Cloud Computing: Trust But
Verify
14th Annual Privacy and Security Conference
February 8, 2013, Victoria
Martin P.J. Kratz, QC
Cloud Computing
• Provision of services available on the Internet
• Cloud based services widely used for consumer
applications
– increasingly being adopted for business applications
• Services typically provided on demand and
scalable
– user can expand use of the services dramatically
• Services typically provided on a per usage basis
(a pooled resource / utility model) although many
consumer based services may be provided
without charge and on terms where the user
TODAY’S DISCUSSION
• Which rules apply?
• Cloud Computing in the Private Sector
• Cloud Computing for the Public Sector
• Questions
WHICH RULES APPLY?
• To assess law that is applicable need to
determine:
– Public or Private?
– Federally or provincially regulated activity?
– What information does the organization collect, use and disclose?
Is it health information?
Is it personal employee information?
Is it information collected, used or disclosed on behalf of
another party (are they Public or Private?)
Is the information collected, used or disclosed by a third
party on behalf of the organization?
CLOUD COMPUTING &
PRIVATE SECTOR PRIVACY
PRIVATE SECTOR OVERLAP
Federal: Personal Information Protectionand Electronic Documents Act
(“PIPEDA”) BC: Personal Information Protection Act Man: PIPEDA Sask: PIPEDA Alberta: Personal
Information Protection Act
ACTIVITIES MATTER
• Legislation is
activity based
• Nature and location
of the activity (not
the organization)
dictates applicable
legislation
• Consider all
applicable
jurisdictions
• Consider scope of
obligations
Which Laws are Applicable?
• Businesses doing business in multiple
jurisdictions need to be aware of the applicable
law in each jurisdiction
• Businesses with operations and customers solely
located in a province - likely look to the law of that
province
– Alberta, BC – Personal Information Protection Act
– Quebec - Loi sur la protection des renseignements personnels
dans le secteur privé Quebec
– Other - PIPEDA
• Need to consider inter-provincial transfers of
personal information
• Contemplation of blended multi-jurisdictional
privacy compliance programs
PRIVATE SECTOR ENTITIES
MAY USE CLOUD COMPUTING
PIPEDA Case #145
• It is not a “disclosure” if the personal information is in the “control” of the customer
• Railway has agreement providing for provision of personnel files and training records to the managing organization for
management purposes
• PIPEDA 4.1.3 – organization is responsible for personal
information in its possession or custody, including information transferred to a third party for processing
• Organization to use contractual or other means to provide comparable level of protection
– Organization only provides information necessary to be processed
– Service provider limits internal disclosure on a need-to-know basis
– Agreement includes control by organization, confidentiality and other precautions reinforcing the organization’s control of the data / personal information
PIPEDA Case #394
• Email operation services provided by US service provider • PIPEDA does not prohibit one from obtaining services
across international borders
• Important for the customer to assess risks to security and confidentiality of customer personal information when
transferred to a service provider – protection measures must be formalized by contract or other means
• Must be transparent about information handling practices and notify customers that information may be available to governments of the other county under lawful orders
• The sharing of information with the 3rd party service
provider seen as a 'use' under PIPEDA that requires consent
• Once consent was obtained - change in service providers would not require a further consent
AB/BC PIPA
• It is not a “disclosure” if the personal information is in the “control” of the organization
• PIPA (BC)
– Exemption permits collection, use and disclosure of personal information without consent for services provider to assist organization to carry out work – Organization must have consent
– Service providers processing limited to the purposes in consent
• PIPA (AB)
• Definition 1(h) “organization” includes “any person acting on behalf of a corporation, unincorporated association, trade union or partnership or an individual” acting in a commercial capacity
FOCUS ON CLOUD
COMPUTING SERVICE
KEY PRINCIPLE - YOU’RE
RESPONSIBLE
An organization is responsible for personal information that is in its custody or under its control. Where an organization engages the services of a person, whether as an agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person’s compliance
with this Act.
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization
shall use contractual or other means to provide a
comparable level of protection while the information is being processed by a third party.
CLEAR ACCOUNTABILITY
5(6) Nothing in subsection (2) is to be construed so
as to relieve any person from that person’s
responsibilities or obligations under this Act
“… 5(2) affirms that a person or agent retained by
an organization, whether under contract or
otherwise, is not relieved of its own
responsibilities or obligations because it has been
retained by another organization. The end result
is that there can be accountability by on the part
of both principal and agent, organization and
CONSENT & NOTICE
• Consider consent / notice requirements:
– Initial transfer of personal information to service provider – Distinction between transfer of information for
processing and disclosure? – "use" per PIPEDA Case #394?
