Cloud computing allows the delivery of computing services over the Internet. While the level of convenience with this technology is appealing to many businesses and individual users, there are a number of key privacy issues to consider when analyzing the services provided by cloud computing. The primary issue is that cloud services use third parties to store and manage data at remote locations. In many cases personal information is shared with the cloud provider without the individual’s knowledge or prior consent.
Last month, PrivaTips featured an article about a decision of the Alberta Privacy Commissioner regarding the collection of data without consent by the Professional Drivers Bureau of Canada (PDB). In this case, PDB collected personal information about drivers from trucking companies, created a database of information, and then offered a search service, by which trucking companies paid a fee for a report on the driver. In that report, the personal information about the driver was disclosed to the trucking company.
The personal information was gleaned and compiled into a database over a long period of time, and it became clear during the Commissioner’s investigation that the individuals never consented to this collection, use and disclosure. The Commissioner ultimately decided that the PDB was in breach of Alberta privacy laws because it never obtained consent directly from the individual truck drivers before collecting and selling their personal information.
Canadian privacy laws allow the outsourcing of computing services to third parties as long as the third party uses comparable levels of security for personal information.
Here’s what organizations, including cloud service providers, can learn from the PDB case:
- Cloud service providers should consider if they are “collecting” any personal information themselves, or merely providing a service which allows their customer to store information in the cloud. When a service provider collects personal information, consent must be obtained. Also, if personal information is indeed being collected, it must be used only for the purposes identified.
- If a service provider is merely providing space on a server, the terms of service should address privacy issues, and make it clear that no personal information is collected, used or disclosed by the cloud provider.
- Termination issues should also be addressed in the agreement. What happens to that data when the service relationship ends?
It is critical to get privacy legal advice when entering into cloud-based service agreements. For more information, contact PrivaTech at info@privatech.ca.