Death and taxes are not the only certainties in life. Technological innovation is also a certainty. Today, accessing computing resources and sharing data through the internet, ie. cloud computing, is a reality we have to accept and address. I am not suggesting that we bury are heads in the sand and accept that “privacy is dead”. Quite the opposite. We must become knowledgeable to the point of learning how to take advantage of the benefits of cloud computing while responsibly managing the risks that cloud computing entails.
The Cloud Computing Conundrum
With cloud computing, users can access computing resources through the internet and not have to spend money on their own IT infrastructures. For low cost, users can access scalable resources, access those resources from anywhere there is an internet connection, have a customized experience, and attain levels of reliability, performance and security that they could never afford to put in place on their own.
The key downside of cloud computing is the loss of control over one’s data. With cloud computing, numerous third-party service providers, geographically dispersed all over the world, may have access to your data. That is scary. It is also scary that, through devices which connect to the internet and the scanning of email and browsing histories, private corporations and governments can closely monitor and mine data about our behaviour. Despite these risks, we must embrace technology and learn how to manage it.
The Education Sector is Striking a Cloud Computing Balance
Last week, I had the great honour of attending the annual conference for the Ontario Association of School Board Officials (OASBO). I spoke about the legal implications of cloud computing and participated on a panel about balancing benefits and dangers of cloud computing in the education sector. My co-panellists and the attendees were intelligent, compassionate people who truly care about the educational opportunities available to K-12 students in Ontario. Quite understandably, some participants shared concerns about student data being mined for profit and accessed without authority.
The real question is: How can we reap the educational benefits of the internet and manage the risks to student privacy and the exploitation of student data presented by cloud computing?
We cannot insulate K-12 students from the internet. We would fail if we tried. The world we live in is becoming increasingly wired and students demand access to on-line resources. If we created school environments where the internet was taboo, our kids could not possibly learn to be successful and compete globally in our wired-world. The answer is that we have to do our best to create and constantly maintain a reasonably secure environment where kids and teachers can use on-line teaching tools and research while minimizing risks to privacy and safety.
The Ontario Ministry of Education has made some strides in this regard. With the assistance of the wonderful OASBO contributors, the Ministry of Education has negotiated contract addenda with each of Google and Microsoft, to allow Ontario students K-12 to access Google Apps for Education and Microsoft Office365 if their school boards so choose. Essentially, these addenda incorporate some important contractual protections, and create a “walled-garden” so that school boards maintain an important degree of control on student data within the “walled-garden”. Note that Google Apps for Education and Microsoft Office365 are being provided free to the school boards for student and teacher use. Without the bargaining power that comes with pay-for-service, the addenda have done a fine job of reducing the risks of cloud computing for our kids.
Cloud Due Diligence and Contract Protections
When your enterprise has some bargaining power, what should you push for when negotiating with a cloud service provider? While you would need a lot of clout to get everything you want, here are my top 12 tips for an enterprise considering cloud computing:
- Carry out privacy impact and risk assessments prior to moving data into the cloud
- Do a security audit of the service provider
- Ask the service provide to produce any certifications to national, industry and international standards for data security, including encryption technologies
- Address the segregation of your data from other data
- Negotiate to maintain ownership of your data and the permitted uses of your data by the service provider
- Negotiate ongoing audit rights of security infrastructures
- Ensure you are provided with data breach notification and investigation rights
- Ensure there exists contingency plans for data breach and disaster recovery
- Ensure you have access to your data at all times and can obtain a copy of all information
- Ensure that the service provider can implement your enterprise retention rules and implement “holds” on data that must be preserved for litigation or regulatory purposes
- Establish parameters for termination of the contract for breach
- Put in place a procedure to ensure the deletion of confidential and personal information at the end of the contract