Cloud computing has many exciting benefits for nonprofits, but it also raises some questions about privacy. Since I often get asked about the privacy implications of the cloud for Canadian nonprofits and charities, I’ll share what I’ve learned so far in this blog. Most of what I'm sharing here is the legal context which is helpful for understanding the environment, but it might not be the detail you need to make a specific decision. Also, please be aware that I'm not a lawyer - I've done my best to find helpful and reputable resources online, but if you want actual legal advice then you'll have to ask a lawyer.
PIPEDA
I’ll start by looking at what PIPEDA (Canadian privacy law) has to say about cloud computing. Before diving in I should note that PIPEDA doesn’t technically apply to nonprofits in most cases, with some exceptions (the biggest ones being BC and Quebec). See my previous blog for more details on when Canadian privacy law applies to nonprofits. However, I’ll continue under the assumption that regardless of whether our work falls under privacy laws, the privacy of the data we store is important to us.
According to the Office of the Privacy Commissioner of Canada, using cloud infrastructure for data storage or processing will most likely be considered as a “transfer for processing”. What this means is that “under Principle 4.1.3 of Schedule 1 the organization would be required to ensure that a comparable level of protection is provided for the information. The organization would remain in control of the information and responsible for meeting the PIPEDA requirements.”
In other words, you are ultimately responsible for the data, even if you use a third-party cloud provider.
I should also point out that there is no law preventing most organizations from using cloud computing, and that includes using cloud providers outside of Canada. The only special cases are for public sector bodies in BC, Alberta and Nova Scotia, and additional regulation for specific sectors such as banking. This means that for most nonprofits (that aren’t public sector), there is no privacy law against using cloud computing.
Patriot Act
One of the most common concerns that I hear from nonprofits is about the US Patriot Act. At the most basic, the concern is that the US government will be able to access your data if it is stored by a cloud provider in the US. US law gives the government certain rights to access information as part of anti-terrorism investigations - and they can issue a “gag order” so that the cloud provider isn’t allowed to tell you that your data is being accessed.
Because of the gag order it’s hard to know exactly why these kinds of requests are being made; however, one example that was publicly revealed was a request for the Gmail (email) data of a WikiLeaks volunteer. Google also publicly shares the number of requests made (but not why the request was made) and how many they complied with in their Transparency Report.
My understanding of this issue is that (a) we actually have similar legislation in Canada, and (b) the US government and the Canadian government are fairly co-operative in sharing data for investigations, so choosing a cloud provider that only stores your data in Canada may not get around this issue. For more details see this cloud privacy FAQ.
If you are going to store individuals’ data with a cloud provider who stores data outside of Canada (which they likely do unless they specifically say that all of their data is stored in Canada), the Office of the Privacy Commissioner of Canada recommends making this clear to individuals when you collect their data.
Terms of Service
Another area to think about with cloud privacy is the Terms of Service of the cloud provider (including their Privacy Policy, if it is a separate document from the Terms of Service). Of course every cloud provider’s terms of service are different and most are difficult to read for the average person. This blog provides some tips on what to look for in a terms of service contract.
The Privacy in the Clouds report (prepared for the World Privacy Forum) explains the various risks here. Unfortunately, individuals and organizations (especially small organizations, which includes most nonprofits) have no control over a cloud provider’s terms of service; it tends to be a matter of “take it or leave it”. As well, many terms of service include a clause that the provider can change the terms of service at any time - even a careful organization might not realize such a change has happened. There is also the risk that the cloud provider could be bought out, thus leading to changes, or go bankrupt. In short, cloud providers still have a lot of work to do in making their terms of service clearer, easier to understand and more standardized.
Conclusion
The goal of this post is not to scare you away from cloud computing, but to provide you with information on the privacy risks and help you make a more educated choice. At the end of the day, you must consider the sensitivity of your data and make a decision.
One more important thing to keep in mind - rather than comparing with a perfect situation, we must compare a cloud provider with our current situation, which isn’t perfect either. There are always privacy risks to take into account whether you’re in the cloud or not, and it’s up to you to assess where the risks are greater, and whether the risks are outweighed by the benefits of the cloud.
What other questions do you have that aren't addressed in this blog?



