Canadian Privacy Commissioners have issued guidance for small and medium-sized enterprises regarding the use of cloud services. The guidance cautions organizations to comply with Canadian privacy law requirements when procuring and using cloud services.

Cloud Services and Privacy Laws

Cloud services make information technology (“IT”) resources and services available as a utility or consumption-based service, and enable an organization to outsource its IT requirements (including data processing and storage) to a specialist cloud service provider (“CSP”). The use of cloud services to process and store customer data and other sensitive business information can provide both significant benefits and substantial risks.

Canadian privacy laws impose restrictions and requirements on private sector organizations regarding the collection, use, disclosure, retention and disposal of personal information, which is defined broadly to include almost any information about an identifiable individual. Under Canadian privacy laws, an organization remains accountable for personal information that it outsources to a third party (such as a CSP) for processing or storage. Privacy laws expressly require that an organization protect personal information with safeguards appropriate to the sensitivity of the information, and use contractual and other means to ensure that personal information is properly handled and protected by the organization and its service providers.

Regulatory Guidance

In June 2012, the Privacy Commissioners of Canada, British Columbia and Alberta jointly issued a guidance document entitled “Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations” to help small and medium-sized enterprises (“SMEs”) understand and comply with their privacy responsibilities regarding the use of cloud services. The guidance document reminds that an organization remains accountable for protecting personal information provided by the organization to a CSP for processing and storage, and an organization must be transparent about its personal information management and privacy practices. Following is a summary of some key recommendations in the guidance document:

Legal Obligations: An organization should understand its legal obligations and potential liabilities regarding personal information and the use of outsourced data services generally and cloud services in particular.

Identify Current Cloud Services: An organization should investigate and identify all of its current uses of cloud services.

Risk/Benefit Assessment: An organization should understand and assess the risks and benefits of using a particular cloud service, including a detailed assessment of the nature of the cloud service and the underlying infrastructure/ technologies/processes, the kind and sensitivity of the personal information that will be processed/stored using the cloud service, the reasons for using the cloud service to process/store the personal information, and the contractual arrangement governing the cloud service. An organization may benefit from professional assistance in assessing the risks of a cloud service.

Contracting: An organization must carefully review a CSP’s terms of service and ensure that the personal information it entrusts to the CSP will be treated in a legally compliant manner. The contract should clearly specify and limit the CSP’s use of the organization’s personal information. A CSP’s standard form contract may not be sufficient to allow an organization to comply with its privacy obligations, and might be particularly problematic if the CSP can unilaterally change the contract or subcontract to other providers or if the contract limits the CSP’s liability for personal information. Negotiated revisions to a CSP’s standard form contract may be necessary for legal compliance.

Security Assessment/Audits: An organization should assess the security of the organization’s proposed use of the cloud service (including access restrictions, authentication/access controls, encryption, security breach procedures, business continuity and data recovery/protection plans and termination procedures) and conduct periodic audits to verify compliance.

Consents/Transparency: An organization should ensure that it has appropriate consents from individuals to the organization’s outsourcing of personal information to a cloud service and any additional use of the personal information by the CSP. An organization should effectively inform individuals that their personal information will be transferred to a CSP and may be processed or stored in a foreign country and be accessible by foreign law enforcement and national security authorities (if applicable).

Cross Border Considerations: An organization should consider the implications of using a cloud service that processes or stores personal information in locations outside Canada, where the information is subject to foreign laws and may be accessed by foreign courts, government agencies, and law enforcement.

Control: An organization should ensure (including through contract provisions) that it retains ownership and control of the personal information it provides to a CSP and has the right to access the information at any time, make corrections to the information, investigate allegations of non-compliance and give timely notice to affected individuals (if appropriate), resolve issues and complaints, and terminate the cloud service and retrieve (with proper verification) all personal information from the CSP.

The guidance document also provides a list of some key questions that SMEs should take into account when procuring a cloud service and references other useful guidance documents.