The British Columbia Information and Privacy Commissioner has just released some cloud computing Guidelines for public bodies. Cloud computing (using the internet to process, manage and store data on remote network services) can offer cost savings and other functional benefits to public bodies, but raises particular questions regarding compliance with BC’s Freedom of Information and Protection of Privacy Act (FIPPA). The Guidelines point out that a public body must comply with FIPPA with respect to all personal information in its custody or control, including personal information that is accessed, stored or used through cloud computing solutions.
The Guidelines go on to describe some FIPPA obligations that are particularly relevant to cloud computing:
Public bodies must ensure that personal information is only stored in and accessed from inside Canada (subject to limited and specific exceptions). If one of those limited exceptions does not apply, it is an offence under FIPPA to store or allow access to personal information outside of Canada without written consent from the individual whom the information is about (or without coming within. This requirement is relevant if a cloud computing provider is located, operates, or has servers outside of Canada.
Public bodies must make reasonable security arrangements to protect personal information from unauthorized access, collection, use, disclosure, etc. In the cloud computing context, this might entail reviewing the service provider’s security arrangements and expressly addressing security and privacy concerns in the service contract. Public bodies should also ensure that their own houses are in order, for example by having appropriate security and privacy policies and procedures, access controls, and appropriate system security measures.
The Guidelines serve to remind public bodies that FIPPA applies to new technology solutions, and that FIPPA compliance should always be a key consideration when implementing new technology solutions like cloud computing.