• News & Events
• News
• News Archive
• Media Contact

Privacy Commission red flags data in the cloud

By Ben Winslade, Senior Solicitor

A version of this article was first published in Computerworld 23 May 2011

Earlier this month, the Privacy Commissioner released the results of a survey of current practices relating to the international transfer of personal information by New Zealand organisations. The survey confirmed both that the international transfer of personal data was increasingly common, and that there are a number of gaps and deficiencies in the ways that New Zealand organisations are currently managing the privacy risks.

Importantly for organisations trying to work out what practical compliance steps they need to take in a cloud computing context, the survey results also provide further indications about the types of controls and safeguards which will be expected. While the results certainly do not offer any concrete guidance on what is required, they do provide some further helpful pointers towards the actions the regulator is likely to be looking for.

Questions about privacy and security are often cited as a factor which holds organisations back from wider take up of cloud computing. This was confirmed again in this survey, as privacy concerns emerged as the second most common reason given by organisations who are not currently using overseas ICT infrastructure.

Privacy and security concerns can be separated into two categories. The first is probably the most obvious – a practical consideration of whether an organisation feels comfortable entrusting its sensitive commercial and personal information to a cloud provider. This one is definitely a debate for the data security experts, not the lawyers. On the one hand there may be greater risk in spreading your information across a number of different data centres in different geographical locations, but on the other hand you might think that your information is actually more secure with the might of Google or Microsoft taking care of IT security, rather than a small in-house IT team with a lot of other things on their plate.

The other aspect to the security debate is a legal one though. This is because under Principle 5 of the Privacy Act 1993, where a customer agency provides its information to a cloud provider, that customer agency is under a specific obligation to ensure that “everything reasonably within the power of the agency is done” to prevent unauthorised access or disclosure. This is quite an onerous obligation. Even if you have taken a number of quite detailed (and costly) steps, it is difficult to be certain that you have done everything reasonably within your power. When thinking about satisfying this requirement, organisations are right to query whether filling in a few details online and clicking “I agree” to the supplier’s standard terms will be sufficient.

Because the legal standard is so high, guidance from the regulator about the sorts of practical measures she will deem to be sufficient will be genuinely welcomed. However, in the meantime, it is possible to highlight a number of points from the results data to assist in the consideration of practical compliance steps:

• Security controls need to be broader than just in transit. Substantive protection for the actual transmission of the data between New Zealand and its international location was found to be quite widespread. However the controls on the use of the information once it is overseas were found to be less convincing.
• Contractual safeguards are a minimum. A number of organisations relied on contractual safeguards to control how service providers use and protect the data. If contractual clauses are to become the primary means of protecting privacy and security (as in other parts of the world), then it becomes quite important to get the drafting of those provisions right. Reliance on the supplier’s standard terms may not always be appropriate.
• Check that the provider does what it says it will.While a number of organisations claimed to use contractual conditions to protect their data, only a small minority actually carried out independent audits to check if the provider was complying with those conditions. The Commissioner highlighted in her presentation accompanying the survey results that she sees this as a particularly important step.
  
•  Individuals should be given genuine notice. The survey results noted with alarm that in many cases individuals are not informed that their personal information is being sent overseas. A significant majority of agencies currently either do not tell individuals at all, or only reveal this when asked. In some cases these practices are likely to be in breach of Principles 3 or 4 of the Privacy Act 1993.
  
• Internal decision making processes are important.The results revealed that decisions to use overseas IT infrastructure are predominantly being made on an ad-hoc basis – relatively few agencies have policies in place to assist these decisions. Given the complexity of the legal and technical risks involved, having a consistent decision making process in place to consider the risks and determine appropriate mitigation measures is an invaluable compliance tool.

The survey is the first step by the Privacy Commissioner towards the development of specific guidance on the privacy issues involved in cloud computing. Comments made by the Commissioner accompanying the survey seem to confirm that further regulatory activity is likely in this area. The Commissioner explained that, “If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer, it is imperative that privacy issues are tackled and got right."

These warnings highlight the importance of thinking about the privacy issues early and structuring any cloud computing arrangement so as to “get it right” from the outset. Often once a system is already in operation or a complaint arises, it can be difficult to un-do what has already been done.

The fact that there are privacy and data security risks involved in cloud computing does not mean that organisations should be prevented from taking advantage of the cloud’s benefits, but it does make it worthwhile to think carefully about the best steps to take to address those risks. Hopefully future guidance from the Commissioner will provide New Zealand organisations with more specific recommendations about the steps they need to take to manage the privacy risks in cloud computing. However, in the meantime, there is enough information and guidance out there for agencies to start taking action to put themselves in an improved compliance position.

The full text of the survey results can be found at: http://privacy.org.nz/offshore-ict-new-survey-results/

• Ben Winslade is a senior solicitor at national and trans-Tasman lawyers Duncan Cotterill. He is a specialist in information technology, data privacy and intellectual property and has worked with some of the world’s leading technology multinationals, large corporate IT customers, small start-up businesses and government departments.