3. What is cloud computing?
• technologies that provide computation, software,
data access and storage services that do not require
end-user knowledge of the physical location and
configuration of the system that delivers the services
(Wikipedia)
• delivered over a network (typically, the Internet)
4. Categories
• Infrastructure as a Service (“IaaS”) and Storage
  • Delivers computer infrastructure, along with storage and
    networking
• Software as a Service (“SaaS”)
  • Delivers software without the need to install and run
    applications
• Platform as a Service (“PaaS”)
  • Allows the development and deployment of applications
    without the need to purchase specific hardware or software
11. Key Obligations
• Disclosure
• must disclose every relevant document in possession,
control or power
• “document” is broadly defined
• Preservation
• must preserve all relevant documents
• Serious consequences for breach
12. E-Discovery
• Electronic documents increase scope, complexity and
cost of discovery process
• Courts aware of importance of electronic documents
13. Cloud Computing and Discovery
• Disclosure and preservation obligations still apply
• Court does not care if you store data in your building or
in the cloud – only cares whether you have possession
or control
14. Cloud Computing and Discovery
• Consider risks:
  • lost data
  • non-compliant data preservation practices
  • platform not easily searched
  • sub-outsourcing
15. Cloud Computing and Discovery
• Cloud computing contract is key
• Maintain legal control over data
• Due diligence on cloud provider
• Ability to retrieve data in any circumstance
17. • When you think about Cloud Computing, consider it
as “mega-outsourcing”
18. • Regular outsourcing is when you store your data on
your own servers, but you send certain data to an
outside service provider or a service, so they can
perform a function with the data and provide a product
(e.g. send personalized cheques to your customers or
process your payroll and arrange for direct deposits for
your employees).
19. • Cloud computing means you don’t have your own
servers anymore – you’ve “out-sourced” that whole
infrastructure
20. • The key privacy law compliance issue is security of
personal information
21. • Geographic location of personal information is a
significant privacy law issue, especially for public
bodies in British Columbia (and service providers to
public bodies) but the concern with geographical
location of data really boils down to a security issue
22. Public Bodies in B.C.: Section 30.1 of FOIPPA
• A public body must ensure that personal information in
its custody or under its control is stored only in Canada
and accessed only in Canada, [unless a specific
exception applies]
• Breach of s. 30.1 of FOIPPA is an offence
• Some cloud service providers are aware of this
requirement and offer cloud services that meet this
requirement
23. Québec – Private Sector Privacy Legislation
• If using service provider outside Québec to store or
process personal information, must take all reasonable
steps to ensure that the personal information will not be
used for purposes not relevant to the object of the file or
communicated to third persons without consent
• If cannot be satisfied that the personal information will
be properly protected, must not communicate the
information outside Québec (s. 17)
24. • What about professionals (e.g., doctors, lawyers,
accountants, etc.) and businesses handling highly
sensitive personal information (e.g. banks, credit unions,
insurance companies)?
• Ethical and contractual obligations around confidentiality
may also require specialized cloud computing solutions
• Community Cloud or Private Cloud may work (e.g. Law
Society Cloud for lawyers is being considered)
25. • Private Sector - still have obligation under PIPEDA,
PIPA, the Québec Private Sector Privacy Legislation
(and, possibly, contractual obligations) to make
reasonable security arrangements to protect personal
information from risks such as unauthorized access,
disclosure, destruction, etc.
• Standard Cloud Computing contracts may not sufficiently
protect customer/employee personal information
• Requirement for transparency/notification
(customers/employees have a right to know)
26. Security issues:
• What geographic locations could be involved? Rule
some out or stipulate acceptable jurisdictions
• Reputation/history of cloud provider
• What other data will be mingled with your organization's
data? Concern re: concentration of high-risk data
• Will your organization be able to access audit logs?
27. • How quickly could you be required to produce a copy of
your organization’s records? Will your organization be
able to meet that timeframe?
• What obligations does the cloud provider have in the
event of an information security breach?
  • Immediate notification to your organization?
  • Indemnity for any damages and professional fees?
28. • What happens if the cloud provider goes bankrupt?
Backup/escrow might not be sufficient without access to
the application software necessary to decode the stored
data
• Does the contract provide for a method for your
organization to audit the cloud provider’s compliance
with its contractual security obligations?
29. • Insurance – does your organization’s insurance
coverage for information security breaches or data loss
apply if your data is “in the clouds”?
30. Thank You
Tamara Hunter
Associate Counsel,
Head of Privacy Law Group, Vancouver
tamara_hunter@davis.ca
604.643.2952