In February the Office of the Privacy Commissioner published its privacy checklist for small businesses thinking of using cloud services, called Cloud computing: A guide to making the right choices (to view the whole checklist click here). The checklist sets out key privacy issues that businesses should consider and questions those businesses should ask cloud providers before handing over any personal information.

At a high level, the checklist covers the following key areas:

  • What is personal information? If it is about an identifiable individual, it is personal information.
  • What is the business responsible for? The business is responsible for ensuring that the information is stored safely, can be provided if the person who is the subject of the information wishes to see it, and can be destroyed when no longer needed.
  • What does the business have to do to keep information secure? It recommends that all personal information be encrypted in transit and businesses should consider what security measures or certifications the cloud provider has.
  • What happens if it all goes wrong? It recommends checking the proposed contract to determine what obligations the cloud provider has and what remedies are available in the event of a security breach.
  • What should you tell customers? It recommends that businesses tell people upfront if their information will be held offshore and, if so, where.
  • How are customer requests to see and correct the information handled? It recommends that businesses consider an alternative cloud provider if the business cannot not access personal information when needed to comply with information requests.
  • Does location matter? The checklist discusses issues relating to conflicting privacy laws and the ability under certain laws for other agencies to access personal information held in those countries. It recommends locating information in countries with similar privacy laws to New Zealand.
  • How much information does the cloud provider see? The checklist recommends businesses find out which of the cloud provider's staff get access to the business' information and how that access is controlled and monitored.
  • How do you get the information out? Can the information be retrieved or deleted if the contract comes to an end? The checklist sensibly says you need to be able to get your information out in an appropriate format when the contract ends and that you are able to verify the provider doesn’t retain copies of your information on its servers.

The key message for businesses using cloud services is that the business remains responsible for protecting personal information - whether that information is held on the company's own computers or in a shared data centre in New Zealand or offshore.