This blog post was originally published in November 2011 by Tierney Smith, Community Engagement Manager at TechSoup Canada. It has since been updated with more recent content in November 2014, and again in December 2015 to reflect the latest "Who Has Your Back?" report.
Cloud computing has many exciting benefits for nonprofits, but it also raises some questions about privacy. Since I often get asked about the privacy implications of the cloud for Canadian nonprofits and charities, I’ll share what I’ve learned so far in this blog. Most of what I'm sharing here is the legal context which is helpful for understanding the environment, but it might not be the detail you need to make a specific decision. Also, please be aware that I'm not a lawyer - I've done my best to find helpful and reputable resources online, but if you want actual legal advice then you'll have to ask your lawyer.
Privacy vs. Security
I want to begin by clarifying the difference between 2 related but separate concepts, security and privacy. Security can be defined as the “confidentiality, integrity & availability of data.” It does include concepts of privacy and data access, but it’s broader than that. For example, a virus could corrupt your data or your server could fail without a backup - these would be security issues that are not related to privacy.
Security is about managing risks, so nothing can ever be considered completely secure. However for most nonprofits, reputable cloud providers tend to provide better security than your current arrangement, as they have significantly more resources to dedicate to this area.
Privacy, on the other hand, has to do with the appropriate use of data. Poor privacy could be a result of security holes (e.g. your data is hacked) or for other reasons such as problematic policies, misuse of data or social engineering (e.g. an employee sells your email list). The rest of this blog will focus on considerations of privacy of cloud systems.
Cloud Privacy Concerns
Let me start by getting philosophical for a moment. Our whole society is in the midst of a discussion about the meaning and importance of privacy in an Internet age. I say “discussion” because this isn’t an issue that has been “solved”, rather it’s ongoing and developing as new laws get created, laws get interpreted in court, companies and individuals advocate on behalf of their views, and technology changes. Your decision about whether to use the cloud is a small part of this broader discussion, meaning there are no simple answers here.
Currently, one of the most significant concerns in the cloud privacy discussion is how governments are collecting and accessing data, generally with the goal of protecting national security and as part of police investigations.
The US government is the most well known for accessing cloud data. Through the Patriot Act, the government has certain rights to access information as part of anti-terrorism investigations - and they can issue a “gag order” so that the cloud provider isn’t allowed to tell you that your data is being accessed. More recently, the PRISM program was brought to light, which gives the NSA direct access to the servers of major cloud providers.
These policies affect Canadians in several ways. Any data we store in a cloud service owned (even indirectly) by a US organization could be accessed through these provisions. This is the case even if the data is only stored physically in Canada. Even if data isn’t stored in a US cloud service, if it’s been emailed or transferred online in some way, it may be collected by the US government as it’s estimated that 90% of Canadian internet traffic is routed via the US.
We also need to consider what’s going on in our own backyard. Privacy lawyers have pointed out that the Canadian government has very similar powers to the US government. In addition, the Communications Security Establishment Canada (CSEC) cooperates closely with its counterparts in other countries and operates with very little government oversight.
Canadian Privacy Law
Another important angle to consider is whether your nonprofit is legally allowed to store data in the cloud. The short answer is that in most cases there are no laws or policies preventing your nonprofit from using the cloud. However, you are ultimately responsible for the data, even if you use a third party cloud provider.
For most nonprofits, the most significant consideration is that the CRA requires certain records to be kept in Canada (it may be ok if an up-to-date copy or backup of the records is kept in Canada, however we suggest consulting your accountant or lawyer). This applies to your governance documents, minutes from meetings of executives or members, and donation records.
Some nonprofits also have additional requirements from funders, or because they are part of a government program. Both British Columbia and Nova Scotia have laws against public bodies storing data outside of Canada. Check if any of these apply to you before proceeding with cloud projects.
A bit more detail on cloud privacy law & nonprofits:
Canada’s national and provincial privacy laws don’t have any rules against using the cloud. According to the Office of the Privacy Commissioner of Canada, using cloud infrastructure for data storage or processing will most likely be considered as a “transfer for processing”. What this means is that “under Principle 4.1.3 of Schedule 1 the organization would be required to ensure that a comparable level of protection is provided for the information. The organization would remain in control of the information and responsible for meeting the PIPEDA requirements.”
So, as noted above, using the cloud is permissible, but this does not take away your responsibility to safeguard your data. The Office of the Privacy Commissioner of Canada does, however, recommend that if you are going to store data in the cloud, you make this clear to individuals when you collect their data.
(Side note: PIPEDA doesn’t technically apply to nonprofits, with some exceptions - most significantly BC and Quebec. However, whether or not our work falls under privacy laws, the privacy of the data we store should be important to us.)
The Good News
The good news is that there is action being taken by companies, nonprofits and individuals to improve our privacy. For example, many companies have followed the lead of Google and now publish “Transparency Reports” - including many Canadian telecommunications providers. These reports show a tally of government requests for information.
The Electronic Frontier Foundation has taken a lead in advocating for better data privacy. One of their resources is an annual “Who Has Your Back?” report, which looks at how major cloud providers are protecting your data.
Should your nonprofit go to the cloud?
Ultimately, there are many factors to consider when making a decision about the cloud. Privacy considerations should be weighed along with other factors such as cost, productivity, access to data, and security. If you’re not sure about whether the cloud is the right choice from a privacy perspective, it may be best to consult your lawyer.
Having said that, here are some tips to help you along the way:
- Conduct a privacy risk assessment. It’s likely that not all of your data requires the same level of privacy. For example, emails and documents may be less sensitive than client data. You don’t need to take a one-size-fits-all approach to privacy.
- Consider a hybrid cloud. If you do have some data that is more sensitive than others, then a hybrid cloud infrastructure may be right for you. For example, your email could live in the cloud but client data would be stored in a database on your server.
- Check for encryption. Make sure the cloud services you use are properly encrypted, meaning that your data will look like gobbledygook to anyone who is trying to peek at it. Here’s a report on which cloud providers have good encryption.
- Review the terms of service. This lawyer has some tips on what to look for in cloud providers’ terms of service agreements. However, note that these agreements are typically “take it or leave it,” so there is little to no room for negotiation, especially for smaller nonprofits.
The goal of this post is not to scare you away from cloud computing, but to provide you with information on the privacy risks and help you make a more educated choice. At the end of the day, you must consider the sensitivity of your data and make a decision.
One more important thing to keep in mind - rather than comparing with a perfect situation, we must compare a cloud provider with our current situation, which isn’t perfect either. There are always privacy risks to take into account whether you’re in the cloud or not, and it’s up to you to assess where the risks are greater, and whether the risks are outweighed by the benefits of the cloud.
What other questions do you have that aren't addressed in this blog?