The document discusses the privacy risks associated with cloud computing, highlighting the loss of control over data and governance. It outlines Canadian privacy laws and the implications of U.S. legislation like the USA Patriot Act on personal information. Additionally, it emphasizes the need for accountability and strong contracts when outsourcing services to ensure compliance with privacy standards.

1. #AIIM14
#AIIM14
#AIIM14
Ge#ng
Lost
in
the
Cloud:
Privacy
Risks
and
Cloud
Compu<ng*
*with
apologies
to
Joni
Mitchell
Else
Khoury
Manager,
Informa8on
Management
Services/Freedom
of
Informa8on
and
Privacy
Coordinator
Niagara
Region
@ElseKhoury

2. #AIIM14
It’s
All
About
Me
§ Freedom
of
Informa8on/Privacy
Coordinator
§ Regional
Municipality
of
Niagara
§ Federal
Provincial
Regional
Municipal
§ Public
health,
planning,
public
works,
Seniors
care
§ Responsible
for
privacy
compliance
BUT
no
tangible
authority,
inconsistent
compliance
measures
§ Shameless
fear-­‐mongering:
it’s
kind
of
what
I
do

3. #AIIM14
Thank
you,
Edward
Snowden
You
just
made
my
job
a
lot
easier

4. #AIIM14
Bows
and
flows
of
angel
hair,
ice
cream
castles
in
the
air
I’ve
looked
at
Cloud
that
way
§ Flexibility
§ BeOer
reliability
§ Enhanced
collabora8on
§ Efficiency
in
deployment
§ Portability
§ Poten8al
cost
savings
§ Simpler
devices

5. #AIIM14
But
now
they
only
block
the
sun,
They
rain
and
snow
on
everyone
Cloud
got
in
my
way
§ Loss
of
control
by
customer
over
technology
infrastructure
/
loss
of
governance
§ Possible
loss
of
control
over
loca8on
of
data
§ Concerns
about
segrega8on
of
data
§ Data
reten8on,
destruc8on
§ Rights
to
data
§ Data
security
§ USA
Patriot
Act

6. #AIIM14
Caught
in
the
Cloud

7. #AIIM14
Privacy
Defined
§ U.S.A.
Protec8on
of
Liberty,
i.e.,
protec8on
from
government
§ Canada
Individual
autonomy
through
personal
control
of
informa8on
Privacy
Law
in
the
United
States,
the
EU
and
Canada:
The
Allure
of
the
Middle
Ground
Avner
Levin
and
Mary
Jo
Nicholson,
2005

8. www.aiim.org/infochaos
Do
YOU
understand
the
business
challenge
of
the
next
10
years?
This
ebook
from
AIIM
President
John
Mancini
explains.

9. #AIIM14
Canadian
Privacy
Laws
§ Privacy
Act
(Federal)
§ PIPEDA
(Personal
Informa8on
Protec8on
and
Electronic
Documents
Act)
Ontario:
§ FIPPA
(Freedom
of
Informa8on
and
Protec8on
of
Privacy
Act)
§ MFIPPA
(Municipal
Freedom
of
Informa8on
and
Protec8on
of
Privacy
Act)
§ PHIPA
(Personal
Health
Informa8on
Protec8on
Act)

10. #AIIM14
They’ve
looked
at
Cloud
from
both
sides
now
Chantal
Bernier,
Federal
Privacy
Commissioner
Ann
Cavoukian,
Informa8on/
Privacy
Commissioner,
Ontario
Jill
Clayton,
Informa8on/Privacy
Commissioner,
Alberta
Elizabeth
Denham,
Informa8on/Privacy
Commissioner,
Bri8sh
Colombia

11. #AIIM14
From
up
(federal)
…Canadian
government
agencies
can
obtain
personal
informa;on
held
in
Canada
about
foreign
individuals,
just
as
a
foreign
government
can
obtain
personal
informa;on
that
may
be
held
in
that
country
about
Canadians.
§ Privacy
Implica8ons
of
the
USA
Patriot
Act,
2004