– Future collection, use and/or disclosure by third-party suppliers
– Is properly obtained consent / notice to collection, use and/or disclosure by a company sufficient consent / notice for performance of those activities by a
CLOUD COMPUTING TERMS
• Appropriate terms in contract with cloud
computing service providers are critical
TERMS TO CONSIDER
• Contracts with cloud computing service providers
should ideally include some or all of the following:
– Covenants restricting collection, use and disclosure of information other than for purposes for which third party is expressly retained
Typically addressed in the confidentiality provisions, but
must assess that definition of confidential information is broad enough to capture all personal information
– Covenants requiring the service provider to maintain specific privacy, safety, security and backup standards for the personal information that meet the company’s standards
– A right to audit the privacy & security practices of the cloud service provider
FURTHER TERMS
– If a cloud service provider is collecting information
directly for which consent / notice has not already been obtained, detailed requirements regarding the form and content of the consent / notice, and the manner in which it must be recorded
– Obligations to provide access to personal information to the company and its customers/employees
– A right to require the cloud service provider to modify its privacy practices at the company’s request
– An indemnity for breach of privacy (may be carved out of limitation of liability)
– Sensitivity of the personal information will dictate extent of contractual protection required
AB OIPC Investigation P2006-IR-004
• Complaint re Union – International Union maintains personalinformation about members in system in Las Vegas • Assessment of safeguards found:
– Union implemented reasonable administrative and technical safeguards at both local and international levels
– Union's policies, procedures, technical security and response to a security breach incident were compliant with PIPA
• Report assessed preventive measures used to protect personal information including:
– Training of all users, special training of system operators – Servers and data in locked secured data centre
– 5 levels of security of data – firewalls, virus, spyware, denial of service & intrusion protection
– Data encrypted during transmission – System subject to audits
AB PIPA
• Mandatory requirements for organizations using
foreign service providers include:
– Notification of individuals if service provider
outside of Canada will collect personal
information on behalf of organization
– Notification if organization will be transferring
personal information to service provider
outside of Canada
– Including information on the outsourcing
PIPEDA Case #313
• CIBC, amending cardholder agreement, notifies VISA customers on use of a US service provider and possibility that US law enforcement agencies may be able to obtain access to personal information
• No opt out possible • CPC's findings:
• PIPEDA does not prohibit use of foreign based 3rd party
service providers
• Canadian organizations must have provisions in place when using 3rd party service providers to ensure a
comparable level of protection • CIBC contract provided
– security & confidentially guarantees
– Oversight, monitoring and audit of services
PIPEDA Case #313
• personal information in the hands of a foreign 3rd party
service provider, is subject to the laws of that country and no contractual provision can override those laws
• clear that there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider — be it Canadian or US — can be
obtained by government agencies, whether through the provisions of U.S. law or Canadian law
• at the very least, a company in Canada that outsources information processing to the US should notify its
customers that the information may be available to the US agencies under a lawful order made in that country
CLOUD COMPUTING - THE
THE CHANGING LANDSCAPE
• 9/11 Terror Attacks
• Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and
Obstruct Terrorism Act (USA PATRIOT Act)
• BC Govt Serv. Employ Union vs British Columbia
(Minster of Health Services)
– Issue arises in the context of an effort by the Government to outsource certain processing
• But … access for law enforcement is normal in
other jurisdictions including Canada
• Hogan Lovells study of numerous countries
THE BC Response
• Bill 73 provides provincial offences, with fines of
up to $500,000, for outsourcing service providers
who:
– Store, access or disclose personal information of a
British Columbia public sector body outside of Canada, subject to a few narrowly defined exceptions
– Fail to provide notice to the Minister of Management Services of any foreign demand for disclosure of personal information held by the service provider; or – Discipline, suspend, demote, harass or otherwise
disadvantage an employee who, acting in good faith and on the basis of reasonable belief, complies with the notice obligations above or acts to insure compliance with the British Columbia legislation
BC Govt Serv Empl Union v. BC
• No Charter or statutory breach by outsourcing to US linked service provider
• Outsourcing of implementation and development of technology services confirmed
• Province retained ultimate responsibility for all administration and operation, assessments and final approvals
• "More than reasonable security" in structure of outsource transaction including:
– Trust provisions – Province to obtain shares of opco if risk of disclosure occurs
– Restrictions on use and control of electronic equipment by employees – $35M penalty for breach of confidentiality
– Whistle blowing requirements (contractually and legislatively by FOIPPA)
– Extensive FOIPPA provisions (Bill 73) to ensure records kept in private and in BC
– All information remains property of Province – Prohibition on disclosure of data
Features post Bill 73 in BC contracts
• Requirements for segregated data access • Requirements to keep individual user logs
• More use of non-disclosure agreements (between individual service provider employees and the public body, between employees of a sub-contractor and the service provider, and between employees of the sub-contractor and the public body)
• Annual oath requirements for service provider and sub-contractor employees
• Restrictions on access of foreign-based employees to personal information, where these employees work on transition and transformation activities
• Limitations on data access generally, including data remote access
Features post Bill 73 in BC contracts
• Corporate internal limitations on data access, cutting off extra-provincial access
• Alarm notification facilities to alert the public body to copying or unusual access activity
• Prohibitions on service provider staff outbound web and email access
• Restrictions on data portability hardware to only designated personnel
• Dedicated service provider privacy officers to monitor compliance
• Financial penalties in contract in the event of disclosure or privacy breaches
Mission School District No. 75
• Use of US based on line assessment tool
• Unions allege breach of FOIPPA to BC OIPC: – Security arrangements reasonable?
