Privacy Commissioners Call on Small- and Medium-sized Businesses to Look Before They Leap Into the Cloud

June 14, 2012

Increasingly today, the word cloud is almost as likely to be spoken in a conversation about computing as it would in a discussion about the weather. New guidance issued by the Privacy Commissioner of Canada, and the Information and Privacy Commissioners of Alberta and British Columbia seeks to provide insight for small- and medium-sized enterprises (SMEs) to help their forecasting of potential benefits and risks posed by cloud-based services.

Cloud computing is the delivery of computing services over the Internet. SMEs may be attracted to cloud services as they can significantly reduce the cost and complexity of owning and operating computers and networks. Businesses using a cloud service provider don’t need to spend money on information technology infrastructure, or buy hardware or software licences. Cloud services can also enable a business to store data offsite with the ability to access it over the Internet from the office, home or virtually anywhere.

In essence, this is a form of outsourcing. Businesses need to remember however that for any information they put in the cloud, the responsibility to safeguard it to the level required by Canada’s private sector privacy laws remains firmly with them.

“In general, the smaller a business, the less likely it is to have the budget to keep a dedicated, full-time Chief Privacy Officer on staff,” said Privacy Commissioner of Canada, Jennifer Stoddart. “This guidance is designed to help SMEs understand their responsibilities and how to help safeguard their reputations when considering and using cloud services.”

“Any business needs to take a long look at options that could lead to cost savings and productivity improvements, but they need to consider the full picture,” said Alberta Information and Privacy Commissioner Jill Clayton. “Our new guidance provides information on steps SMEs intrigued by cloud services should take to understand their privacy risks.”

“Cloud services centralize vast amounts of a business’s personal customer and client information,” said British Columbia Information and Privacy Commissioner Elizabeth Denham. “This can create a heightened risk of intrusion and data loss, so we urge SMEs to check with a service provider to ensure security measures are sufficient to protect sensitive data.”

The guidance includes key precautions and advice, such as:

  • Pay close attention to cloud service contracts. For example, might the fine print allow for thirdparty disclosures of the information stored?
  • Are your customers aware that their information might be outsourced to the cloud and do you have their consent?
  • Where in the world is the data stored and what law may apply? No matter what, the business outsourcing the data is responsible for ensuring it’s protected to a level expected under Canadian privacy law.

The full guidance can be found on the web site of either: the Office of the Privacy Commissioner of Canada www.priv.gc.ca; the Office of the Information and Privacy Commissioner of Alberta www.oipc.ab.ca; or the Office of the Information and Privacy Commissioner of British Columbia www.oipc.bc.ca.