The User’s Guide To Privacy and Cloud Computing

Questions to ask and answers to get

For consultation – January 2012


Who needs to read this document?

If you’re a small to medium sized business that is considering using one or more cloud computing services, this document is for you.

Businesses of all sizes are starting to look at cloud computing as a low-cost, flexible way of managing their computing needs. Why go to the expense of constantly upgrading your computers, servers and software and having IT specialists on staff, if you can meet your business requirements more cheaply and just as reliably by working online? And if there’s an earthquake or a flood and you can’t get into your office, don’t you want to be able to have access to your business information as usual?

Cloud computing is relatively new. There’s still a lot that needs to happen to make the most of the opportunities the cloud can offer. For example, the technologies are constantly being developed to improve reliability and responsiveness. Ultra-fast broadband will open up new possibilities. Different products are coming on stream all the time and some are more trustworthy than others.

One question that always comes up, though, is how users of cloud services can be sure that personal information about their clients and their staff is kept safe in the cloud. Concerns about privacy are a major reason why businesses are wary of using the cloud. This is because businesses know that people care deeply about how their information is managed. If they get it wrong, they’ll lose customers. Businesses also know that if they fail to have proper privacy protection, their reputation could be irrevocably damaged.

Nobody can give any cast-iron guarantees that you will be able to protect people’s privacy successfully in the cloud. Those guarantees aren’t available with in-house computing now – and cloud computing raises some new risks to think about.

However, this document identifies the most important questions you should ask about how personal information will be managed in the cloud. You need to be reasonably sure that you can keep the trust of the people whose information you hold, and comply with the law.


What do we mean by cloud computing?

Formal definitions of cloud computing tend to be technically complex. This guidance focuses on the three main types of cloud computing services provided by third parties.

Infrastructure-as-a-Service
The provider lets you use its servers to store your information. This means you don’t have to have your own servers on site. You send your information to the provider’s servers, usually over the internet.

All the storage and networking is handled by the provider’s server, but you’re responsible for running the platform and software.

Platform-as-a-Service
This comes in a variety of forms. You’re provided with a “software environment” that you can build and run your own applications on. Most platform as a service solutions are aimed at organisations that want to build their own custom software.

Software-as-a-Service
Software as a service is the type of cloud computing you can just ‘pick up and use’. Instead of having a word processing, accounting, design or other type of program installed on your business computers, you pay the provider to let you use a program or suite of programs that runs on its servers. In most cases you access the programs through a web browser.


What do we mean by “personal information”?

The Privacy Act governs personal information – that is, information that relates to any living, identifiable human being.

If you’re not putting personal information in the cloud, you don’t need these guidelines.

Information does not need to name the person to be “personal” – it just needs to be capable of identifying them. And it does not need to be “secret” or “sensitive” information – it just needs to be about them.

So all your customer and staff records are personal information – for example who they are, their contact details, their financial details, the history of your relationship with them and any other records you have about them.

Information about your business practices or policies, your trade secrets, and purely statistical information that cannot identify individual people is not personal information.


The bottom line – you’re responsible for the information you put in the cloud

The Privacy Act says that if you provide personal information to another organisation for processing or storage you still hold the information. That means if you use a cloud service, you’re responsible for what happens to the information. If there’s a privacy breach, you’re going to be the one answering the questions about what went wrong.

Specifically, you have responsibility for ensuring that personal information:

These guidelines focus on helping you manage these responsibilities.

Figure out what your staff need to know too. Tell them what’s going on and give them any training they need. Staff are often the key to handling information properly.

For example, you might have a policy that information needs to be encrypted when you send it into the cloud. But if that’s not done automatically, or your staff aren’t trained to make sure the information is encrypted, mistakes are inevitable.


Where is the information – and why does it matter?

One of the benefits of cloud computing is that information can be mobile. It no longer has to be locked into whatever computing structure your own office can provide.

But you still need to know where the information is. This is because different legal rules may apply depending on which country the information is in – so your responsibilities may differ.

If your information is located in a country that has privacy or data protection laws similar to New Zealand’s, this is likely to be helpful. It should be relatively easy to get agreement with the provider about the privacy standards and obligations that apply to the information, particularly who is responsible for what. It’s also more likely that if there is a problem, there will be an effective means of sorting it out.  

