Torkin Manes

Winter 2013

Issue link: http://digital.lawtimesnews.com/i/98695

Contents of this Issue

Navigation

Page 0 of 7

torkinmanes.com Torkin Manes LLP Barristers & Solicitors 151 Yonge Street, Suite 1500 Toronto, ON M5C 2W7 Tel: 416 863 1188 Fax: 416 863 0305 www.torkinmanes.com Associated worldwide with WINTER 2013 F O C U S O N I N F O R M AT I O N T E CH N O L O G Y L A W Privacy Requirements in the Era of Cloud Computing Lisa R. Lifshitz In June, the Office of the Privacy Commissioner of Canada ("OPC"), the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information & Privacy Commissioner for British Columbia issued a joint Guidance Document titled "Cloud Computing for Small and Mediumsized Enterprises: Privacy Responsibilities and Considerations". Cloud computing, a form of outsourcing involving the delivery of computing services over the Internet using shared resources, offers many potential benefits to small and mediumsized enterprises (SMEs), including scalability, flexibility and cost-efficiencies. Many SMEs already use cloud computing for data processing, storage and backup, for accounting services, for communications, or for customer service and support. Unfortunately, many companies do not realize they are already "in the cloud" if they use cloud-based e-mail services for business correspondence, or any online service to collaborate on documents containing personal information. The focus of the OPC Guidance Document was to remind SMEs that under Canada's private-sector privacy legislation, an organization that collects personal information from an individual is accountable for the personal information even Inside... FAMILY LAW .......................................................3 COMMERCIAL LENDING ....................................4 EMPLOYMENT LAW............................................6 REAL ESTATE LITIGATION ....................................... 7 TORKIN MANES UPDATE ...................................8 when it is outsourced for processing to third-party providers. Thus, all businesses in Canada, regardless of their size, are ultimately accountable for the personal information they collect, use and disclose even if they outsource personal information to a service provider that operates in the cloud. Unfortunately, many standard cloud-computing agreements (especially for "free" services) contain legal terms that are not sufficient to allow SMEs to meet their Canadian privacy obligations. Moreover, standard cloud-computing agreements often allow a provider to change the agreement unilaterally, limit its liability for the information, and/or subcontract to various other providers. However, as confirmed by the OPC, SMEs must use contractual or other means to ensure that personal information is appropriately handled and protected by the cloud provider. The OPC also recognized that security in the cloud is of paramount importance and the Guidance Document offered some best-practice guidelines. SMEs using cloud-computing services should: • Limit access to the information and restrict further uses by the provider; • Ensure that the provider has in place appropriate authentication/access controls; • Manage encryption; • Ensure that there are procedures in place in the event of a personal information breach or security incident; • Ensure periodic audits are performed; and • Have an exit strategy. SMEs must assertively maintain control over personal information that is sent to a cloud provider, and take steps to prevent and limit secondary uses of personal information. Again, due diligence on the part of the organization will be required c l i e n t - f o c u s e d s o l u t i o n s® (continued next page) 1 1

Articles in this issue

Archives of this issue

view archives of Torkin Manes - Winter 2013