Issue link: https://digital.lawtimesnews.com/i/98695
torkinmanes.com Cloud Computing... (cont'd.) before signing a standard cloud agreement and moving personal information to the cloud. SMEs must (i) clarify what, if anything, the prospective cloud provider will do with the personal information provided; (ii) seek customers' consent for new uses of their personal information; and (iii) always keep in mind the reasonable expectations of the individual. As the OPC noted, Canada's private-sector privacy legislation does not actually prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However, SMEs must recognize that personal information that is transferred to another country is subject to the laws of that jurisdiction and the data may be physically located in several jurisdictions. The cloud provider's backup servers could be in a different physical location than the primary servers. SMEs must understand where the data will reside to comprehend fully the legal regimes for protecting personal information and the circumstances under which data may be accessed by foreign courts, government agencies, and law enforcement. Additionally, organizations that outsource personal information cross borders do have a legal obligation to use clear and understandable language to inform individuals that their personal information will be transferred to a cloud provider, that their personal information may be stored or processed in a foreign country and that it may be accessible to law-enforcement and national-security authorities of that jurisdiction. Even if an SME has outsourced personal information, it must have the ability to access data at any time (including backups and archives), make corrections, and investigate any allegations of noncompliance with privacy obligations. In the event of a data breach, organizations will also want control over the procedures to notify affected individuals. Organizations must also be cautious that they not lose control of the personal information transferred to the cloud provider. This requires data ownership to be clearly defined in the cloud-computing agreement (including specifics as to what the provider can do with the personal information and what will happen to the personal information if the provider ceases to operate). Organizations must also have the ability to terminate the cloud contract, retrieve the data from the cloud provider, and have the cloud provider attest that no personal information is retained in its systems, or any of its subcontractors' systems. Finally, the OPC Guidance Document contains a list of key questions that organizations should take into account when shopping for a cloud-computing solution. It is clear that organizations must take care to assess fully the benefits, risks, and implications for privacy when considering a cloud-computing solution and we at Torkin Manes have the expertise to assist in that process. Lisa R. Lifshitz is a partner in Torkin Manes' Business Law Group, specializing in the area of information technology. Lisa also practises in the area of privacy and information management, advising both Canadian and international clients on compliance with Canadian privacy requirements. She is also the leader of Torkin Manes' new crossdisciplinary Technology, Privacy and Data Management Group. Focus Highlights She can be reached at 416 775 8821 or llifshitz@torkinmanes.com. Sudevi Mukherjee-Gothi, a partner in our Insurance Defence Group has been awarded a 2012 Predecent Setter Award. Sudevi was profiled as "The Role Model" for her significant mentoring activities both at the firm and in the community. Focus Facts Think data security isn't important for your business? According to the Ponemon Institute, a U.S.-based Precedent Magazine presents this award annually to 6 lawyers privacy and information management research firm, the in their first 10 years of practice who have shown excellence organizational cost of an average data breach in 2011 in the and leadership in their practices and their communities. U.S. was $5.5 million. Sudevi can be reached at smukherjee-gothi@torkinmanes.com or Contact any member of our Business Law Group for more information. 416 777 5427. 2 c l i e n t - f o c u s e d s o l u t i o n s®