Page 13 - CCCA64_2012
Privacy

and destruction practices if the organization is not in control of the data. The organization should consider: (i) provisions for data portability to a new provider; (ii) protocols for implementing the destruction of data in accordance with the organization’s retention periods or upon transfer to another cloud service provider; (iii) capacity to implement a litigation hold to isolate and preserve electronic evidence; and (iv) survival of covenants if the cloud service provider retains any of the derivative data or metadata.

International Transfers

Cloud computing in Canada commonly involves international transfers of the organization’s data. There is a risk of foreign government intrusion, depending on a number of factors including the type of cloud service and the type of data involved.

There is no express prohibition of international transfers of data in Canada, with two exceptions: British Columbia and Nova Scotia both prohibit public sector bodies from transferring personal information outside of Canada (or accessing it from outside Canada) without the written consent of the individual. Nova Scotia also prohibits service providers from transferring personal information outside of Canada that is entrusted to them by public sector bodies. It should be noted, however, that Alberta does not expressly permit a public sector body to disclose personal information in response to a foreign subpoena, warrant or order and Quebec’s private sector privacy legislation prohibits international transfers of personal information if that personal information might be disclosed to third parties without the consent of the individual. Moreover, some public bodies will be subject to guidelines discouraging or prohibiting processing and storage of data for reasons of national security or policy.

However, it is important to keep the risks of foreign intrusion in perspective. Much has been made of the powers granted to U.S. law enforcement officials, under the USA Patriot Act, to obtain access to data. However, Canada and other countries have similar provisions for law enforcement agencies. The federal Office of the Privacy Commissioner, and more recently the Ontario Information and Privacy Commissioner, have noted that law enforcement agencies in the U.S. and in other countries already have the ability to obtain information through Canadian officials under mutual assistance agreements. The mere potential for foreign governmental access does not (except as described above) make international transfer of data unlawful. This view has been recently echoed by the European Commission in its cloud computing strategy.

Nevertheless, an organization remains accountable under Canadian law for personal information notwithstanding its transfer to a foreign jurisdiction. Organizations are required to provide for comparable levels of protection against unauthorized use, access or modification by ensuring that the service provider contracts contain meaningful technological, physical and administrative security obligations and that compliance with these obligations is audited and enforced. Moreover, organizations must assess the risks posed by the laws or governmental practices of the foreign jurisdiction to determine whether the data will be afforded similar protections. An organization transferring highly confidential information or sensitive personal information will want advice on whether the jurisdiction will afford it remedies to prevent unauthorized use, access or modification of data and recover/re-secure data if security is breached.

Finally, reasonable people may differ on whether their personal information should be directly subject to foreign laws. Cloud computing almost always necessitates revisions to privacy policies, since individuals should be informed of the cross-border transfer of personal information and, in Alberta, such disclosure is expressly required in the private sector.

Timothy M. Banks is a data governance lawyer at Fraser Milner Casgrain LLP. He advises clients on privacy, social media, records-retention, access to information and cross border transfers of information.

Cloud Computing Models

There are three basic types of cloud computing outsourcing that can be provisioned in three types of models.
• Infrastructure as a Service (IaaS): outsourcing computing power and storage capacity.
• Platform as a Service (PaaS): outsourcing the platform (operating system, application execution environment and database) on which the organization can run software applications of its choosing.
• Software as a Service (SaaS): outsourcing the software applications so that the entire computing environment is outsourced.

The three models of cloud computing:
• Private Clouds: deployment of services on infrastructure resources dedicated entirely to one organization on a private network.
• Public Clouds: deployment of services on shared resources among different organizations.
• Hybrid Clouds: combination of deployment methods for different aspects of the system.

Winter 2012, CCCA Canadian Corporate Counsel Association