What the provider should tell you

The Privacy Act says that you won’t breach the law if local laws require you to disclose personal information. But unless you have checked it out, you won’t know what the chances are of this happening. And your customers may be taken aback and may see any disclosure of information as a breach of trust, particularly if a foreign government is involved. So once you know the position, it’s a good idea to tell your customers up front.


The State Services Commission produced guidance on offshoring ICT in 2007 - http://www.e.govt.nz/library/offshore-ICT-service-providers-april-2007.pdf. Many of the basics of using overseas ICT are covered by this guidance.



What do you have to do to keep information secure?

Because cloud computing involves dealing with a third party – and therefore sending personal information outside your organisation – you need to make sure that the information is secure both while it’s in transit and when it is stored. Be clear on which aspects are your responsibility and which are the provider’s.

What the provider should tell you


Are you a government agency? There are already minimum requirements in place under the GCSB’s New Zealand Information Security Manual that outline how transfers can be done securely: http://www.gcsb.govt.nz/newsroom/nzism/NZISM_2011_Version_1.01.pdf



How much information can your provider see?

Many cloud services won’t involve the provider accessing your information at all. Some access to information is relatively innocuous – such as automated checks to make sure that the provider’s systems are running properly.

But you need to ask. You’re not on the spot, so you can’t control things directly – you’re reliant on the provider to get it right. The last thing you want is for someone unexpected and untrustworthy to get hold of your information – and your customers trust you to make sure their information is properly protected.

Any use of personal information should be linked to the purpose for which you’ve got the information in the first place. If it’s being used for a new purpose, that should almost always be authorised by the customer the information is about.

What your provider should tell you


Where are the exits?

At some point, you may decide that you no longer want to use a particular provider. Whatever the reasons for this, you need to be able to get your information out and make sure that it is not still retained on the provider’s servers once you’re gone.

What your provider should tell you


How to handle customer requests?

People are entitled to see or correct the information you have about them. So you need to make sure that if someone asks to access their information or correct it, you can do this easily. You have to respond to a request as soon as you can – and within 20 working days at the outside.

This shouldn’t normally be a problem, but there are some software as a service products (for example web survey tools) that are designed to make some personal information difficult to access.

What your provider should tell you


What if it all goes wrong?

If things go wrong for some reason, you need to know how to deal with it.

The best way to do this is to agree right at the start with your provider how any problems will be addressed. All the points covered in the previous sections will help you have these discussions with your provider. Then you can include them in your contract or make sure they are in the standard terms and conditions.

In addition, you will need to work out:


Tell people what’s happening if you can

The most important thing is to maintain your relationship with the people whose information you hold. They have entrusted you with their personal information. You need to be able to assure them that it's being handled appropriately. If you let them down, you’ll lose their trust – and quite probably their business.

So keep them in the loop. If you can, tell them up front that their information will be held offshore and where their information is going. That’s an opportunity to tell them that you’ve checked it’s secure, that it won’t be misused, and that you can get it back whenever you need it.

If it’s not practicable to tell people – for example because it’s too confusing – at least have a privacy policy that covers your cloud computing use. You can put that policy on your website and also have it ready so you can show people when they ask.


CHECKLIST

  1. Know what personal information you’re sending into the cloud

If you’re not putting personal information in the cloud, privacy isn’t an issue.

If you are putting personal information in the cloud, know what it is so you can handle it right.

  2. Location – where will the information be?

Work out where your information is going and what privacy protection laws apply there.

  3. Security – lock it down

Make sure the information is protected both while it travels and when it’s at the provider’s end.

  4. Use and Disclosure – who sees the information and what will it be used for?

Make sure you know if the information will be disclosed and to whom.

Make sure only the right people at the provider can see the information and that it’s not being misused.

  5. Ability to exit, and deletion of information

Can you get the information out, in a form that you can use, if you decide to switch providers?

Will the provider delete the information or will it try to keep it?

  6. Relationship with the provider – get your contract straight

Make sure both parties are clear about their responsibilities. You don’t want things to fall through the cracks.

  7. Relationship with the customer – be up front

Wherever you can, tell the people concerned what you’re doing with their personal information.

- DRAFT –