Thinking About Clouds? Privacy, Security and Compliance Considerations for Ontario Public Sector Institutions

Cloud computing is a method of providing information and communication technology resources to individuals and organizations as an online service. It allows organizations with broad network access to tap into a shared pool of virtually unlimited computing resources hosted elsewhere, whether maintained by them or by a third party, paying only for what software and other services are actually needed or used. Cloud computing is an attractive option for many public sector institutions because it can reduce operating costs and improve operational capabilities and efficiencies.

However, moving personal information and processing operations into the cloud also raises concerns about information security, individual privacy and legal compliance. Information security risks may include new insider threats, and challenges to effective breach detection, remediation and reporting. Privacy risks include the potential for covert surveillance, and unauthorized access and disclosure of personal information. Compliance risks include the possibility that the laws of another jurisdiction may apply to the contract with the cloud provider. These and other risks must be addressed.

The IPC has prepared a new guidance document, Thinking About Clouds? Privacy, security and compliance considerations for Ontario public sector institutions, to help institutions evaluate whether cloud computing services are suitable for their information management needs. In particular, it seeks to raise awareness of the risks associated with using cloud computing services and outlines some strategies to mitigate those risks.

Recommended mitigation strategies include appropriate project planning, co-ordination, and documentation, undertaking risk analyses, applying data minimization measures, due diligence investigation of the cloud provider, negotiating effective contracts, and having an incident management plan in place.

It is the responsibility of all public institutions in Ontario to maintain effective control of, and be fully accountability for, the personal information entrusted to them by the public they serve.