The cloud isn't just a buzzword anymore. Cloud computing adoption has been increasing and is expected to grow in the coming years. It is becoming obvious that SMBs are better off using cloud services for data processing, storage, backup, security services and so on.
When considering cloud for your business and weighing the pros and cons, one of the burning issues is security of data. Where will your data be stored? Is it secure for your data to cross borders? An article published by the Financial Post outlines the risks related to storing your electronic information offshore. This is a must-read for Canadian-based organizations that are ready to embrace cloud storage. Here are a few key points that are covered in this article:
1. When your data is stored in a foreign land, it will no longer be governed by Canadian law. The government of that country will be able to access the information or be able to use the information in ways not allowed under Canadian law. This means when you are choosing a cloud service provider for your data, knowing where your data is going to reside is important. In its guidelines for cloud computing as it relates to privacy responsibilities and considerations, the Office of the Privacy Commissioner of Canada says:
"Organizations need to recognize that personal information that is transferred to another country is subject to the laws of that jurisdiction. In the case of cloud computing, data that is outsourced may be physically located in several jurisdictions. ..... It is important to understand where the data will reside to fully comprehend the legal regimes for protecting personal information, and the circumstances under which data may be accessed by foreign courts, government agencies, and law enforcement."
2. Even if a service provider or vendor resides in Canada, that doesn't mean the servers they use for their cloud offering are in Canada as well. It is important to have this discussion with the service provider before you commit to signing up for the service. It is also recommended to have a clear understanding of how your data backup will be done. Some vendors might back up to a server in another country even if they have their cloud servers in Canada.
3. Canada's data-protection law requires companies to have their customers' consent when they decide to transfer their data (in this case personal information) to a third party. Here is what the Office of the Privacy Commissioner of Canada says about this:
"Under Canada’s private sector privacy legislation, an organization that collects personal information from an individual is accountable for the personal information even when it is outsourced for processing to third-party providers. What this means is that all businesses in Canada, regardless of their size, are ultimately accountable for the personal information they collect, use and disclose even if they outsource personal information to a service provider that operates in the cloud."
4. Given that you have your customer's consent, you need to sign a contract with the cloud service provider 'to prevent the unauthorized use or disclosure of the information and to put adequate protections in place.' But remember that if the data is going to cross borders, the laws of the foreign country might override the contractual agreement you have with the service provider. Here is what the Office of the Privacy Commissioner of Canada says about this:
"It is also important to be aware of the limitations for obtaining judgements and enforcing contracts. No contract, no matter how well crafted, can override the laws of the foreign jurisdiction. Moreover, generally an organization can only enforce the provisions of a contract against the other party to the contract, and not third-parties. In a foreign jurisdiction, obtaining judgements to enforce contracts may be difficult and costly for the outsourcing organization. It may prove to be equally difficult to enforce a judgement in a foreign jurisdiction."
Read the full guidelines from the Office of the Privacy Commissioner of Canada here.