we really don\'t know clouds at all: challenges to privacy compliance
TRANSCRIPT
STIKEMAN ELLIOTT LLP www.stikeman.com
We Really Don’t Know Clouds at All:Challenges to Privacy ComplianceDavid Elder
Stikeman Elliott
2nd Cloud Computing Law
Federated Press
Ottawa
21 June 2011
SLIDE 1 STIKEMAN ELLIOTT LLP
Outline
On clouds
Legal framework for privacy in canada
Key privacy obligations
Cloud challenges
The sky is not falling
SLIDE 2 STIKEMAN ELLIOTT LLP
What is Cloud Computing?
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
National Institute of Standards and Technology
SLIDE 3 STIKEMAN ELLIOTT LLP
Cloud Computing Fundamentals
Essential Characteristics:
On-demand self-service Broad network access Resource pooling Rapid elasticity Measured Service
Service models:
Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service
(IaaS)
Deployment models:
Private cloud Community cloud Public cloud Hybrid cloud
Key enabling technologies include:
fast wide-area networks powerful, inexpensive server
computers high-performance virtualization
for commodity hardware
SLIDE 4 STIKEMAN ELLIOTT LLP
Legislative Framework
Patchwork?
Mix of Federal and Provincial Regimes
Private Sector
Health Sector
Public Sector
Employees
©TinyApartmentCrafts
SLIDE 5 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Provincial:
B.C.: Personal Information Protection Act
Alberta: Personal Information Protection Act
Québec: An Act Respecting the Protection of Personal Information in the Private Sector
Federal:
Personal Information Protection and Electronic Documents Act
SLIDE 6 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Federal
Personal Information Protection and Electronic Documents Act
Applies to collection, use and disclosure of personal information by:
– Private sector federal works & undertakings, including their employees
– Private sector organizations, in course of commercial activities, when:
Transferred across provincial borders
Collected, used or disclosed in province without “substantially similar” legislation
SLIDE 7 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Provincial
B.C.: Personal Information Protection Act
Alberta: Personal Information Protection Act
Québec: An Act Respecting the Protection of Personal Information in the Private Sector
Apply to collection, use and disclosure of personal information by all private sector organizations in the Province
– Not just in course of commercial activities
– Including employee personal information
– N/A to interprovincial transfers and federal undertakings
SLIDE 8 STIKEMAN ELLIOTT LLP
Health Sector Privacy
Provincial:
British Columbia: Personal Information Protection Act
Alberta: Health Information Act
Saskatchewan: Health Information Protection Act
Manitoba: Personal Health Information Act
Ontario: Personal Health Information Protection Act
New Brunswick: Personal Health Information Privacy and Access Act
Nova Scotia: Personal Health Information Act*
Newfoundland & Labrador: Personal Health Information Act
Federal:
Personal Information Protection and Electronic Documents Act
SLIDE 9 STIKEMAN ELLIOTT LLP
Health Sector Privacy
Provincial health sector privacy laws generally apply to:
Personal health information, held by
Health Information Custodians: persons or organizations with custody or control of PHI in performing duties, including:
– Health care practitioners
– Hospitals and long-term care facilities
– Community health centres
– Pharmacies
– Laboratories, etc.
SLIDE 10 STIKEMAN ELLIOTT LLP
Key Privacy Obligations
Security
Personal info must be protected by security safeguards appropriate to the sensitivity of the information
Nature of safeguards will vary according to sensitivity, quantity, distribution, format, method of storage
Should include physical, organizational, technological measures
See PIPA Advisory #8: Implementing Reasonable Safeguardshttp://www.oipc.ab.ca/ims/client/upload/PIPA_Advisory_8_Reasonable_Safeguards2007.pdf
See Securing Personal Information: A Self-Assessment Tool for Organizations:http://priv.gc.ca/resource/tool-outil/security-securite/english/AssessRisks.asp?formAction=ShowPrintedAssess&methods=full
SLIDE 11 STIKEMAN ELLIOTT LLP
Key Privacy Obligations
Limiting Use, Disclosure and Retention
Personal info to be used solely for purposes for which collected
Personal info to be retained only as long as necessary to fulfil purposes for which collected, then returned, deleted or destroyed
Access & Accuracy
Upon request, individual has right of access to their personal information, including how used and disclosed
Inaccurate or incomplete info must be corrected
SLIDE 12 STIKEMAN ELLIOTT LLP
Key Privacy Obligations
Accountability
Organization responsible for personal info it collects
Still responsible for personal info transferred to third parties for processing
Breach Notification
Requirement or expectation to notify Privacy Commissioner, affected individual
Consent
Knowledge and consent required for the collection, use and disclosure of personal information
SLIDE 13 STIKEMAN ELLIOTT LLP
The Dark Side of the Cloud
Out of your control, vision obscured
Multiple and unknown locations, jurisdictions
Focus on low cost, efficiency may mean
– One-size fits all service, reluctance to customize
– Security as a secondary focus?
Co-mingling in community, public, hybrid cloud may mean potential
– Cross-info, segregation problems – auditability?
– Exposure to other’s vulnerabilities
– Delays where breaches
SLIDE 14 STIKEMAN ELLIOTT LLP
Key Privacy Obligations & Challenges
Obligations
Security
Security safeguards appropriate to sensitivity of personal info
Breach Notification
Advise Privacy Commissioner(s), individuals/customers
Cloud Challenges
Tendency to one-size-fits all
Cloud makes security decisions -not you
Cloud unaware of sensitivity of info
Need to be advised of cloud breach
How to define what notifiable
Need cooperation, up-to-minute details
Could be many cloud users affected
SLIDE 15 STIKEMAN ELLIOTT LLP
Key Privacy Obligations & Challenges
Obligations
Limiting Use, Disclosure, Retention
To be used solely for identified purpose
To be retained only as long as necessary to fulfil purposes, then returned or destroyed
Access & Accuracy
Right of access
Right to correct
Cloud Challenges:
Uncertainty won’t be mined/used for other purposes
Uncertainty of retention periods, foreign requirements?
Right to destroy, delete, have returned
Ensure individual will have access
Ensure can quickly correct incomplete or inaccurate data
SLIDE 16 STIKEMAN ELLIOTT LLP
Key Privacy Obligations & Challenges
Obligations
Accountability
Organization responsible for personal info it collects, even when transferred to 3rd parties
Consent
Knowledge and consent required for the collection, use and disclosure of personal information
Cloud Challenges:
How to maintain control, visibility?
Difficult to audit if widely dispersed, co-mingled
Can be need for explicit consent to storage/processing outside Canada, due to foreign legal jurisdictions
Consent to cloud itself?
SLIDE 17 STIKEMAN ELLIOTT LLP
Nothing New Under the Sun
Company Outsource Offshore Cloud
Risk
Control
SLIDE 18 STIKEMAN ELLIOTT LLP
I Can See Clearly Now
Not for everyone
Choose your provider very carefully
Where located?
Pick your cloud
Bake key terms, levels, guarantees into contract:
– Security practices and requirements
– Breach/investigation response/CIRT
– Audit
– Liability, indemnity
– Subcontracting control