– Adequate consent to storage and access of the personal information?
• Commissioner finds:
– S. 30 FOIPPA requirement to make reasonable security arrangements does not foreclose contracting out of
services
– Public body cannot contract out of its privacy obligations – Must provide reasonable security having regard to the
nature of the personal information involved and
seriousness of consequences if unauthorized disclosure – Found adequate consent through click to agree
Nova Scotia Response
• Personal Information International Disclosure
Protection Act 2006 SNS 2006, c 3
• Requires that information under the custody and control of a public or government body be stored only in Canada and accessed only in Canada
– Unless individual has consented to its storage or disclosure outside of Canada
– Unless for permitted disclosure
• Permits public body or service provider to
disclose personal information out of Canada for
many lawful purposes including for law
AB Suggestions
• Alberta's commissioner recommended creation of
an Alberta government checklist or model
outsourcing contract, which would be applicable
to consider in a cloud computing context :
– A prohibition on the assignment or subcontracting of the outsourcing contract without the written consent of the public body
– A requirement of notification by the outsourcer in the event of a notice of creditor's remedies or Court
applications for bankruptcy or protection from creditors – A requirement of notice on any demand for access to or
disclosure of personal information received by the outsourcer
AB Suggestions
– A requirement of notice of any loss or unauthorized access to personal information by the outsourcer or its employees
– A right to audit for both compliance with the contract and with any legislation stipulated to be applicable to it (i.e. Alberta FOIPPA, the Health Information Act, etc.)
– A requirement for the outsourcer to have in place a
system to monitor or audit its own use and disclosure of the personal information, with an access provision for the public body to review those logs on certain
conditions
– Stipulated consequences for breach including
mandatory return of all copies of personal information and assistance in recovering lost or otherwise disclosed personal information
The Federal Response
• Federal Treasury Board Secretariat released:
– A policy guidance document “Taking Privacy into Account Before Making Contracting Decisions”
– A strategy paper entitled “Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows”
Review of Licensing Automation
System
• PC 12-39 Ont. Priv. Comm.
• Ministry of Natural Resources uses US licensing
automation system to manage hunting & fishing licenses • Privacy Impact Assessment conducted before proceeding • OPC: Ontario has no legislative prohibition on storing
personal information outside of Ontario or Canada
• Prov. Institution obligated to ensure reasonable measures in place to protect privacy and security of records
containing personal information
• Risks of PATRIOT ACT similar to those of law enforcement access in Canada – rely on PIPEDA case #2005-313
Review of Licensing Automation
System
• Safeguards found sufficient and include: – All data owned by the Ministry
– Agent cannot use, collect or disclose personal information for unauthorized purposes
– All personal information is subject to confidentiality obligations
– Require notice of compelled disclosure
– No subcontracting without Ministry consent
– Agent to ensure security and integrity of all personal information in its possession
– Agent to return all information at end of term, retaining none
– Provision for audit of privacy and security compliance – Governing law Ontario
Existing Practices
• The segregation of personal information being handled
under the contract from other records held by the contractor • Audit trails to closely monitor how information is being
handled
• The limiting of right-to-access based upon specific user profiles
• Approval by the government of any subcontracting
• The return or approved destruction of all records at the end of a contract
• The signing of non-disclosure agreements
• The use of encryption technology allowing only government officials to view the decrypted data
New Practices
• The inclusion of a new step in the solicitation checklist for service contracts that asks for the review of direct and
indirect risks involving personal and proprietary information • Use of multi-disciplinary teams to review proposed
contracting arrangements
• Monitoring of all contracts where foreign companies have access to personal or other sensitive information
• Adding contractual requirements that part or all of the work be completed within the institution (especially when health information is involved) or within Canada
• Ensuring by contract that personal information or other protected or classified information is shared with third parties only where warranted
New Practices
• Consultation with legal services for all future contracts
where personal or sensitive information will be exchanged or provided to third parties to consider inclusion of
provisions that prevent disclosure under any foreign legislation
• Modification of contract forms to allow contract authorities to better assess risk
• Exploration of technological solutions to protect information flows
• Amendment of training plans to increase department-wide assessment of risks
• Development of risk management approaches related to business and personal information to mitigate risks
associated with foreign legislation, which will in turn be
incorporated in the institution's corporate risk management framework
Final Comments
• Do your Due Diligence
– know your service provider / customer
– know your jurisdiction(s)
– know your transaction
• Understand the obligations
• Design the cloud computing service
relationship to address privacy and
security safeguards
• Look to public sector guidelines as
checklist
QUESTIONS?
Martin P.J. Kratz, QC