is a cloud service provider, it may be prudent to ask whether they have thought about doing so.
Microsoft NZ has been the first to release a standard response to help organisations assess the Office 365 cloud service based on the cloud guidance from the Office of the Privacy Commissioner (available at http://aka.ms/NZprivacyOffice365). Other cloud providers may find it useful as a template.
The standard response for Office 365 explains that Microsoft makes a contractual commitment to use customer data only to provide the Office 365 service to customers of the service. Microsoft’s policy is not to use Office 365 customer data for other purposes, such as profiling people for advertising or improving advertising services.
These use-limitations are important because customer data could include sensitive or personal information about an organisation’s staff, clients, patients, customers, or students.
The standard response for Office 365 also notes that Office 365 includes the option to deploy data loss prevention rules that can help prevent sensitive information from being leaked by email, something which is particularly relevant given recent headlines.
Andrew Hunt, CEO of technology support company Kinetics Group, says, “Electronic records are critical. I ask people, ‘How well are you taking care of your data?’ Too often we’re asked to come in after data has been lost. It’s so much better to prevent issues in the first place.”
The Office of the Privacy Commissioner’s guidance suggests “Think of what risks you currently have with handling personal information. Will using the cloud increase or decrease those risks?” Mr Hunt agrees, “The guidance from the Privacy Commissioner is a valuable checklist to use with current and future providers. If you choose carefully, cloud services can definitely be a step up.”
Privacy Awareness Week is a good time to do a privacy health check, for yourself, and your clients.
Waldo Kuipers is convenor of ADLS’s Technology and Law Committee, and Corporate Affairs Manager at Microsoft New Zealand Ltd.