The Privacy Commissioner of Canada has made it clear that, while privacy is not a barrier to businesses using cloud computing, it must be taken into consideration. Related guidance has been issued in which businesses are reminded that the Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules “with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.”

Organizations are expected to assess the benefits, risks, and implications for privacy when considering a cloud computing service. What this means in practice, however, often creates operational challenges – particularly for those businesses who do not have the internal expertise or resources to undertake this analysis. For context, guidance for small and medium-sized enterprises prepared jointly by the federal Commissioner and the information and privacy commissioners in Alberta and British Columbia includes a “non-exhaustive” list of more than forty questions that need to be considered.

To facilitate contracting for cloud services, the International Standards Organization (ISO), has issued a code of practice for protection of personally identifiable information in public clouds (ISO/IEC 27018). The new code will help businesses evaluate the privacy practices of those cloud service providers who achieve certification. 

ISO/IEC 27018 augments security and operational controls found in ISO/IEC 27002. It establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information in a public cloud in accordance with many of the key privacy standards reflected in privacy laws around the world.

Key privacy safeguards reflected in ISO/IEC 27018 (some of which are to be addressed in the services agreement between the cloud provider and the customer) include the following:

Control, Accessibility and Portability

  • A cloud provider is expected to process personally identifiable information only pursuant to its customer’s instructions.
  • A cloud provider is expected to make available tools that facilitate end-users to access their personally identifiable information and correct or erase it.
  • A cloud provider is expected to have a policy that governs the return, transfer or destruction of personally identifiable information.
  • A cloud provider is expected to disclose personally identifiable information to law enforcement only to the extent that it has a legal obligation to do so. 
  • A cloud provider is expected to provide notice to a customer of a legal obligation to disclose personally identifiable information (unless legally prohibited from doing so). 

Secondary Uses

  • A cloud provider is expected to refrain from using customer data for its own purposes.
  • A cloud provider is expected to obtain the customer’s express consent before using personally identifiable information for marketing or advertising purposes.

Jurisdiction

  • A cloud provider is expected to disclose the countries where personally identifiable information may be processed.

Data Breaches

  • A cloud provider is expected to provide notice to customers of data breaches and provide information needed by customers to meet their notice obligations.
  • A cloud provider is expected to have a policy that identifies the timeframe for providing notice of data breaches.
  • A cloud provider is expected to record the type, timing and consequences of data breaches.

ISO/IEC 27018 also may be helpful to cloud service customers by providing a mechanism for independent third party audits or reviews in circumstances (i.e., a multi-tenant, cloud service) in which an independent right to audit is impractical and might compromise network security controls. 

From a cloud provider’s standpoint, compliance with ISO/IEC 27018 should enhance transparency and overall confidence in the provider’s service. This should, in turn, help to facilitate the adoption of the provider’s service and reduce the time required to enter into a contract with customers.