12. #AIIM14
Ontario
…There
will
always
be
law
enforcement
methods
and
techniques
that
will
access
certain
types
of
informa;on
here,
there
and
everywhere.
What
you
should
concern
yourself
with
is
the
kind
of
accountability
that
you
will
be
able
to
maintain
if
your
e-­‐mail
systems
go
into
the
Cloud.
§ Exploring
the
Future
of
E-­‐Mail,
Privacy
and
Cloud
Compu8ng,
Ryerson
University,
Toronto,
2011
(Ontario)

13. #AIIM14
And
down
(B.C.)
…personal
informa;on,
including
informa;on
in
computer
logs
and
on
backup
tapes
or
drives
cannot
be
stored
or
accessed
outside
of
Canada…it
is
an
offence
to
store
or
allow
access
to
personal
informa;on
outside
of
Canada
unless
it
is
authorized.
§ Cloud
Compu8ng
Guidelines
for
Public
Bodies,
Office
of
the
Informa8on
and
Privacy
Commissioner
for
Bri8sh
Colombia

14. #AIIM14
Alberta
• Compelling
a
witness
to
tes;fy
or
compelling
the
produc;on
of
documents
can
only
be
in
response
to
the
direc;on
of
a
court
tribunal
in
Canada
• Health
informa;on
can
only
be
disclosed
under
an
order,
warrant,
or
subpoena
issued
by
a
court
person
or
body
that
has
jurisdic;on
in
Alberta
• $500,000
penalty
§ The
Freedom
of
Informa8on
and
Protec8on
of
Privacy
Act
(FOIP)
amendments
(2006)

15. #AIIM14
Penal<es/Repercussions
§ Mandatory
privacy
breach
repor8ng
in
some
provinces/sectors
§ Most
governments
will
self-­‐report
(to
save
face)
§ Fines
§ Li8ga8on
(class
ac8on
law
suits
are
the
new
black)
§ Nega<ve
media
aWen<on
§ Loss
of
public
trust

16. #AIIM14
Accountability
§ Services
can
be
outsourced,
but
accountability
can’t
§ An
ins8tu8on
is
responsible
for
the
personal
(health)
informa8on
in
its
custody
and
control

17. #AIIM14
Opera<onalizing
Accountability
§ Strong
contracts:
§ Define
confiden8al
informa8on
§ Limit
disclosure/movement/exposure
§ Outline
vendor’s
obliga8on
to
abide
by
legislated
requirements
of
the
organiza8on
(privacy,
security,
reten8on,
destruc8on)
§ Privacy
Impact
Assessments
(PIA)
§ Threat/Risk
Assessments
(TRAs)
§ privacybydesign.ca

18. #AIIM14
Privacy
in
the
mainstream

19. #AIIM14
Real
changes
in
the
marketplace
AHer
Snowden,
Privacy
Should
be
Profitable.
Ivor
Russell,
Globe
and
Mail.
August
30,
2013.

20. #AIIM14

21. #AIIM14
And
in
the
law?
When
we
decided
to
open
our
border
to
trade
with
the
United
States,
we
did
so
with
a
free
trade
agreement.
That
agreement
put
in
place
various
legal
obliga;ons
and
a
dispute-­‐resolu;on
process.
This
is
how
we
deal
with
our
interconnected
world.
If
we
can
do
it
with
goods
and
services,
we
can
do
it
with
data.
Lisa
M.
Aus8n,
Heather
Black,
Michael
Geist,
Avner
Levin,
and
Ian
Kerr,
Na8onal
Post,
December
12,
2013

22. #AIIM14
I
really
don’t
know
Cloud
at
all

23. #AIIM14
Bring
an
Umbrella
else.khoury@outlook.com

24. www.aiim.org/infochaos
Do
YOU
understand
the
business
challenge
of
the
next
10
years?
This
ebook
from
AIIM
President
John
Mancini
explains.